On Mon, Oct 27, 2008 at 1:06 PM, Matthias Wandel <[EMAIL PROTECTED]> wrote:
> So what is the security vulnerability?
>
> You can use it to delete files, but why not just use "rm"?

If I understand correctly we have two problems (from [1])
  2 - unsafe temp file creation
  4 - shell escapes

I think "unsafe temp file creation" is referring to the use of unlink()
at line 329 of jhead.c. I don't think it is a grave problem.

"shell escapes" is more serious since you use system() at line 339 of
jhead.c without escaping any special characters a file name could
contain. For example if you have a file named "foo.jpg ; rm -rf ~" you
could make bad things without noticing. Yes, you should be stupid to use
such a file name.

> Unless of course you run it as setuid root, but why would you go out of your
> way to do that?

A solution would be to use one of the exec(3) system calls instead of
system(3).

Bye

[1] http://www.openwall.com/lists/oss-security/2008/10/16/3

-- 
Dr. Ludovic Rousseau
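
The system(3) versus exec(3) difference discussed in this message, as an added example that is not part of the original post and is not jhead's code. Assumptions: `true` stands in for the external command, and the file name is a harmless constructed one whose only effect, if a shell parses it, is to change the exit status.

```c
/* Added example: "true" stands in for the external command, and the
   file name used in main() is constructed for the demonstration. */
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Unsafe pattern: the file name is pasted into a string that /bin/sh parses,
   so ';' and other metacharacters in the name are interpreted by the shell. */
int run_with_system(const char *filename)
{
    char cmd[512];
    int n = snprintf(cmd, sizeof cmd, "true %s", filename);
    if (n < 0 || (size_t)n >= sizeof cmd)
        return -1;                       /* refuse truncated commands */
    int status = system(cmd);
    return (status != -1 && WIFEXITED(status)) ? WEXITSTATUS(status) : -1;
}

/* exec(3) form: no shell is involved; the whole file name, spaces and ';'
   included, reaches the program as exactly one argv entry. */
int run_with_exec(const char *filename)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execlp("true", "true", filename, (char *)NULL);
        _exit(127);                      /* only reached if exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    const char *name = "pic.jpg ; exit 7";   /* constructed sample name */
    printf("system(): exit status %d\n", run_with_system(name));
    printf("exec():   exit status %d\n", run_with_exec(name));
    return 0;
}
```

With system() the shell runs the text after the ';' as a second command, so the status comes from the file name rather than from `true`; with execlp() the status is that of `true` itself.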