Hi Ludovic,

* Ludovic Rousseau <[EMAIL PROTECTED]> [2008-10-27 16:47]:
> On Mon, Oct 27, 2008 at 1:06 PM, Matthias Wandel <[EMAIL PROTECTED]> wrote:
> > So what is the security vulnerability?
> >
> > You can use it to delete files, but why not just use "rm"?
>
> If I understand correctly we have two problems (from [1])
> 2 - unsafe temp file creation

Yes but this is not exactly the same problem as the static name that
was used before.

> 4 - shell escapes
>
> I think "unsafe temp file creation" is referring to the use of
> unlink() at line 329 of jhead.c. I don't think it is a grave problem.

Correct.

> "shell escapes" is more serious since you use system() at line 339 of
> jhead.c without escaping any special characters a file name could
> contain.

Correct, that is the problem. Crafted file names can execute commands
in the shell.

> For example if you have a file named "foo.jpg ; rm -rf ~" you could
> make bad things without noticing.
> Yes, you should be stupid to use such a file name.

All the issues recently released for jhead are not really important,
the problem is non-interactive setups where jhead is called from
scripts.

> > Unless of course you run it as setuid root, but why would you go out of your
> > way to do that?
>
> A solution would be to use one of the exec(3) system calls instead of
> system(3).

Yes or to filter the string.

Cheers
Nico
--
Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
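The difference between system(3) and exec(3) discussed in the thread, as an added example that is not part of the original mail and is not jhead's code. `test -e` stands in for the command jhead runs, and the sample file name and function names are constructed for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Constructed sample: a file name containing a shell metacharacter.
   The part after ';' is the harmless command `true`. */
static const char *SAMPLE_NAME = "no-such-file.jpg; true";

/* Pattern described in the thread: build a command line and hand it to
   system(), so /bin/sh parses the file name. Returns the exit status. */
int check_with_system(const char *name)
{
    char cmd[512];
    snprintf(cmd, sizeof cmd, "test -e %s", name);
    int st = system(cmd);
    return (st != -1 && WIFEXITED(st)) ? WEXITSTATUS(st) : -1;
}

/* exec(3)-based alternative: no shell is involved; the name reaches the
   program as exactly one argv element. Returns the exit status. */
int check_with_exec(const char *name)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        char *const argv[] = { "test", "-e", (char *)name, NULL };
        execvp(argv[0], argv);
        _exit(127);               /* exec failed */
    }
    int st;
    if (waitpid(pid, &st, 0) < 0)
        return -1;
    return WIFEXITED(st) ? WEXITSTATUS(st) : -1;
}

int main(void)
{
    /* system(): the shell runs `test -e no-such-file.jpg`, then `true`,
       so the overall status is 0 although the file does not exist. */
    printf("system(): %d\n", check_with_system(SAMPLE_NAME));
    /* execvp(): test(1) sees one odd file name, which does not exist: 1. */
    printf("execvp(): %d\n", check_with_exec(SAMPLE_NAME));
    return 0;
}
```

The differing exit status is the observable sign that the shell split the name into two commands; with execvp() the whole string is treated as a single file name.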