On Wed, Oct 27, 2010 at 08:33:56PM +0200, Volker Armin Hemmann wrote:
> please show me some enterprise distros incorporating that patch.

I didn't test that patch; even if it's incorrect, the bug report is not about
a patch. It's about a security issue.

For example, look here:
http://seclists.org/fulldisclosure/2010/Oct/344

This proof-of-concept exploit still works in Gentoo (amd64 stable at least,
even hardened!), because some dangerous variables are not filtered out.

(Note if you want to test it: vixie-cron won't execute the created file
because it's not executable. Either use another crond, or use the exploit to
create e.g. a udev rule instead of a crontab entry.)


Another similar vulnerability caused by not filtering some variables was
found about a week ago. I don't know if it still works in Gentoo, because
hardened is not affected by that one.
http://seclists.org/fulldisclosure/2010/Oct/257



