On Mon, Dec 03, 2007 at 11:31:27AM +0100, Gerd Hoffmann wrote:
> Moritz Muehlenhoff wrote:
> > Since fbi is not suitable for non-interactive use and the filename would
> > need to contain the commands to be executed I don't consider this a
> > security problem. Still, it should be fixed.
> >
> I
Moritz Muehlenhoff wrote:
> Since fbi is not suitable for non-interactive use and the filename would
> need to contain the commands to be executed I don't consider this a
> security problem. Still, it should be fixed.
>
It is at least quite hard to exploit remotely. Even when configuring
fbi as
Jakub Wilk wrote:
> Package: fbi
> Version: 2.05-2
> Severity: normal
>
> $ F='"; echo buggy > buggy.log; : "'
> $ touch "$F"
> $ fbi "$F" 2>/dev/null
> $ cat buggy.log
> buggy
Confirmed. The problem is the use of popen() if an image is displayed
which needs to be converted by imagemagick:
i
Package: fbi
Version: 2.05-2
Severity: normal
$ F='"; echo buggy > buggy.log; : "'
$ touch "$F"
$ fbi "$F" 2>/dev/null
$ cat buggy.log
buggy
-- System Information:
Debian Release: lenny/sid
APT prefers testing
APT policy: (900, 'testing'), (600, 'unstable'), (500, 'experimental')
Architecture:
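The root cause Gerd names above (the filename reaching /bin/sh through popen()) is what Jakub's test filename triggers; the function below shows the standard replacement, spawning the converter without any shell. This is an added example, not fbi's code, and the `convert <file> ppm:-` command line in convert_to_ppm is an assumption, since the page does not show fbi's actual converter invocation.

```c
#include <errno.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* popen(cmd) hands cmd to /bin/sh, so a filename holding '"' or ';' becomes shell
 * syntax. Starting the converter with fork()+execvp() instead passes every argv
 * element verbatim with no shell involved. stdout is captured into out (NUL-
 * terminated, at most n-1 bytes); returns the exit status (127 if exec failed) or -1. */
int run_capture(char *const cmd[], char *out, size_t n)
{
    int fd[2], status;
    size_t used = 0;
    if (n == 0 || pipe(fd) == -1) return -1;
    pid_t pid = fork();
    if (pid == -1) { close(fd[0]); close(fd[1]); return -1; }
    if (pid == 0) {                         /* child: stdout -> pipe, then exec */
        close(fd[0]);
        if (dup2(fd[1], STDOUT_FILENO) == -1) _exit(127);
        close(fd[1]);
        execvp(cmd[0], cmd);
        _exit(127);                         /* exec failed: same code sh uses */
    }
    close(fd[1]);                           /* parent: read until EOF */
    for (;;) {
        ssize_t r = read(fd[0], out + used, n - 1 - used);
        if (r < 0 && errno == EINTR) continue;
        if (r <= 0) break;
        used += (size_t)r;
        if (used == n - 1) {                /* out is full: drain so the child can exit */
            char junk[256];
            while ((r = read(fd[0], junk, sizeof junk)) > 0 || (r < 0 && errno == EINTR)) { }
            break;
        }
    }
    out[used] = '\0';
    close(fd[0]);
    while (waitpid(pid, &status, 0) == -1)
        if (errno != EINTR) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* How fbi could call ImageMagick for a file it cannot decode itself. The command
 * line is assumed; the point is that the path is one argv element, never spliced
 * into a command string. */
int convert_to_ppm(const char *path, char *out, size_t n)
{
    char *const cmd[] = { "convert", (char *)path, "ppm:-", NULL };
    return run_capture(cmd, out, n);
}
```

Running the bug report's filename through run_capture with /bin/echo returns it unchanged and creates no buggy.log, because no shell ever parses the ';'.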