------- Comment From ifran...@de.ibm.com 2018-11-20 10:32 EDT------- Regarding fork&exec: This would not solve the PATH security problem either. So we would also need to build our own PATH environment for exec.
Regarding libcryptsetup use: Yes we could do this, but we are generating different type of command, "cryptsetup luksFormat" and "cryptsetup plainOpen". Implementing this based ob libcryptsetup would basically mean to re-implement lost of what is in cryptsetup already. So we would have to maintain it, keep it current with cryptsetup, etc. Lost of things that we don't have to do the in the current approach. Also, these commands are only generated when --run option is specified, otherwise we just output the command string. Regarding shell escape vulnerabilities: The key file name is passed quoted to system, so that should be safe. Also if the key file name is checked when generating the key already, so you won't be able to generate a key with such a name. If you find a way to escape, then please open a new Bugzilla to report that. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1803958 Title: [UBUNTU] zkey: Fails to run commands generated by 'zkey cryptsetup' To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu-z-systems/+bug/1803958/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
