r6700 - in trunk/BOOK: . chapter01 chapter03 chapter06

Ken Moffat ken at linuxfromscratch.org
Thu Aug 18 09:03:06 PDT 2005


On Thu, 18 Aug 2005, Randy McMurchy wrote:

> ken at linuxfromscratch.org wrote these words on 08/18/05 10:35 CST:
>
> > Log:
> > Added bzgrep security patch
> >
> > +<para><command>Bzgrep</command> fails to sufficiently sanitise filenames passed
> > +to it. Apply the following to address this:</para>
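Review bot: the added para tells the reader to apply a patch without saying what the defect is; "fails to sufficiently sanitise filenames" does not name the characters involved or the consequence. State it concretely, for example "Bzgrep does not escape '|' and '&' in filenames passed to it, so a filename can be used to run commands with the privileges of the user running bzgrep. Apply the following to address this:", so someone reading the book can judge why the patch matters.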
>
> What is the chance this could be reworded so that it means something
> to folks not familiar with the bug? 'fails to sufficiently sanitise
> filenames' is meaningless to me.
>
 How about "does not escape '|' and '&' in filenames passed to it.
This allows arbitrary commands to be executed with the privileges of the
user running bzgrep" ?

 Guess I've been looking at way too many vulnerability reports, I'm
starting to understand some of the terminology.

Ken
-- 
 the first time as tragedy, the second time as farce
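The fix Ken describes is a quoting problem: a script that builds a command string from caller-supplied filenames and hands it to the shell must quote each name, or characters such as '|' and '&' are parsed as shell operators instead of as part of the path. The following is an added example written for this page, not the lfs-book patch and not code from the bzip2 project; the function names (shell_quote, quoted_grep_cmd, unquoted_grep_cmd, safe_grep) are assumptions chosen here. It shows the hardened pattern: every argument is single-quoted before interpolation, so a filename containing '|' reaches grep as one literal path.

```shell
#!/bin/sh
# Added example (assumed names; not the bzgrep script and not the lfs-book patch).
# Demonstrates safe construction of a command line from untrusted filenames
# before it is passed to eval, which is the class of defect the patch addresses.

# shell_quote: wrap $1 in single quotes, turning any embedded single quote
# into the sequence '\'' so the result is always one shell word.
# Note: command substitution drops trailing newlines, so a name ending in a
# newline would be truncated; such names need a different mechanism.
shell_quote() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# unquoted_grep_cmd: the fragile form. The filenames are spliced in verbatim,
# so the shell will later interpret any '|' or '&' they contain as operators.
# Shown only for comparison; it is never passed to eval here.
unquoted_grep_cmd() {
    pat=$1; shift
    printf '%s' "grep -H $pat $*"
}

# quoted_grep_cmd: the hardened form. Pattern and every filename are quoted,
# so the string handed to eval contains exactly one word per argument.
quoted_grep_cmd() {
    pat=$(shell_quote "$1"); shift
    cmd="grep -H $pat"
    for f in "$@"; do
        cmd="$cmd $(shell_quote "$f")"
    done
    printf '%s' "$cmd"
}

# safe_grep PATTERN FILE...: run the quoted command through eval, the same
# way a wrapper script like bzgrep dispatches to grep.
safe_grep() {
    eval "$(quoted_grep_cmd "$@")"
}

# Stand-alone demonstration on a constructed file whose name contains '|'.
if [ "${0##*/}" != "sh" ] && [ -z "$SHELL_QUOTE_NO_DEMO" ]; then
    tmp=$(mktemp -d) || exit 1
    printf 'needle\n' > "$tmp/a|b.txt"
    echo "fragile: $(unquoted_grep_cmd needle "$tmp/a|b.txt")"
    echo "quoted:  $(quoted_grep_cmd needle "$tmp/a|b.txt")"
    safe_grep needle "$tmp/a|b.txt"
    rm -rf "$tmp"
fi
```

The difference is visible in the two printed command strings: the fragile one contains a bare `|` that the shell would treat as a pipe, while the quoted one keeps the whole path inside single quotes. The same quoting helper is the right tool for any wrapper that must go through `eval` or `sh -c` with caller-controlled arguments.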
