Package: sanoid
Version: 2.2.0-1
Severity: important
Tags: upstream patch

Hi,

line 496 of syncoid reads

    $recvoptions .= " -o $key=$value";

this string is then apparently passed to a shell, which will split $value into words on whitespace, causing the zfs command line to become invalid at best and do something nasty at worst (think e.g. "zfs set foo='; zpool destroy tank'" or "zfs set foo='$(cat /path/to/secret/file)'" -- I haven't determined whether these would "work" but they might).

The following looks like a valid quick fix, but I don't know enough perl to be sure:

    $recvoptions .= " -o $key='''$value'''";

Justification for severity 'important': this is serious (potentially security relevant) breakage but it doesn't affect everyone.

András

-- System Information:
Debian Release: trixie/sid
  APT prefers unstable
  APT policy: (350, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=hu_HU.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8
Init: runit (via /run/runit.stopit)

sanoid recommends no packages.

sanoid suggests no packages.

-- 
I've often asked myself what kind of idiot makes up taglines, and now I know.
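The quoting problem the report describes, shown as an added Perl example that is not syncoid's or sanoid's code: a `shell_quote` helper (the same approach as CPAN's String::ShellQuote) wraps the whole `key=value` pair in single quotes, escaping any embedded single quote, and a small round trip through /bin/sh confirms that whitespace, quotes and `$(...)` arrive as one literal argument. The variable name `$recvoptions` is taken from the report; `recv_option`, `recv_argv`, `argv_seen_by_shell` and the sample property values are assumptions made for this example.

```perl
#!/usr/bin/perl
# Added example (not syncoid's own code): build one "-o key=value" receive
# option so that the value survives a trip through /bin/sh as a single word.
use strict;
use warnings;

# Wrap a string in single quotes for POSIX sh. Inside single quotes the shell
# interprets nothing at all, so the only character that needs handling is the
# single quote itself: close the quote, add an escaped quote, reopen.
sub shell_quote {
    my ($s) = @_;
    $s =~ s/'/'\\''/g;
    return "'$s'";
}

# Assumed helper: the string fragment that would be appended to $recvoptions.
# Quoting the whole key=value pair means neither half can be split or expanded.
sub recv_option {
    my ($key, $value) = @_;
    return " -o " . shell_quote("$key=$value");
}

# Assumed helper: hand the fragment to sh the way a pipeline command line would,
# and report the argv the shell actually produced (one element per word).
sub argv_seen_by_shell {
    my ($opt) = @_;
    my $out = qx{sh -c 'printf "%s\\n" "\$@"' sh $opt};
    return [ split /\n/, $out ];
}

# Where no "zfs send | zfs receive" pipeline is needed, the safest option is to
# skip the shell entirely: list-form system() passes every element as its own
# argv entry, so nothing is ever word-split or expanded.
sub recv_argv {
    my ($dataset, $key, $value) = @_;
    return ('zfs', 'receive', '-o', "$key=$value", $dataset);
}

# Constructed sample values: a plain one, then ones carrying whitespace, a
# single quote and a command substitution. All must reach zfs unchanged.
for my $value ('on', 'two words', "it's", '$(id)') {
    my $opt  = recv_option('com.example:note', $value);
    my $argv = argv_seen_by_shell($opt);
    printf "fragment:%s\n  argv: %s\n", $opt,
        join(' | ', map { "[$_]" } @$argv);
}

# The list form needs no quoting at all:
my @cmd = recv_argv('tank/backup', 'com.example:note', "it's");
print "list form: ", join(' | ', map { "[$_]" } @cmd), "\n";
```

Run it with `perl quote_demo.pl`: each fragment should produce exactly two argv entries, `[-o]` and `[com.example:note=...]`, with the value intact (for `$(id)` the literal text, not the output of `id`). A value that yields three or more entries, or a changed second entry, is the word-splitting the report describes.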