Bug#769719: nviboot fails to send recovery mail

Control: tags -1 + security * Adam M. Costello , 2014-11-15, 20:47: (su - nobody -s /bin/sh -c "$SENDMAIL $owner < $i" &) /dev/null 2>&0 Note that "$i" is a name of a file any user can create. This allows executing arbitrary code as user "nobody". PoC exploit: $

Bug#769719: nviboot fails to send recovery mail

Package: nvi Version: 1.81.6-11+b1 Severity: important Tags: patch Dear Maintainer, /etc/init.d/nviboot attempts to send mail about recovery from crashed editor sessions, but the attempt fails due to a misplaced quote. This line: (su - nobody -s /bin/sh -c $SENDMAIL