On Sun, Sep 22, 2013 at 06:57:47PM +0200, steph...@bortzmeyer.org wrote:
> Package: efingerd
> Version: 1.6.2.7+nmu1
> Severity: important
> 
> Dear Maintainer,
> 
> I'm afraid the default scripts in /etc/efingerd have a security
> weakness. They use $2 (the client IP address or host name) without
> escaping it. Since the efingerd package runs by default *without* the
> -n option, $2 will be a host name controlled by the client. If the
> name returned by the DNS PTR query is something like:
> 
> foobar" ; do_something_evil
> 
> bad things can happen.
>

Hi,
could you please specify which script is affected by this?
The "$2" is in quotes, and anyway it is invoked via execl(3), so I
cannot find a way to subvert the script - that is not to say I do
not believe this is a real risk, I just do not see an obvious way to
exploit it.

Best,
-- 
 -----------------------------------------------------------
| Radovan Garabík http://kassiopeia.juls.savba.sk/~garabik/ |
| __..--^^^--..__    garabik @ kassiopeia.juls.savba.sk     |
 -----------------------------------------------------------
Antivirus alert: file .signature infected by signature virus.
Hi! I'm a signature virus! Copy me into your signature file to help me spread!
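
Added example, not part of the original thread and not one of efingerd's shipped scripts: a constructed handler showing how a shell treats the sample PTR value from the report when "$2" is quoted, how many arguments a quoted and an unquoted expansion produce, and a character check to apply before the name is logged or passed on. The function names, the use of $1 as a user name and the `invalid-peer` placeholder are assumptions made for this illustration.

```shell
#!/bin/sh
# Added illustration; a constructed handler, not one of efingerd's shipped scripts.
# PEER is the sample PTR value from the report; it is only ever treated as data.
PEER='foobar" ; do_something_evil'

EVIL_RAN=0
do_something_evil() { EVIL_RAN=1; }   # harmless marker: flips a flag if ever run

# Hypothetical handler: $1 = requested user (assumed), $2 = peer name.
# A quoted expansion hands the value over as one argument; it is not re-parsed.
handler_quoted() {
    printf 'finger %s from %s\n' "$1" "$2"
}

# Number of arguments a quoted vs. an unquoted expansion of the value produces.
args_quoted()   { set -- "$1"; echo "$#"; }
args_unquoted() { set -f; set -- $1; set +f; echo "$#"; }

# Defensive check before logging or passing the name on: accept only
# letters, digits, '.', ':' and '-' (host names and IP literals).
sanitize_peer() {
    case "$1" in
        ''|*[!A-Za-z0-9.:-]*) printf '%s\n' 'invalid-peer' ;;
        *)                    printf '%s\n' "$1" ;;
    esac
}

handler_quoted alice "$PEER"
echo "quoted args: $(args_quoted "$PEER"), unquoted args: $(args_unquoted "$PEER")"
echo "marker ran: $EVIL_RAN"
echo "sanitized: $(sanitize_peer "$PEER") / $(sanitize_peer host.example.org)"
```

The quoted expansion only covers the shell's own parsing; a program that later receives the name and interprets it (a mailer, a logger with format strings, an `eval`) needs the character check as well.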
