> There is a command injection flaw in lsyncd, a file change monitoring
> and synchronization daemon:
>
> https://github.com/axkibe/lsyncd/issues/220
>
> https://github.com/creshal/lsyncd/commit/18f02ad013b41a72753912155ae2ba72f2a53e52
>
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=767227

Use CVE-2014-8990. The scope of this CVE ID includes both:

  1. code execution with ` characters or other characters that are
     special to a shell

  2. denial of service scenarios in which a user with write access to a
     local directory uses special characters to make synchronization
     fail (might have security relevance in some scenarios)

The MITRE CVE team does not have a Lua expert. The code change adds:

  local path1 = event.path:gsub ('"', '\\"'):gsub ('`', '\\`'):gsub ('%$','\\%$')
  local path2 = event2.path:gsub ('"', '\\"'):gsub ('`', '\\`'):gsub ('%$','\\%$')

This does not seem to be the typical fix approach for unsafe input to
a shell. Has anyone concluded that this is an incomplete fix that
ought to be modified before the 2.1.6 release?

-- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
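
For comparison with the character-by-character escaping quoted in the message, this is the usual way to hand an untrusted path to a shell, written as an added example (it is not from the lsyncd commit or from this message): wrap the value in single quotes, rewrite each embedded single quote, and check that the value round-trips. `shquote` and `roundtrip` are hypothetical names, the file names are constructed, and a POSIX `sh` behind `io.popen` is assumed.

```lua
-- Added example, not lsyncd code. Assumes a POSIX sh behind io.popen.

-- Quote one value as a single shell word. Inside '...' the shell treats no
-- character as special, so only the single quote itself needs handling:
-- close the quotes, emit an escaped quote, reopen ('\'').
local function shquote(s)
  -- A NUL cannot survive the C string handed to the shell; refuse it.
  if s:find('\0', 1, true) then
    error('NUL byte in shell argument')
  end
  local quoted = s:gsub("'", "'\\''")
  return "'" .. quoted .. "'"
end

-- Pass the quoted value through the shell and return what the command
-- actually received as its argument.
local function roundtrip(s)
  local pipe = assert(io.popen("printf '%s' " .. shquote(s), 'r'))
  local out = pipe:read('*a')
  pipe:close()
  return out
end

-- Constructed file names covering the characters named in the message
-- (", ` and $) plus others a shell gives meaning to.
local names = {
  'plain.txt',
  'two words.txt',
  'quote".txt',
  'tick`date`.txt',
  'dollar$HOME.txt',
  "single'quote.txt",
  'back\\slash.txt',
  'semi;colon&amp.txt',
  'new\nline.txt',
}

local failures = 0
for _, name in ipairs(names) do
  local ok = roundtrip(name) == name
  if not ok then failures = failures + 1 end
  print(string.format('%-4s %s', ok and 'ok' or 'FAIL', shquote(name)))
end
assert(failures == 0, 'quoting did not round-trip')
```

Where the child process can be started with an argument vector instead of a command string, no quoting is needed at all.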