Hi Folks,

This bug was reported upstream and partly fixed in Dec 2008:

http://www.gccxml.org/Bug/view.php?id=8083

There were *two* scripts with the problem. One was MIPSpro/find_flags, the other was "gccxml_find_flags" which was the one fixed (and later replaced by a C++ implementation anyway). At the time I missed that the MIPSpro one evaluates content of the file from /tmp in a shell as command-line arguments, permitting the back-tick evaluation attack. No one ever re-opened the bug to point that out or forwarded this Debian report upstream until now.

I re-opened the upstream report with a link to this report, committed a fix, and closed it again with a reference to the commit.

-Brad
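
The class of bug described in the message above, shown as an added example that is not part of the original e-mail and is not the gccxml MIPSpro/find_flags script or its fix. The function names, the flag values and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added illustration (hypothetical names); not code from gccxml.
# Scenario: a compiler probe wrote its flags to a file, and the script must
# turn that text into command-line arguments.

# Unsafe pattern: eval re-parses the file text as shell code, so `...` or
# $(...) inside the file runs as a command of whoever runs the script.
flags_via_eval() {
    eval "set -- $(cat "$1")"
    printf '%s\n' "$@"
}

# Safer pattern: the text is only split on whitespace, with pathname
# expansion switched off. It is never re-parsed as shell code, so
# back-ticks stay literal characters.
flags_as_data() (
    set -f
    unset IFS                 # default splitting: space, tab, newline
    set -- $(cat "$1")        # unquoted on purpose: field splitting only
    if [ $# -gt 0 ]; then printf '%s\n' "$@"; fi
)

# Constructed sample input, written into a private mktemp directory rather
# than a fixed, guessable file name under /tmp.
make_sample() {
    dir=$(mktemp -d) || return 1
    printf '%s\n' '-I/opt/include -DBUILD=`echo INJECTED`' > "$dir/flags"
    printf '%s\n' "$dir/flags"
}

sample=$(make_sample)
echo "via eval:"; flags_via_eval "$sample"
echo "as data:";  flags_as_data "$sample"
rm -rf "${sample%/flags}"
```

With eval the embedded command runs and its output becomes part of the flag; with plain splitting the back-ticks are passed through as text.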