tags 665696 + security
clone 665696 -1
reassign -1 gosa
retitle -1 gosa: unescaped arguments used on a command line
found -1 gosa/2.6.11-3
found -1 gosa/2.6.11-3+squeeze1
fixed -1 gosa/2.7.3-1
tags -1 + squeeze fixed-upstream
blocks 665696 by -1
thanks
Hi!

So, the problem here was that %userPassword, or similar string substitutions into command lines specified in gosa.conf, are not escaped; and adding quotes to the gosa.conf file cannot properly escape them either.

On 27/03/12 10:27, Petter Reinholdtsen wrote:
> [Samuel Krempp]
>> [...] to escape userPassword (in functions.inc).
>
> OK. Then I believe we should patch gosa instead to fix it properly
> and completely, and get a fix into squeeze. For r1 we should probably
> provide our own patched package, until an update makes it into squeeze
> proper.

I was going to suggest we chase this upstream, but then I noticed:

> * gosa 2.6.12
> - Escaped command line arguments in some locations
> - Updated password handling and hooks, allows special chars in passwords
> - Added lock/unlock events for users

> $ grep -nR %userP gosa-core-2.6.13/
> gosa-core-2.6.13/include/functions.inc:3075: $command= preg_replace("/%userPassword/", escapeshellarg($password), $command);
> $ ls -al gosa-core-2.6.13/include/functions.inc
> -rw-r--r-- 1 steven steven 104887 Dec 14 2010 gosa-core-2.6.13/include/functions.inc

They already fixed this in the 2.6 series (back in December), and apparently made similar fixes in other places too?

In my opinion the fixes of 2.6.12 want to go into Debian s-p-u. Maybe even to security if it could be an issue outside of Debian Edu; fortunately I think the 'sudo' command line in gosa.conf was something specific to Debian Edu and that other GOsa users are not at such a risk by default.

Regards,
-- 
Steven Chamberlain
ste...@pyro.eu.org

-- 
To UNSUBSCRIBE, email to debian-edu-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/4f71967d.9050...@pyro.eu.org
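The two points in the message above (quoting the placeholder in gosa.conf does not help, and escaping at substitution time with escapeshellarg() does) can be seen side by side in the following PHP snippet. It is an added example, not GOsa code: the command template, the sample password and the function names are constructed for illustration, and str_replace() is used deliberately where the quoted 2.6.13 line uses preg_replace(), because a preg_replace() replacement string interprets `$n` and `\n` sequences as backreferences, which a password may contain.

```php
<?php
// Added example, not GOsa code. It contrasts the unescaped %userPassword
// substitution this bug is about with the escapeshellarg() form used by the
// 2.6.13 line quoted in the email, on a constructed template and password.

// Hypothetical hook template in the style of a gosa.conf command line
// (the real Debian Edu 'sudo' command is not reproduced here).
// Variant 1 puts quotes around the placeholder in the template itself,
// which is the approach the email says cannot work.
const TEMPLATE_QUOTED   = '/usr/bin/printf \'%s\n\' "%userPassword"';
// Variant 2 leaves the placeholder bare and relies on escaping at
// substitution time.
const TEMPLATE_UNQUOTED = '/usr/bin/printf \'%s\n\' %userPassword';

// Constructed password containing characters the shell treats specially.
const SAMPLE_PASSWORD = 'pa"ss; word\'s';

// Pre-fix behaviour: the password is pasted into the command line verbatim.
// str_replace() rather than preg_replace() so that '$' or '\' in the
// password are not interpreted as replacement backreferences.
function substitute_raw(string $template, string $password): string
{
    return str_replace('%userPassword', $password, $template);
}

// Fixed behaviour: escapeshellarg() single-quotes the value and escapes any
// embedded single quote, so the shell receives it as exactly one argument.
function substitute_escaped(string $template, string $password): string
{
    return str_replace('%userPassword', escapeshellarg($password), $template);
}

// Runs a command and returns its stdout; only the escaped form is executed.
function run(string $command): string
{
    return (string) shell_exec($command);
}

$raw     = substitute_raw(TEMPLATE_QUOTED, SAMPLE_PASSWORD);
$escaped = substitute_escaped(TEMPLATE_UNQUOTED, SAMPLE_PASSWORD);

echo "Quoted template, raw substitution:\n  $raw\n";
// The '"' inside the password closes the template's double quotes early and
// the ';' ends the command, so the shell no longer sees a single argument
// (here the result is a syntax error; with other characters it could be a
// second command). This form is shown but not executed.

echo "Bare template, escapeshellarg():\n  $escaped\n";
echo "printf received: " . run($escaped);
// Prints the password back unchanged on one line: the whole value reached
// printf as a single argument, quotes and ';' included.
```

The point to take from the comparison is that escaping must be applied to the value at the moment it is substituted, not written into the template: a single-quoted escapeshellarg() result dropped inside the template's own double quotes is just as broken as the raw form. Where the shell is not needed at all, passing the command to proc_open() as an array (supported since PHP 7.4) avoids shell parsing of the arguments entirely.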