On Wed, 10 Mar 2010, Dan Nelson wrote:
> In the last episode (Mar 09), Don Armstrong said:
> > popen shouldn't be used with user data; there is arbitrary remote code
> > execution when using -x.
> >
> > You can temporarily disable -x; see
> > http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=573228 for more
> > details.
>
> I've got a preliminary patch at
> http://savannah.nongnu.org/bugs/index.php?29136 that replaces popen() with a
> popenv() function that takes an execv-style argument array; it's untested at
> the moment since I don't use -x myself.

Yeah, it's not the default in Debian either. I'll try to whip up a test
for this a bit later, but the patch basically does what I was planning
on doing too.

Thanks for responding quickly!

Don Armstrong

-- 
It seems intuitively obvious to me, which means that it might be wrong
 -- Chris Torek

http://www.donarmstrong.com              http://rzlab.ucr.edu

_______________________________________________
Spamass-milt-list mailing list
[email protected]
http://lists.nongnu.org/mailman/listinfo/spamass-milt-list
