Openwall Project   /home  Owl  JtR  Pro  crypt  pam_passwdqc  tcb  phpass  scanlogd  popa3d  msulogin  /  Linux  BIND  /  advisories  presentations  /  services  donations  /  wordlists  passwords  /  news  community  lists  wiki  CVSweb  mirrors  signatures
bringing security into open environments
 
Password Recovery Resources on the Net
[<prev] [next>] [<thread-prev] [thread-next>] [month] [year] [list] 
Date: Thu, 15 Jan 2009 07:25:20 +0100
From: Thomas Biege <thomas@...e.de>
To: oss-security@...ts.openwall.com
Subject: Re: update on CVE-2008-5718

> > I am not very happy with the patch because it just filters a handful of
> > characters, a better solution would be to replace popen().
> > (I mentioned this on the netatalk-devel ML but got no answer so far.)
> 
> It is no full shell escape but escapes everything that 
> should be relevant for command injection. Sure, replacing 
> the popen would be the better option but I was not too happy 
> doing this as I guess it's more likely to break existing 
> functionality with it by accident.

Yes, such a patch need to come from upstream.


-- 
Bye,
     Thomas
-- 
 Thomas Biege <thomas@...e.de>, SUSE LINUX, Security Support & Auditing
 SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nuernberg)
-- 
           Hamming's Motto:
           The purpose of computing is insight, not numbers.
                                -- Richard W. Hamming

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Hosted by DataForce ISP - Powered by Openwall GNU/*/Linux