doesn't sanitize command line inputs

Bug #338956 reported by Marian Sigler
Affects: checkinstall (Ubuntu)
Status: Expired
Importance: Undecided
Assigned to: Unassigned

Bug Description

Binary package hint: checkinstall

(Hardy, checkinstall version: 1.6.1-5ubuntu1)
When using an option like --requires 'foo (>=1.0)' checkinstall interprets that parameter:

      --requires)
         shift
         REQUIRES=`eval echo $1`
         ;;

Which leads to some warnings:
 /usr/bin/checkinstall: eval: line 494: syntax error near unexpected token `('
 /usr/bin/checkinstall: eval: line 494: `echo foo (>=1.0)'

I think that's not as it should be. One expects the given options to be used as provided and not to be interpreted. If I want to use a command's output I'd use --requires "$(somecommand)", not --requires `somecommand`.

While looking around I found another problem:
function shell_escape() {
        for str in "$@" ; do
                echo -n "\"$str\" "
        done;
        echo
}
This interprets variables and other $... stuff in $str; if there is a " in $str, it gets even worse. It should, for example, be escaped with single quotes (and single quotes in the string replaced with '\'').

Andreas Noteng (andreas-noteng) wrote :

Can you please try with the latest development release of Ubuntu (lucid) and see if the problem persists?
Thanks for reporting this bug.

Changed in checkinstall (Ubuntu):
status: New → Incomplete
Launchpad Janitor (janitor) wrote :

[Expired for checkinstall (Ubuntu) because there has been no activity for 60 days.]

Changed in checkinstall (Ubuntu):
status: Incomplete → Expired