Comment 5 for bug 1172341
Revision history for this message
|
|
#5 |
© 2004
Canonical Ltd.
•
Terms of use
•
Data privacy
•
Contact Launchpad Support
•
Blog
•
Careers
•
System status
•
1b1ed1a
(Get the code!)
I'm also obligated by full disclosure to point out
the reason (a CVE a few years back) why '~' (and other
characters) were not included in rpm Version: strings.
Many scripts/tools construct shell commands using
values in metadata: rpmbuild is one of those tools,
there are others.
E.g. rpmbuild removes the build tree whose name is constructed
from NVR tags in metadata. Consider this *.spec metadata:
Name: N
Version: V~whatever
Release: R
from which data rpmbuild constructs a command
rm -rf N-V~whatever
preparing for a build.
All that is needed to trick rpmbuild into removing
one's home directory is an alternative representation
for a space character in some shell context surrounding
the twiddle so that the command becomes
rm -rf N-V ~ whatever
A closely related exploit that appended ";rm -rf ~" to
the Name: value (but using alternative representations of
the ' ' character was reported to vendor-sec like 4 years ago