Potential arbitrary execution in expandvars
Bug #2055348 reported by Mitch Burton
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
landscape-client (Ubuntu) | Fix Released | High | Mitch Burton |
Bug Description
landscape.
This function is currently only executed using values defined in Ubuntu Core configuration, but this is still an external source and we should do shell-like expansion in a way that does not allow for execution of the user-provided values.
Related branches
~mitchburton/ubuntu/+source/landscape-client:2055348-fix-expandvars-arb-exec
Merged into ubuntu/+source/landscape-client:ubuntu/devel at revision e5d57da68ec9b347c27ce40fed76beab2083d5df
- Andreas Hasenack: Approve
Diff: 115 lines (+95/-0), 3 files modified:
- debian/changelog (+7/-0)
- debian/patches/2055348-fix-expandvars-arb-exec.patch (+87/-0)
- debian/patches/series (+1/-0)
Changed in landscape-client (Ubuntu): importance: Undecided → High
Changed in landscape-client (Ubuntu): status: New → In Progress
Upstream replacement with python here: https://github.com/canonical/landscape-client/pull/222
Will produce patch.
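
The requirement in the bug description, shell-like expansion that never executes the supplied values, can be met by substituting in Python without starting a shell. The following is an added example, not the landscape-client patch or the upstream code; the name `expand_vars`, the supported syntax (`$name`, `${name}`, `${name:offset:length}`) and the sample values are assumptions.

```python
import re

# Matches $name, ${name}, ${name:offset} and ${name:offset:length}.
# Anything else that starts with "$", such as "$(...)", is not matched.
_VAR = re.compile(
    r"\$(?:(?P<bare>[A-Za-z_][A-Za-z0-9_]*)"
    r"|\{(?P<name>[A-Za-z_][A-Za-z0-9_]*)"
    r"(?::(?P<offset>\d+)(?::(?P<length>\d+))?)?\})"
)


def expand_vars(pattern, variables):
    """Expand variable references in pattern using only the given mapping.

    No shell is started, so command substitution, backticks, pipes and
    semicolons in the pattern or in the values are left as plain text.
    Unknown variables expand to the empty string, as they would in a shell.
    """

    def substitute(match):
        name = match.group("bare") or match.group("name")
        value = str(variables.get(name, ""))
        if match.group("offset") is not None:
            value = value[int(match.group("offset")):]
            if match.group("length") is not None:
                value = value[: int(match.group("length"))]
        return value

    # re.sub makes a single pass, so text produced by a substitution is
    # never scanned again: a value containing "$other" stays literal.
    return _VAR.sub(substitute, pattern)


# Constructed sample values, not taken from a real device.
SAMPLE = {
    "hostname": "core-device",
    "serial": "f315cab5-ba74-4d3c-be85-713406455773",
}

if __name__ == "__main__":
    print(expand_vars("${hostname}-${serial:0:8}", SAMPLE))
    print(expand_vars("$hostname; $(echo injected) `echo injected`", SAMPLE))
```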