Potential arbitrary execution in expandvars
Bug #2055348 reported by
Mitch Burton
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| landscape-client (Ubuntu) |
Fix Released
|
High
|
Mitch Burton | ||
Bug Description
landscape.
This function is currently only executed using values defined in Ubuntu Core configuration, but this is still an external source and we should do shell-like expansion in a way that does not allow for execution of the user-provided values.
Related branches
~mitchburton/ubuntu/+source/landscape-client:2055348-fix-expandvars-arb-exec
Merged
into
ubuntu/+source/landscape-client:ubuntu/devel
at
revision e5d57da68ec9b347c27ce40fed76beab2083d5df
- Andreas Hasenack: Approve
-
Diff: 115 lines (+95/-0)3 files modifieddebian/changelog (+7/-0)
debian/patches/2055348-fix-expandvars-arb-exec.patch (+87/-0)
debian/patches/series (+1/-0)
| Changed in landscape-client (Ubuntu): | |
| importance: | Undecided → High |
Revision history for this message
| Mitch Burton (mitchburton) wrote | #1 |
| Changed in landscape-client (Ubuntu): | |
| assignee: | nobody → Mitch Burton (mitchburton) |
| Changed in landscape-client (Ubuntu): | |
| status: | New → In Progress |
Revision history for this message
| Launchpad Janitor (janitor) wrote | #2 |
| Changed in landscape-client (Ubuntu): | |
| status: | In Progress → Fix Released |
To post a comment you must log in.
Upstream replacement with python here: https:/
Will produce patch.