

From: Mario Domenech Goulart
Subject: Re: [Chicken-hackers] [PATCH 2/4] csi: fix untrusted code execution by (load)ing ./.csirc
Date: Fri, 15 Mar 2013 21:16:48 -0400
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/24.2 (gnu/linux)

On Fri, 15 Mar 2013 11:47:20 +0100 Peter Bex <address@hidden> wrote:

> On Fri, Mar 15, 2013 at 06:58:42AM +0100, Florian Zumbiehl wrote:
>> Remove (load)ing of ./.csirc on csi startup as it can lead to execution of
>> untrusted code.
>
> This is pretty serious.  I'll request a CVE and issue an advisory
> shortly, once this patch has gone in.  Attached is a slightly improved
> patch which just ignores HOME if it's empty, as that's a little
> friendlier (it's not serious if HOME is empty and it can be easily
> recovered from).
>
> I've also added a note to NEWS.
>
> I nominate this patch for inclusion into the stability branch.

Thanks Florian and Peter.  I have pushed the patch.


Best wishes.
Mario
-- 
http://parenteses.org/mario


