http://bugzilla.opensuse.org/show_bug.cgi?id=910500 Neil Brown <nfbrown@suse.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Flags| |needinfo?(security-team@sus | |e.de) --- Comment #10 from Neil Brown <nfbrown@suse.com> --- Thanks for the report. I have submitted an update for 13.2 and Factory which makes this change: +- mdadm --detail --export "$dev" > $tmp || continue ++ mdadm --detail --export "$dev" | grep '^MD_UUID=' > $tmp || continue to the mdcheck script. You could easily do that by hand rather than wait for the update. Comment #6 is correct that this could be a security issue. If a USB device with carefully crafted metadata were plugged into an openSUSE host, the array would be automatically assembled. If it was still there at 1am when the mdcheck script is run by cron, then shell code from the array name would be executed. Security-team: is there anything else I should do w.r.t. the security aspect? -- You are receiving this mail because: You are on the CC list for the bug.