[Bug 539976] New: command injection in preload
http://bugzilla.novell.com/show_bug.cgi?id=539976

           Summary: command injection in preload
    Classification: openSUSE
           Product: openSUSE 11.2
           Version: Factory
          Platform: Other
        OS/Version: Other
            Status: NEW
          Severity: Blocker
          Priority: P5 - None
         Component: Basesystem
        AssignedTo: coolo@novell.com
        ReportedBy: meissner@novell.com
         QAContact: qa@suse.de
                CC: security-team@suse.de
          Found By: Security Response Team

prepare_preload has a command injection issue.

    my $blocks = qx{/sbin/print-bmap $f 2>/dev/null};

should perhaps be

    my $blocks = qx{/sbin/print-bmap "$f" 2>/dev/null};

otherwise you could have filenames with ;rm /etc/passwd or $(id) or so in it.

(I saw this with filenames with ( ) in them already.)

--
Configure bugmail: http://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
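
Added example, not code from preload or from the bug report: one way to get the tool's output with no shell parsing the filename at all, by forking and calling exec with an argument list. The stand-in tool (the running perl echoing its first argument), the helper name run_tool and the sample filenames are constructed for illustration; in prepare_preload the argument list would be ['/sbin/print-bmap'].

```perl
#!/usr/bin/perl
use strict;
use warnings;
use POSIX ();

# Run a helper on one file without /bin/sh in between. exec() with a list
# hands every element to execvp() unchanged, so spaces, parentheses, ';'
# and '$(...)' in $file stay part of a single argument.
sub run_tool {
    my ($argv, $file) = @_;
    my $pid = open(my $out, '-|');        # fork; child's STDOUT is our pipe
    die "fork failed: $!" unless defined $pid;
    if ($pid == 0) {
        open(STDERR, '>', '/dev/null');   # replaces the shell's 2>/dev/null
        # _exit is only reached if exec itself failed
        exec { $argv->[0] } @$argv, $file or POSIX::_exit(127);
    }
    local $/;                             # slurp all of the child's output
    my $blocks = <$out>;
    close($out);                          # reaps the child, sets $?
    return $blocks // '';
}

# Constructed stand-in for /sbin/print-bmap: this perl echoing its argument.
my @tool  = ($^X, '-e', 'print "arg: <$ARGV[0]>\n"');
# Constructed sample names of the kinds mentioned in the report.
my @names = ('a (copy).txt', 'x;echo INJECTED', '$(echo INJECTED)', 'q"x');
print run_tool(\@tool, $_) for @names;

# For contrast, the same kind of name placed inside double quotes on a shell
# command line: sh still performs command substitution inside double quotes,
# so the inner echo runs instead of the name being passed through literally.
my $f = '$(echo INJECTED)';
print qx{echo "$f"};
```

Each name reaches the tool as one unmodified argument in the list form, which is why it holds up for names that double quotes alone do not neutralise.
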
http://bugzilla.novell.com/show_bug.cgi?id=539976

User coolo@novell.com added comment
http://bugzilla.novell.com/show_bug.cgi?id=539976#c1

Stephan Kulow <coolo@novell.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |FIXED

--- Comment #1 from Stephan Kulow <coolo@novell.com> 2009-09-18 12:25:13 MDT ---
fixed