[Bug 735394] New: sysconfig: Improper quoting of variable (wireless AP related)
https://bugzilla.novell.com/show_bug.cgi?id=735394
https://bugzilla.novell.com/show_bug.cgi?id=735394#c0

           Summary: sysconfig: Improper quoting of variable (wireless AP related)
    Classification: openSUSE
           Product: openSUSE 12.1
           Version: Final
          Platform: Other
        OS/Version: Other
            Status: NEW
          Severity: Normal
          Priority: P5 - None
         Component: Security
        AssignedTo: security-team@suse.de
        ReportedBy: jnelson-suse@jamponi.net
         QAContact: qa@suse.de
          Found By: ---
           Blocker: ---

User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:8.0) Gecko/20100101 Firefox/8.0

In this context, the variable "CONFIG" comes from the *name* of the AP one might be associated with in a wireless environment (which can contain just about any old cruft.)

In my case, I connected to a network with a space in the name, and *happened* to be watching /var/log/messages and /var/log/NetworkManager. This is what I saw:

Dec 7 09:41:23 some_laptop dbus-daemon[20761]: scripts/ifup-services: line 98: test: ./ifcfg-wlan0-Uphill: binary operator expected

Line 98-100 reads:

    test -f ./ifcfg-$CONFIG && . ./ifcfg-$CONFIG
    if [ -d "ifservices-$CONFIG" ] ; then
        cd ifservices-$CONFIG

The first and third lines make use of $CONFIG _unquoted_.

I can see this being a potential security issue. It's probably worth auditing the rest of the associated files for similar issues.

Reproducible: Always

Steps to Reproduce:
1.
2.
3.

--
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.

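The behaviour described in the report, together with a quote-aware check for the audit it suggests, as an added example that is not part of the bug report or of the sysconfig package. The network name "Uphill Cafe", the file names and all function names are constructed for illustration.

```sh
#!/bin/sh
# Added example; the network name and file names are constructed.

# Unquoted, as on line 98 of the report: the expanded value is split on
# whitespace before test sees it, so "Uphill Cafe" becomes two arguments.
has_config_unquoted() { CONFIG=$1; test -f ./ifcfg-$CONFIG 2>/dev/null; }

# Quoted: the whole name reaches test as a single argument.
has_config_quoted() { CONFIG=$1; test -f "./ifcfg-$CONFIG"; }

# Heuristic audit: print lines that expand $VAR outside double quotes.
# Works line by line; ${VAR} and quotes spanning lines are not handled.
audit_unquoted() {    # usage: audit_unquoted VAR [FIRST_LINE_NO] < script
    awk -v var="$1" -v first="${2:-1}" '
    {
        inq = 0; hit = 0; n = length($0); w = length(var) + 1
        for (i = 1; i <= n; i++) {
            c = substr($0, i, 1)
            if (c == "\\") { i++; continue }          # escaped character
            if (c == "\"") { inq = !inq; continue }   # toggle double quotes
            if (c == "\047" && !inq) {                # skip single-quoted text
                while (++i <= n && substr($0, i, 1) != "\047") ;
                continue
            }
            if (!inq && substr($0, i, w) == ("$" var) &&
                substr($0, i + w, 1) !~ /[A-Za-z0-9_]/) hit = 1
        }
        if (hit) printf "%d: %s\n", NR + first - 1, $0
    }'
}

# Lines 98-100 of scripts/ifup-services as quoted in the report.
reported_lines() {
    cat <<'EOF'
test -f ./ifcfg-$CONFIG && . ./ifcfg-$CONFIG
if [ -d "ifservices-$CONFIG" ] ; then
cd ifservices-$CONFIG
EOF
}

demo() {
    dir=$(mktemp -d) && cd "$dir" || return 1
    : > "ifcfg-wlan0-Uphill Cafe"
    for f in has_config_unquoted has_config_quoted; do
        if "$f" "wlan0-Uphill Cafe"; then echo "$f: found"; else echo "$f: status $?"; fi
    done
    reported_lines | audit_unquoted CONFIG 98
}
demo
```

With the constructed name, the unquoted check fails with an error status even though the file exists, and the audit reports lines 98 and 100, the two the report identifies. ShellCheck flags the same pattern as SC2086.
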
https://bugzilla.novell.com/show_bug.cgi?id=735394#c2

Swamp Workflow Management <swamp@suse.de> changed:

  What:    Priority
  Removed: P5 - None
  Added:   P3 - Medium

--- Comment #2 from Swamp Workflow Management <swamp@suse.de> 2011-12-07 23:00:28 UTC ---
bugbot adjusting priority

https://bugzilla.novell.com/show_bug.cgi?id=735394#c5

--- Comment #5 from Ludwig Nussel <lnussel@suse.com> 2011-12-12 16:09:46 CET ---
CVE-2011-4182

https://bugzilla.novell.com/show_bug.cgi?id=735394#c7

Swamp Workflow Management <swamp@suse.de> changed:

  What:    Status Whiteboard
  Removed:
  Added:   maint:running:44544:moderate

--- Comment #7 from Swamp Workflow Management <swamp@suse.de> 2011-12-12 15:40:28 UTC ---
The SWAMPID for this issue is 44544.
This issue was rated as moderate.
Please submit fixed packages until 2011-12-26.
When done, please reassign the bug to security-team@suse.de.
Patchinfo will be handled by security team.

https://bugzilla.novell.com/show_bug.cgi?id=735394#c12

--- Comment #12 from Bernhard Wiedemann <bwiedemann@suse.com> 2011-12-19 14:00:43 CET ---
This is an autogenerated message for OBS integration:
This bug (735394) was mentioned in
https://build.opensuse.org/request/show/97040 12.1 / sysconfig
https://build.opensuse.org/request/show/97041 11.4 / sysconfig
https://build.opensuse.org/request/show/97042 11.3 / sysconfig
https://build.opensuse.org/request/show/97043 Factory / sysconfig

https://bugzilla.novell.com/show_bug.cgi?id=735394#c

Ludwig Nussel <lnussel@suse.com> changed:

  What:    Status Whiteboard
  Removed: maint:running:44544:moderate
  Added:   maint:running:44544:moderate obs:running:155:moderate

https://bugzilla.novell.com/show_bug.cgi?id=735394#c14

Swamp Workflow Management <swamp@suse.de> changed:

  What:    Status Whiteboard
  Removed: maint:running:44544:moderate obs:running:155:moderate
  Added:   maint:running:44544:moderate obs:running:155:moderate maint:released:sle10-sp3:44624

--- Comment #14 from Swamp Workflow Management <swamp@suse.de> 2012-01-11 11:09:04 UTC ---
Update released for: sysconfig, sysconfig-debuginfo
Products:
SLE-SERVER 10-SP3-TERADATA (x86_64)

https://bugzilla.novell.com/show_bug.cgi?id=735394#c15

Ludwig Nussel <lnussel@suse.com> changed:

  What:    Status
  Removed: ASSIGNED
  Added:   RESOLVED

  What:    Resolution
  Removed:
  Added:   FIXED

--- Comment #15 from Ludwig Nussel <lnussel@suse.com> 2012-01-19 13:24:23 CET ---
released

https://bugzilla.novell.com/show_bug.cgi?id=735394#c16

Swamp Workflow Management <swamp@suse.de> changed:

  What:    Status Whiteboard
  Removed: maint:running:44544:moderate obs:running:155:moderate maint:released:sle10-sp3:44624
  Added:   maint:running:44544:moderate obs:running:155:moderate maint:released:sle10-sp3:44624 maint:released:sle10-sp4:44625

--- Comment #16 from Swamp Workflow Management <swamp@suse.de> 2012-02-08 14:09:31 UTC ---
Update released for: sysconfig, sysconfig-debuginfo
Products:
SLE-DEBUGINFO 10-SP4 (i386, ia64, ppc, s390x, x86_64)
SLE-DESKTOP 10-SP4 (i386, x86_64)
SLE-SERVER 10-SP4 (i386, ia64, ppc, s390x, x86_64)

https://bugzilla.novell.com/show_bug.cgi?id=735394#c

Swamp Workflow Management <swamp@suse.de> changed:

  What:    Status Whiteboard
  Removed: maint:running:44544:moderate obs:running:155:moderate maint:released:sle10-sp3:44624 maint:released:sle10-sp4:44625
  Added:   obs:running:155:moderate maint:released:sle10-sp3:44624 maint:released:sle10-sp4:44625

https://bugzilla.novell.com/show_bug.cgi?id=735394#c17

--- Comment #17 from Bernhard Wiedemann <bwiedemann@suse.com> 2012-02-17 23:00:53 CET ---
This is an autogenerated message for OBS integration:
This bug (735394) was mentioned in
https://build.opensuse.org/request/show/105749 Evergreen:11.2 / sysconfig

https://bugzilla.novell.com/show_bug.cgi?id=735394#c18

--- Comment #18 from Bernhard Wiedemann <bwiedemann@suse.com> 2012-02-22 14:00:24 CET ---
This is an autogenerated message for OBS integration:
This bug (735394) was mentioned in
https://build.opensuse.org/request/show/106448 Evergreen:11.2 / sysconfig

http://bugzilla.novell.com/show_bug.cgi?id=735394

Swamp Workflow Management <swamp@suse.de> changed:

  What:    Whiteboard
  Removed: obs:running:155:moderate maint:released:sle10-sp3:44624 maint:released:sle10-sp4:44625
  Added:   maint:released:sle10-sp3:44624 maint:released:sle10-sp4:44625