bug#66390: `man' allows to inject arbitrary shell code
From: lux
Subject: bug#66390: `man' allows to inject arbitrary shell code
Date: Tue, 10 Oct 2023 22:30:03 +0800
User-agent: Evolution 3.50.0-1

On Tue, 2023-10-10 at 17:54 +0700, Max Nikulin wrote:
> On 09/10/2023 23:30, lux wrote:
> >
> > Here's my patch and the test cases.
>
> Thank you for your attempt to fix the issue. Unfortunately the proposed
> patch breaks the following case
>
> M-x man RET -k man RET
>
> That is why I wrote that each word should be escaped independently.
>
> I am unsure if (man "-k man") should be supported as call with argument.
>
>
>
Thanks for the correction :-)
I have fixed my patch and tested it on Emacs 30.0.50; it's OK.
Stefan, Max, can you test it again?
0001-Fix-man.el-code-injection-vulnerability.patch
Description: Text Data
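
The review point quoted above (quoting the whole input breaks `-k man`, so each word has to be escaped independently), as an added example that is not part of the original message or of the attached patch. It assumes a `printf` stand-in for the `man` binary, Python's `shlex.quote` in place of the quoting done in Emacs Lisp, and two constructed input strings.

```python
import shlex
import subprocess

# Assumption: printf stands in for `man` and prints each argument it receives.
STAND_IN = "printf '[%s]\\n'"


def unquoted(args):
    """Behaviour named in the bug title: raw text reaches the shell."""
    return f"{STAND_IN} {args}"


def quote_whole(args):
    """Quote the input as one word: inert, but '-k man' becomes one argument."""
    return f"{STAND_IN} {shlex.quote(args)}"


def quote_each_word(args):
    """Split on whitespace and quote every word independently."""
    return f"{STAND_IN} " + " ".join(shlex.quote(w) for w in args.split())


def run(command):
    """Run the command line through /bin/sh and return its output lines."""
    out = subprocess.run(["/bin/sh", "-c", command],
                         capture_output=True, text=True, check=True)
    return out.stdout.splitlines()


# Constructed inputs: the legitimate case from the thread and a harmless
# metacharacter probe.
LEGIT = "-k man"
PROBE = "ls; echo INJECTED"

if __name__ == "__main__":
    builders = [("unquoted", unquoted), ("whole", quote_whole),
                ("per-word", quote_each_word)]
    for name, build in builders:
        for text in (LEGIT, PROBE):
            print(f"{name:9} {text!r:22} -> {run(build(text))}")
```

Only the per-word variant keeps `-k` and `man` as two arguments while passing the `;` through as literal text.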