We wanted to inform all major *nix distributions via our responsible
disclosure policy about this problem before posting it, because it is
highly likely that this problem could lead to local root access on many
distributions. But, since part of this research contained in the document
was mentioned on some blog entries, we are forced to release it in a
full version.
Download URL:
http://www.defensecode.com/public/DefenseCode_Unix_WildCards_Gone_Wild.txtRegards,
Leon Juranic
Is there any fix or workaround?
ReplyDeleteWake/grow up guys: find -print0, xargs -r0, grep -Z, sort -z have been recomended with explicit mention of file/directory names starting with "-" within ALT Linux Secure Packaging Policy by Dmitry Levin back in 2001 or so.
ReplyDelete