Source: roxterm Version: 2.6.5-1 Severity: grave Tags: security When trying to click on an URL inside the roxterm window that contains a single quote ('), the resulting command sent to the shell includes this quote and is interpreted by the shell, for example:
http://example.com/quote'here will be handled as x-www-browser 'http://example.com/quote'here' In this example, shell will complain that there's no closing quote before the end of command, but I can guess this can be (ab)used for some more interesting scenarious, like to spawn commands unexpectedly: http://example.com/one'foo|bar'two or the like. The charset allowed in this context does not contain space and tab, so it isn't directly possible to run some even more interesting commands (like rm -rf /), but it is enough for a good exploit already. I think this issue deserves a CVE#. Thanks, /mjt -- To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org