Hello.

I see that my patch [1] was overlooked and then [2] was written the next day. It introduces at least 2 new code execution vulnerabilities relating to filenames containing $(..). I would recommend you avoid executing /bin/sh.

[1] http://lists.gnu.org/archive/html/bug-patch/2018-04/msg00000.html
[2] http://git.savannah.gnu.org/cgit/patch.git/commit/?id=123eaff0d5d1aebe128295959435b9ca5909c26d
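
An added example, not part of the message above and not code from GNU patch: it shows why a filename containing $(..) is expanded when it is pasted into a /bin/sh command line, even inside double quotes, and how passing it as a single argv element avoids that. The helper names, the sample filename and the use of /bin/echo as the child program are assumptions made for the illustration.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Exec argv[0] with argv (no shell), capture stdout; returns exit status or -1. */
static int run_argv(char *const argv[], char *out, size_t outsz)
{
    int fds[2], status;
    if (outsz == 0 || pipe(fds) != 0) return -1;
    pid_t pid = fork();
    if (pid < 0) { close(fds[0]); close(fds[1]); return -1; }
    if (pid == 0) {                      /* child: stdout -> pipe, then exec */
        dup2(fds[1], STDOUT_FILENO);
        close(fds[0]); close(fds[1]);
        execv(argv[0], argv);
        _exit(127);
    }
    close(fds[1]);
    size_t n = 0; ssize_t r;
    while (n < outsz - 1 && (r = read(fds[0], out + n, outsz - 1 - n)) > 0)
        n += (size_t)r;
    out[n] = '\0';
    close(fds[0]);
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Weak: the filename becomes part of text that /bin/sh parses. */
static int echo_name_via_shell(const char *name, char *out, size_t outsz)
{
    char cmd[512];
    if (snprintf(cmd, sizeof cmd, "echo \"%s\"", name) >= (int)sizeof cmd) return -1;
    char *argv[] = { "/bin/sh", "-c", cmd, NULL };
    return run_argv(argv, out, outsz);
}

/* Hardened: the filename is one argv element and is never parsed by a shell. */
static int echo_name_direct(const char *name, char *out, size_t outsz)
{
    char *argv[] = { "/bin/echo", (char *)name, NULL };
    return run_argv(argv, out, outsz);
}

int main(void)
{
    char a[128], b[128];
    const char *name = "a$(echo INJECTED).txt";   /* constructed sample filename */
    echo_name_via_shell(name, a, sizeof a);
    echo_name_direct(name, b, sizeof b);
    printf("via /bin/sh: %svia execv:   %s", a, b);
    return 0;
}
```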
