Package: dict
Version: 1.12.0+dfsg-5
Severity: normal
File: /usr/bin/dictl
Tags: patch upstream
dictl (unlike dict) does not handle apostrophe correctly:
% dictl "won't"
/usr/bin/dictl: 1: eval: Syntax error: Unterminated quoted string
This means arbitrary code execution if dictl is used in a script
accepting untrusted data (but dictl is not suitable for such scripts
anyway due to lack of "--" argument support):
% dictl -- "asdfasdf';echo qqq;beep;':"
No definitions found for "asdfasdf"
qqq
--- /usr/bin/dictl 2012-05-20 23:52:40.000000000 +0400
+++ ./dictl 2012-06-17 15:07:45.000000000 +0400
@@ -75,9 +75,9 @@
cmd='dict'
while test $# -ne 0; do
- cmd="$cmd '$1'"
+ cmd="$cmd '`printf "%s" "$1"|sed "s/'/'"'"'"'"'"'"'/g"`'"
shift
done
-cmd=$(echo $cmd | charset2charset $DICTL_CHARSET $DICTL_SERVER_CHARSET)
+cmd=$(printf "%s" "$cmd" | charset2charset $DICTL_CHARSET
$DICTL_SERVER_CHARSET)
-eval $cmd -P - | charset2charset $DICTL_SERVER_CHARSET $DICTL_CHARSET
+eval "$cmd" | charset2charset $DICTL_SERVER_CHARSET $DICTL_CHARSET
-- System Information:
Debian Release: wheezy/sid
APT prefers testing
APT policy: (900, 'testing'), (400, 'stable')
Architecture: i386 (x86_64)
Foreign Architectures: amd64
Kernel: Linux 3.2.0-2-amd64 (SMP w/2 CPU cores)
Locale: LANG=ru_RU.UTF-8, LC_CTYPE=ru_RU.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages dict depends on:
ii libc6 2.13-33
ii libmaa3 1.3.1-1
ii netbase 5.0
ii recode 3.6-20
Versions of packages dict recommends:
ii gawk 1:4.0.1+dfsg-2
ii m4 1.4.16-3
Versions of packages dict suggests:
ii dictd [dict-server] 1.12.0+dfsg-5
-- no debconf information
--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
