Package: dict Version: 1.12.0+dfsg-5 Severity: normal File: /usr/bin/dictl Tags: patch upstream
dictl (unlike dict) does not handle apostrophe correctly: % dictl "won't" /usr/bin/dictl: 1: eval: Syntax error: Unterminated quoted string This means arbitrary code execution if dictl is used in a script accepting untrusted data (but dictl is not suitable for such scripts anyway due to lack of "--" argument support): % dictl -- "asdfasdf';echo qqq;beep;':" No definitions found for "asdfasdf" qqq --- /usr/bin/dictl 2012-05-20 23:52:40.000000000 +0400 +++ ./dictl 2012-06-17 15:07:45.000000000 +0400 @@ -75,9 +75,9 @@ cmd='dict' while test $# -ne 0; do - cmd="$cmd '$1'" + cmd="$cmd '`printf "%s" "$1"|sed "s/'/'"'"'"'"'"'"'/g"`'" shift done -cmd=$(echo $cmd | charset2charset $DICTL_CHARSET $DICTL_SERVER_CHARSET) +cmd=$(printf "%s" "$cmd" | charset2charset $DICTL_CHARSET $DICTL_SERVER_CHARSET) -eval $cmd -P - | charset2charset $DICTL_SERVER_CHARSET $DICTL_CHARSET +eval "$cmd" | charset2charset $DICTL_SERVER_CHARSET $DICTL_CHARSET -- System Information: Debian Release: wheezy/sid APT prefers testing APT policy: (900, 'testing'), (400, 'stable') Architecture: i386 (x86_64) Foreign Architectures: amd64 Kernel: Linux 3.2.0-2-amd64 (SMP w/2 CPU cores) Locale: LANG=ru_RU.UTF-8, LC_CTYPE=ru_RU.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Versions of packages dict depends on: ii libc6 2.13-33 ii libmaa3 1.3.1-1 ii netbase 5.0 ii recode 3.6-20 Versions of packages dict recommends: ii gawk 1:4.0.1+dfsg-2 ii m4 1.4.16-3 Versions of packages dict suggests: ii dictd [dict-server] 1.12.0+dfsg-5 -- no debconf information -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org