Hi there, Has a Debian CVE been filed for this bug? Might be present in other distros too, so could be useful to publish one.
Thanks, Haoxi On Tue, 8 Mar 2022 at 06:08, Marc Haber <[email protected]> wrote: > Control: outlook -1 write test case, fix issue > thanks > > On Tue, Sep 17, 2019 at 01:22:46PM +0000, Haoxi Tan wrote: > > A command injection vulnerability has been found in the deluser > > program in the adduser package. > > Embarrassing. My own bug. system() should never be used with a string, > just with an array, to avoid a shell being used to execute the code. The > culprit is > > if (system("crontab -l $user >/dev/null 2>&1") == 0) { > > which should be rewritten to use systemcall(). Probably it would be wise > to adapt systemcall() to allow redirections. > > Greetings > Marc > >

