Hi there,

Has a Debian CVE been filed for this bug? Might be present in other distros
too, so could be useful to publish one.


Thanks,
Haoxi

On Tue, 8 Mar 2022 at 06:08, Marc Haber <[email protected]>
wrote:

> Control: outlook -1 write test case, fix issue
> thanks
>
> On Tue, Sep 17, 2019 at 01:22:46PM +0000, Haoxi Tan wrote:
> > A command injection vulnerability has been found in the deluser
> > program in the adduser package.
>
> Embarrassing. My own bug. system() should never be used with a string,
> just with an array, to avoid a shell being used to execute the code. The
> culprit is
>
> if (system("crontab -l $user >/dev/null 2>&1") == 0) {
>
> which should be rewritten to use systemcall(). Probably it would be wise
> to adapt systemcall() to allow redirections.
>
> Greetings
> Marc
>
>

Reply via email to