|
|
@@ -36,8 +36,10 @@ GCC, Glibc, and Make</seg></seglistitem>
|
|
|
|
|
|
<screen><userinput>patch -Np1 -i ../&bzip2-docs-patch;</userinput></screen>
|
|
|
|
|
|
-<para><command>Bzgrep</command> fails to sufficiently sanitise filenames passed
|
|
|
-to it. Apply the following to address this:</para>
|
|
|
+<para><command>Bzgrep</command> does not escape '|' and '&' in filenames passed
|
|
|
+to it. This allows arbitrary commands to be executed with the privileges of the
|
|
|
+user running <command>bzgrep</command>. Apply the following to address this:
|
|
|
+</para>
|
|
|
|
|
|
<screen><userinput>patch -Np1 -i ../&bzip2-bzgrep-patch;</userinput></screen>
|
|
|
|
Ken Moffat