diff --git a/service/lib/agama/manager.rb b/service/lib/agama/manager.rb
index 51067c0e1..3874d4b71 100644
--- a/service/lib/agama/manager.rb
+++ b/service/lib/agama/manager.rb
@@ -19,6 +19,8 @@
 # To contact SUSE LLC about this file by physical or electronic mail, you may
 # find current contact information at www.suse.com.
 
+require "shellwords"
+
 require "yast"
 require "agama/config"
 require "agama/network"
@@ -236,7 +238,7 @@ def valid?
 #
 # @return [String] path to created archive
 def collect_logs(path: nil)
- opt = "-d #{path}" unless path.nil? || path.empty?
+ opt = "-d #{path.shellescape}" unless path.nil? || path.empty?
 `agama logs store #{opt}`.strip
 end
 
diff --git a/service/package/rubygem-agama-yast.changes b/service/package/rubygem-agama-yast.changes
index ad5609505..68d9fe4ac 100644
--- a/service/package/rubygem-agama-yast.changes
+++ b/service/package/rubygem-agama-yast.changes
@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Mon Oct 14 14:52:26 UTC 2024 - Ladislav Slezák
+
+- Fixed shell injection vulnerability in the internal API
+ (gh#agama-project/agama#1668)
+
 -------------------------------------------------------------------
 Tue Oct 8 12:25:08 UTC 2024 - Ancor Gonzalez Sosa
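Review bot: In the second manager.rb hunk, `collect_logs` still builds a command string and runs it through a shell with backticks, so the method's safety now depends on every interpolated value being escaped correctly, now and in later edits. Passing an argument vector avoids the shell entirely and makes the `shellwords` require unnecessary: `args = ["agama", "logs", "store"]`, `args += ["-d", path] unless path.nil? || path.empty?`, `IO.popen(args, &:read).strip`. The exit status is also never checked, so a failed `agama logs store` returns whatever was printed to stdout (possibly an empty string) as the "path to created archive"; checking `$?.success?` and raising or logging on failure would make that visible to callers. A one-line comment on the method noting that `path` may come from an API caller and must never reach a shell unescaped would help keep the fix from regressing.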