An issue was discovered in mgetty before 1.2.1. In fax/faxq-helper.c, the function do_activate() does not properly sanitize shell metacharacters to prevent command injection. It is possible to use the ||, &&, or > characters within a file created by the "faxq-helper activate <jobid>" command.
{ "binaries": [ { "binary_name": "mgetty", "binary_version": "1.1.36-2.1+deb8u1build0.16.04.1" }, { "binary_name": "mgetty-docs", "binary_version": "1.1.36-2.1+deb8u1build0.16.04.1" }, { "binary_name": "mgetty-fax", "binary_version": "1.1.36-2.1+deb8u1build0.16.04.1" }, { "binary_name": "mgetty-pvftools", "binary_version": "1.1.36-2.1+deb8u1build0.16.04.1" }, { "binary_name": "mgetty-viewfax", "binary_version": "1.1.36-2.1+deb8u1build0.16.04.1" }, { "binary_name": "mgetty-voice", "binary_version": "1.1.36-2.1+deb8u1build0.16.04.1" } ], "availability": "No subscription required" }