LBU does not escape spaces in filenames
If a file exists in /etc/ with a space in it, lbu will not escape the character properly - it will try to treat the file as 2 files. The line causing the issue is line 258 (where the variable currentlist gets generated based on the apk audit command). When it is used in subsequent tar commands (like on line 271), the command fails because one of the files doesn’t exist.
Tried to work around the issue by replacing line 258 with:
currentlist=$(apk audit —backup -q | sed -e “s/\(.*\)/\‘\1\’/”)
Tar however doesn’t seem to like getting filenames that are enclosed by quotation marks.
Another aspect to this bug is that there could potentially be semi-colons in filenames. If a file was altered maliciously and the string “;rm -rf /” was added to a filename in /etc, this could be executed via the tar command. LBU should escape that type of character properly.
(from redmine: issue id 472, created on 2010-11-11, closed on 2010-12-09)
- Revision 269b0608c97936af72cf817f79a74dc2c42811bb by Natanael Copa on 2010-11-22T16:22:38Z:
lbu: add support for filenames with spaces in /etc ref #472
- Revision 7016b230 on 2010-12-03T08:59:05Z:
main/alpine-conf: upgrade to 2.5.4 ref #472 ref #480
- Revision 202d4fde on 2010-12-03T14:44:05Z:
main/alpine-conf: upgrade to 2.5.4 fixes #472 fixes #480 (cherry picked from commit 7016b23025fc387306f35a04391fe2bcd8eebcc2)