Closed by PDegenPortnoy 6 years ago
The last tagged release of ohcount is from 2009. The latest master code does not have this issue. We have pushed a new release tag, https://github.com/blackducksoftware/ohcount/releases/tag/v3.1.0.
Why not close this issue then? Also, for people looking for the commit fixing the issue, it seems to be this one: https://github.com/blackducksoftware/ohcount/commit/6bed45d6fb7c080ae5c163c12b4eb8749a3492ac
As reported on bugs.debian.org, there is a critical defect in Ohcount.
The issue, in brief, is that an attack can be executed by using a specially crafted file name that will cause Ohcount to execute arbitrary statements in a shell as the user that is running Ohcount.
The Black Duck Open Hub team is aware of the report and defect and is working on a fix.
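The pattern the report describes, as an added C illustration that is not ohcount's code: a hypothetical helper that pastes a file name into a `/bin/sh -c` command line, beside the variant that execs the helper directly with an argv so no shell ever parses the name. It assumes a POSIX system with `/bin/sh` and `/bin/echo`; the crafted file name is constructed for the demo.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Run argv[] directly (no shell), capturing the child's stdout into out.
 * Returns the child's exit status, or -1 on failure. */
static int run_capture(char *const argv[], char *out, size_t outsz) {
    int fd[2];
    if (pipe(fd) < 0) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {                       /* child: stdout -> pipe, then exec */
        dup2(fd[1], STDOUT_FILENO);
        close(fd[0]); close(fd[1]);
        execvp(argv[0], argv);
        _exit(127);
    }
    close(fd[1]);
    size_t n = 0; ssize_t r;
    while (n + 1 < outsz && (r = read(fd[0], out + n, outsz - n - 1)) > 0) n += (size_t)r;
    out[n] = '\0';
    close(fd[0]);
    int st; waitpid(pid, &st, 0);
    return WIFEXITED(st) ? WEXITSTATUS(st) : -1;
}

/* UNSAFE (hypothetical): the file name becomes part of a shell command line.
 * Wrapping it in single quotes does not help: a quote in the name ends them. */
int helper_unsafe(const char *name, char *out, size_t outsz) {
    char cmd[512];
    snprintf(cmd, sizeof cmd, "/bin/echo '%s'", name);
    char *const argv[] = { "/bin/sh", "-c", cmd, NULL };
    return run_capture(argv, out, outsz);
}

/* SAFE: the name is a single argv element; no shell is involved at all.
 * (With /bin/echo, a name beginning with '-' could still be read as an option;
 * a real helper would take "--" or a fixed option set.) */
int helper_safe(const char *name, char *out, size_t outsz) {
    char *const argv[] = { "/bin/echo", (char *)name, NULL };
    return run_capture(argv, out, outsz);
}

/* Constructed file name: closes the quote and appends a command of its own. */
static const char *CRAFTED_NAME = "x'; echo INJECTED; #.c";

/* 1 if the unsafe path ran the appended command (its output appears as a line). */
int demo_unsafe_injected(void) {
    char buf[256];
    return helper_unsafe(CRAFTED_NAME, buf, sizeof buf) == 0 && strstr(buf, "INJECTED\n") != NULL;
}

/* 1 if the safe path echoed the name verbatim and ran nothing else. */
int demo_safe_literal(void) {
    char buf[256];
    return helper_safe(CRAFTED_NAME, buf, sizeof buf) == 0 && strcmp(buf, "x'; echo INJECTED; #.c\n") == 0;
}
```

The fix to look for in a patch is therefore removal of the shell from the call path (exec with an argv, or a library call), not added quoting or escaping of the name.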