salamander2
commented
3 years ago The two major security issues are
- (i) using && to break out of the jail ( pwd && bash ) and
- (ii) using ctrl-v ctrl-j to break out of the jail ( pwd
v j bash)
It is critical to get these fixed. These render lshell completely useless to anyone who can google "lshell security flaw"
The security alerts say that the command line parser is too complex to fix. Sad.
:boom: https://github.com/omega8cc/lshell <<< Omega8CC HAS FIXED THE SECURITY ISSUES
FYI: here is a list of the forks as of April 2021 that have commits ahead of this official repo. Maybe one of them can take over this project.
omega8cc/lshell 15 commits ahead! smateusjr/lshell SpamExperts/lshell lberra/lshell fy2462/lshell georgpad-zz/lshell deltablue-cloud/lshell doodlecoge/lshell
And here are the 95 current forks (incase someone else forks it tomorrow and fixes everything!)
0mp / lshell 26618929 / lshell affix / lshell akpotter / lshell amift / lshell AnonymousCoward01 / lshell Autisticguy / lshell axelsimon / lshell bbotte / lshell blocky2019 / lshell bnahin / lshell brigriffin / lshell caiqing0204 / lshell chasemp / lshell chaunceyhan / lshell cristicVictory / lshell debackel / lshell deltablue-cloud / lshell devahil / lshell devlato / lshell djoffrey / lshell doodlecoge / lshell Doomfires / lshell dpalominop / lshell dripfeeder / lshell EdwardBetts / lshell fbarbeira / lshell fredericlepied / lshell fy2462 / lshell georgpad-zz / lshell gilshwartz / lshell h-imaoka / lshell hejin / lshell Hodor228 / lshell HtHuanChen / lshell huaichaow / lshell ii0 / lshell jfucanada / lshell jianyongchen / lshell JohnDup / lshell kamade / lshell kofekyzy / lshell LaiJingli / lshell lberra / lshell lbvffvbl / lshell lichi6174 / lshell lionffen / lshell liujunhub / lshell ljhmily / lshell lotapp / lshell Louiehao / lshell lx6XC / lshell makefu / lshell marciopocebon / lshell maulinglawns / lshell msarun003 / lshell neutronstein / lshell olax / lshell omega8cc / lshell p0rietea / lshell pgeof / lshell qiueer / lshell rahulotwani / lshell rahuls-bidgely / lshell RaminNietzsche / lshell rebellion-mobile / lshell regardfs / lshell sadlar / lshell salamander2 / lshell saulwold / lshell Seraf / lshell shammishailaj / lshell simudream / lshell smateusjr / lshell SpamExperts / lshell Spencerx / lshell sqreb / lshell sunytonyli / lshell szaydel / lshell tazjel / lshell tecoholic / lshell trbs / lshell unb-read / lshell Veon / lshell visokos / lshell wgngoo / lshell wjtxt / lshell xbestwiz / lshell yuanguoping / lshell zaxebo1 / lshell zeus911 / lshell zjarci / lshell zouyapeng / lshell zyp0209 / lshell
gdsotirov
omega8cc
ajmeese7
Jayman2000
I'm opening this as an issue, because I see no option to start a discussion.
Apparently, the project is not being actively maintained anymore (see #188 and #209). There are two open security issues (see CVE-2016-6902 and CVE-2016-6903). Distributions like Fedora has stopped providing packages for this more than two years ago.
I'd like to ask for update on project's status (considering last commit was almost 2 years ago). And more importantly ask for alternatives. Please, share your thoughts and suggestions.