The (1) maketemp and (2) mkstemp builtin functions in GNU m4 before 1.4.11 do not quote their output when a file is created, which might allow context-dependent attackers to trigger a macro expansion, leading to unspecified use of an incorrect filename.
Package | Type | OS Name | OS Version | Affected Ranges | Fix Versions |
---|---|---|---|---|---|
debian/m4 | deb | debian | 12 | >=1.4.19-3 | Not yet available |
debian/m4 | deb | debian | 11 | >=1.4.18-5 | Not yet available |
debian/m4 | deb | debian | unstable | >=1.4.19-4 | Not yet available |
debian/m4 | deb | debian | 10 | >=1.4.18-2 | Not yet available |
debian/m4 | deb | debian | 13 | >=1.4.19-4 | Not yet available |
Severity and metrics
No CVSS data available from this source.