From 80a3b2d2bee33edc1b4dd781d62bb22b5db97570 Mon Sep 17 00:00:00 2001
From: Claude <noreply@anthropic.com>
Date: Wed, 1 Apr 2026 11:56:00 +0000
Subject: [PATCH] Fix RCE vulnerabilities: path traversal in virusforget and
 unquoted command substitution in build-fm-shim-backend

- Validate --user parameter against a strict alphanumeric pattern to prevent
  path traversal attacks that could allow arbitrary file operations as root
- Quote pkg-config command substitutions to prevent word-splitting injection

https://claude.ai/code/session_01AuD3r15oCtTSHus57Xjmzy
---
 .../build-fm-shim-backend#security-misc-shared            | 8 ++++----
 .../security-misc/virusforget#security-misc-shared        | 5 +++++
 2 files changed, 9 insertions(+), 4 deletions(-)

diff --git a/usr/libexec/security-misc/build-fm-shim-backend#security-misc-shared b/usr/libexec/security-misc/build-fm-shim-backend#security-misc-shared
index 04a24756..84795eb9 100755
--- a/usr/libexec/security-misc/build-fm-shim-backend#security-misc-shared
+++ b/usr/libexec/security-misc/build-fm-shim-backend#security-misc-shared
@@ -46,12 +46,12 @@ gcc_hardening_options+=(
 
 gcc \
   -g \
-  $(pkg-config --cflags dbus-1) \
-  $(pkg-config --cflags libsystemd) \
+  "$(pkg-config --cflags dbus-1)" \
+  "$(pkg-config --cflags libsystemd)" \
   /usr/src/security-misc/fm-shim-backend.c \
   -o /usr/bin/fm-shim-backend \
-  $(pkg-config --libs dbus-1) \
-  $(pkg-config --libs libsystemd) \
+  "$(pkg-config --libs dbus-1)" \
+  "$(pkg-config --libs libsystemd)" \
   "${gcc_hardening_options[@]}" \
   || {
     printf "%s\n" 'Could not compile fm-shim-backend executable!'
diff --git a/usr/libexec/security-misc/virusforget#security-misc-shared b/usr/libexec/security-misc/virusforget#security-misc-shared
index 9b02de84..6436eaf3 100755
--- a/usr/libexec/security-misc/virusforget#security-misc-shared
+++ b/usr/libexec/security-misc/virusforget#security-misc-shared
@@ -85,6 +85,11 @@ parse_cmd_options() {
       echo "ERROR: must set --user username" >&2
       exit 1
    fi
+
+   if [[ ! "$user_name" =~ ^[a-zA-Z0-9._-]+$ ]]; then
+      echo "ERROR: Invalid username format. Only alphanumeric characters, dots, underscores, and hyphens are allowed." >&2
+      exit 1
+   fi
 }
 
 variables() {