Kicksecure · assisted-by-ai · Apr 1, 2026 · ArrayBolt3 · Apr 5, 2026 · ArrayBolt3
diff --git a/usr/libexec/security-misc/build-fm-shim-backend#security-misc-shared b/usr/libexec/security-misc/build-fm-shim-backend#security-misc-shared
@@ -46,12 +46,12 @@ gcc_hardening_options+=(
 
 gcc \
   -g \
-  $(pkg-config --cflags dbus-1) \
-  $(pkg-config --cflags libsystemd) \
+  "$(pkg-config --cflags dbus-1)" \
+  "$(pkg-config --cflags libsystemd)" \
   /usr/src/security-misc/fm-shim-backend.c \
   -o /usr/bin/fm-shim-backend \
-  $(pkg-config --libs dbus-1) \
-  $(pkg-config --libs libsystemd) \
+  "$(pkg-config --libs dbus-1)" \
+  "$(pkg-config --libs libsystemd)" \
   "${gcc_hardening_options[@]}" \
   || {
     printf "%s\n" 'Could not compile fm-shim-backend executable!'

diff --git a/usr/libexec/security-misc/virusforget#security-misc-shared b/usr/libexec/security-misc/virusforget#security-misc-shared
@@ -85,6 +85,11 @@ parse_cmd_options() {
       echo "ERROR: must set --user username" >&2
       exit 1
    fi
+
+   if [[ ! "$user_name" =~ ^[a-zA-Z0-9._-]+$ ]]; then
+      echo "ERROR: Invalid username format. Only alphanumeric characters, dots, underscores, and hyphens are allowed." >&2
+      exit 1
+   fi
 }
 
 variables() {