Problem Description:
When bsdinstall or bsdconfig are prompted to scan for nearby
Wi-Fi networks, they build up a list of network names and use
bsddialog(1) to prompt the user to select a network. This is
implemented using a shell script, and the code which handled network
names was not careful to prevent expansion by the shell. As a
result, a suitably crafted network name can be used to execute
commands via a subshell.
Impact:
The problem can be exploited to execute code as root on the
system running bsdinstall or bsdconfig. The attacker would need
to create an access point with a specially crafted name and be
within range of a Wi-Fi scan. Note that bsdinstall and bsdconfig
are vulnerable as soon as the user prompts them to scan for nearby
networks; they do not need to actually select the malicious
network.
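
The class of bug described under Problem Description, as an added example; it is not the bsdinstall or bsdconfig source, which this page does not reproduce. It assumes the expansion arises from re-parsing a string with `eval`; `print_items` is a hypothetical stand-in for the bsddialog(1) call, and the scan results are constructed with a harmless `echo` as the payload.

```shell
#!/bin/sh
# Constructed scan results, one SSID per line. The second name carries a
# command substitution with a harmless payload (echo).
SCAN_RESULTS='HomeNet
cafe-$(echo EXPANDED)
Guest WiFi'

# Hypothetical stand-in for the bsddialog(1) menu call: takes tag/description
# pairs and prints each tag exactly as it was received.
print_items() {
    while [ $# -gt 0 ]; do
        printf '%s\n' "$1"
        shift 2
    done
}

# Unsafe (assumed pattern): SSIDs are pasted into a string that eval parses
# again, so $(...) inside a name is executed by the shell.
menu_unsafe() {
    args=''
    while IFS= read -r ssid; do
        args="$args \"$ssid\" \"\""
    done <<EOF
$SCAN_RESULTS
EOF
    eval "print_items $args"
}

# Hardened: names travel only as quoted positional parameters and are never
# re-parsed, so they reach the menu byte for byte.
menu_safe() {
    set --
    while IFS= read -r ssid; do
        set -- "$@" "$ssid" ""
    done <<EOF
$SCAN_RESULTS
EOF
    print_items "$@"
}

echo "unsafe:"; menu_unsafe
echo "safe:";   menu_safe
```

The unsafe variant runs the substitution while the menu is being built, before any entry is chosen, which matches the note under Impact that selecting the network is not required.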