## PDSA-2023-005: Command injection in fs.py

### CVE Number

CVE-2023-38673

### Impact

`os.system` in fs.py can lead to command injection. The PoC is as follows:

```python
from paddle.distributed.fleet.utils import LocalFS

client = LocalFS()
client.mkdirs("hi;pwd;")
```

### Patches

We have patched the issue in commit [2bfe358043096fdba9e2a4cf0f5740102b37fd8f](https://github.com/PaddlePaddle/Paddle/commit/2bfe358043096fdba9e2a4cf0f5740102b37fd8f).

The fix will be included in PaddlePaddle 2.5.0.

### For more information

Please consult [our security guide](../../SECURITY.md) for more information regarding the security model and how to contact us with issues and questions.

### Attribution

This vulnerability has been reported by Xiaochen Guo from Huazhong University of Science and Technology.
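
Why the PoC input in the Impact section is dangerous, as an added example that is not PaddlePaddle's code: it contrasts a path pasted into a shell command line with a shell-free directory creation. The `mkdir -p {}` template and all function names here are assumptions made for illustration; the command string is only parsed, never executed.

```python
import os
import shlex
import tempfile


def mkdirs_shell_command(fs_path):
    """Vulnerable pattern (assumed template): the path is pasted into a shell
    command line. Returns the string that would reach os.system; not run here."""
    return "mkdir -p {}".format(fs_path)


def shell_commands(cmdline):
    """Split a command line into separate commands the way a POSIX shell does on ';'."""
    lexer = shlex.shlex(cmdline, posix=True, punctuation_chars=True)
    commands, current = [], []
    for tok in lexer:
        if tok == ";":
            if current:
                commands.append(current)
            current = []
        else:
            current.append(tok)
    if current:
        commands.append(current)
    return commands


def mkdirs_safe(fs_path):
    """Hardened form: no shell is involved, so the argument is only ever a path."""
    os.makedirs(fs_path, exist_ok=True)


def demo():
    path = "hi;pwd;"  # the input from the advisory's PoC
    parsed = shell_commands(mkdirs_shell_command(path))
    with tempfile.TemporaryDirectory() as root:
        mkdirs_safe(os.path.join(root, path))
        created = os.listdir(root)
    return parsed, created


if __name__ == "__main__":
    parsed, created = demo()
    print("a shell would run:", parsed)
    print("os.makedirs created:", created)
```

With the shell-built string the single argument becomes two commands, while the shell-free call creates one directory whose name contains the semicolons.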