oss-sec mailing list archives
Re: Fwd: [[Weechat-security] Security vulnerability in WeeChat 0.3.0 -> 0.3.9.1]
From: Kurt Seifried <kseifried () redhat com>
Date: Mon, 19 Nov 2012 09:58:26 -0700
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 11/19/2012 02:57 AM, Guido Berhoerster wrote:
> Hi,
>
> the weechat issue below should get a CVE, it describes a shell injection
> vulnerability that affects weechat plugins using the hook_process function.
> In addition, upstream has a bug report at
> https://savannah.nongnu.org/bugs/?37764
> and the actual fix which is included in 0.3.9.2 is at
> http://git.savannah.gnu.org/gitweb/?p=weechat.git;a=commitdiff_plain;h=efb795c74fe954b9544074aafcebb1be4452b03a
>
> ----- Forwarded message from FlashCode <flashcode () flashtux org> -----
>
> Date: Sun, 18 Nov 2012 14:18:12 +0100
> From: FlashCode <flashcode () flashtux org>
> To: weechat-security () nongnu org
> Message-ID: <20121118131811.GH29073 () flashtux org>
> Subject: [Weechat-security] Security vulnerability in WeeChat 0.3.0 -> 0.3.9.1
>
> Hi all,
>
> A security vulnerability has been fixed in WeeChat 0.3.9.2.
> This problem affects all versions from 0.3.0 to 0.3.9.1.
>
> Untrusted command for function hook_process could lead to execution of
> commands, because of shell expansions.
>
> This problem is only caused by some scripts calling function hook_process
> (giving untrusted command), but the problem has been fixed in WeeChat, for
> maximum safety: WeeChat will not use the shell any more to execute command.
>
> If you are not using any script calling function hook_process, you are
> not concerned by this problem.
>
> For more info, visit the WeeChat security page: http://weechat.org/security/

Please use CVE-2012-5534 for this issue.

> --
> Cordialement / Best regards
> Sébastien.
>
> web: flashtux.org / weechat.org
> mail: flashcode () flashtux org
> irc: FlashCode @ irc.freenode.net
> xmpp: flashcode () jabber fr
>
> ----- End forwarded message -----

- --
Kurt Seifried
Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQIcBAEBAgAGBQJQqmUyAAoJEBYNRVNeJnmT5vkP/0n0l7PEqOerIjZqWb9UQeA0
GBtgn2bhvaRXipOaxp7t1t/PhGdl8q+s0YM9Iw5FDQfNvhFPXcq8IVA3z32VQUsB
ZvZc7pgi1/+EBiz0BpCvSokCO8ptdY171Ujoxbe1hRyoHoS2PAL7/y5CQTRYa/51
U2XDd5aQomOwMY9keY131VNHyCWtDvtEVpN4NwMR6IV2RKPFAwsz7I5aQCdJU2Lk
PTSeZWjhchyn7HCKmYzuuYYF683/Buc1kxkFTAyIb6+TLV3wiiHbayJKpVUmjQrM
wof6yIjjuOi/E++a8ds2XRsUcaDI/Os3wLW3YE1kxlqYiEn9ec1CVRLDRgdBAfsV
/niVwy6A8EgCnmnEXlNt8fDs7zsbOUVLxHGBaaeO8lua/PPCJRldoJX0D1aD62AK
YcAQCz6pIWNXWETR9UC0wbH1nLfp7UCEalWspzm+2IrYyQh8rm+R84zNMcnp/ya6
053VynxFSD9pwDUAKZbSg5Wtw9oya1U6d+Ggvse7rL3HZPmD8unsRzjsVFMoerKr
nNfqavfXCaolnhRhy4f1dFNbJQMAkgjFm9kL1i2pMYNEua0vDjRPqVaqIA4Rcj1Q
gyzqb6KQaMnje2b+bh5RM6DgRWEt8pWBiPhhuapofZuRSm4n/OiA56uXMtbgXS5B
9h5JSRib4sGnQAK3l06I
=UuE2
-----END PGP SIGNATURE-----