oss-sec mailing list archives

CVE Request: ack-grep: potential remote code execution via per-project .ackrc files


From: Salvatore Bonaccorso <carnil () debian org>
Date: Tue, 10 Dec 2013 14:49:25 +0100

Hi

I would like to request a CVE for the following vulnerability in
ack-grep:

 https://github.com/petdance/ack2/issues/399

Upstream for ack-grep fixed a security issue which could possibly lead
to a remote code execution:

2.12    Tue Dec  3 07:05:02 CST 2013
====================================
[SECURITY FIXES]
This version of ack prevents the --pager, --regex and --output
options from being used from project-level ackrc files.  It is
possible to execute malicious code with these options, and we want
to prevent the security risk of acking through a potentially malicious
codebase, such as one downloaded from an Internet site or checked
out from a code repository.
 
The --pager, --regex and --output options may still be used from
the global /etc/ackrc, your own private ~/.ackrc, the ACK_OPTIONS
environment variable, and of course from the command line.

The relevant commit seems to be

https://github.com/petdance/ack2/commit/a9233abad71225c1cfb300c03841c723bceb0f07

(plus some adjusting of the testsuite).

Reference in the Debian Bugtracker:

 http://bugs.debian.org/731848

See also https://github.com/petdance/ack2/issues/414 which contains further
restrictions to the command line options.

Could a CVE be assigned to this issue?

Regards,
Salvatore
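
A defensive check for the issue described in this message, added here as an example and not taken from ack or from the original post: it walks a checkout and reports any project-level ackrc file that sets one of the three options the 2.12 changelog names. It assumes project files are named `.ackrc` or `_ackrc` and hold one option per line with `#` comment lines; the function names and the sample tree are constructed for illustration.

```python
import os
import re
import tempfile

# Options the 2.12 changelog says are refused in project-level ackrc files.
RISKY = ("--pager", "--regex", "--output")
# Assumption: project-level files are named .ackrc or _ackrc.
RC_NAMES = {".ackrc", "_ackrc"}
# Assumption: one option per line; a line starting with "#" is a comment.
OPTION_RE = re.compile(r"^\s*(--[A-Za-z-]+)(?:[=\s]|$)")


def scan_ackrc(path):
    """Return (line_number, option, line) for each risky option in one file."""
    hits = []
    with open(path, encoding="utf-8", errors="replace") as fh:
        for number, line in enumerate(fh, start=1):
            if line.lstrip().startswith("#"):
                continue
            match = OPTION_RE.match(line)
            if match and match.group(1) in RISKY:
                hits.append((number, match.group(1), line.strip()))
    return hits


def scan_tree(root):
    """Walk root and report risky options in every project-level ackrc."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(RC_NAMES.intersection(files)):
            path = os.path.join(dirpath, name)
            for number, option, line in scan_ackrc(path):
                findings.append((os.path.relpath(path, root), number, option, line))
    return findings


def build_sample(root):
    """Constructed sample checkout: one harmless rc file, one that sets a pager."""
    os.makedirs(os.path.join(root, "vendor", "lib"))
    with open(os.path.join(root, ".ackrc"), "w") as fh:
        fh.write("# constructed sample\n--ignore-dir=build\n--sort-files\n")
    with open(os.path.join(root, "vendor", "lib", ".ackrc"), "w") as fh:
        fh.write("--pager=PLACEHOLDER_COMMAND\n# --output=commented out\n")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for finding in scan_tree(tmp):
            print("%s:%d: %s (%s)" % finding)
```

The scan matches only the full option names quoted in the changelog, so a hit is a reason to review the file before running an ack older than 2.12 in that tree, and an empty result is not proof the tree is safe.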
