oss-sec mailing list archives
CVE Request: ack-grep: potential remote code execution via per-project .ackrc files
From: Salvatore Bonaccorso <carnil () debian org>
Date: Tue, 10 Dec 2013 14:49:25 +0100
Hi

I would like to request a CVE for the following vulnerability in ack-grep:

https://github.com/petdance/ack2/issues/399

Upstream for ack-grep fixed a security issue which could possibly lead to a remote code execution:

2.12 Tue Dec 3 07:05:02 CST 2013
====================================
[SECURITY FIXES]

This version of ack prevents the --pager, --regex and --output options from being used from project-level ackrc files. It is possible to execute malicious code with these options, and we want to prevent the security risk of acking through a potentially malicious codebase, such as one downloaded from an Internet site or checked out from a code repository.

The --pager, --regex and --output options may still be used from the global /etc/ackrc, your own private ~/.ackrc, the ACK_OPTIONS environment variable, and of course from the command line.

The relevant commit seems to be https://github.com/petdance/ack2/commit/a9233abad71225c1cfb300c03841c723bceb0f07 (plus some adjusting the testsuite).

Reference in the Debian Bugtracker: http://bugs.debian.org/731848

See also https://github.com/petdance/ack2/issues/414 which contains further restrictions to the command line options.

Could a CVE be assigned to this issue?

Regards,
Salvatore
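An added example, not part of the original message or of ack itself: a pre-search audit that walks a checked-out tree and reports project-level rc files setting any of the three options named in the changelog above. The `_ackrc` file name, the function names and the sample file contents are assumptions made for illustration.

```python
import os
import re
import tempfile

# Options that ack 2.12 refuses to honour from project-level ackrc files
# (names taken from the changelog quoted in the message above).
RISKY = ("--pager", "--regex", "--output")
# Project rc file names: ".ackrc" is from the advisory, "_ackrc" is an assumption.
RC_NAMES = {".ackrc", "_ackrc"}
OPTION = re.compile(r"^\s*(--[A-Za-z][\w-]*)")

def risky_lines(text):
    """Return (line_no, option, line) for each risky option in rc-file text."""
    hits = []
    for no, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue  # comment line, not an option
        m = OPTION.match(line)
        if m and m.group(1) in RISKY:
            hits.append((no, m.group(1), line.strip()))
    return hits

def scan_tree(root):
    """Walk root and report risky options in every project-level rc file."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(RC_NAMES.intersection(files)):
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                for no, opt, line in risky_lines(fh.read()):
                    findings.append((os.path.relpath(path, root), no, opt, line))
    return findings

def demo():
    """Scan a constructed checkout containing one constructed .ackrc."""
    sample = ("# constructed sample\n--ignore-dir=build\n"
              "--pager=PLACEHOLDER_COMMAND\n--output=PLACEHOLDER_EXPR\n")
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "vendor", "lib"))
        with open(os.path.join(root, "vendor", "lib", ".ackrc"), "w") as fh:
            fh.write(sample)
        return scan_tree(root)

if __name__ == "__main__":
    for path, no, opt, line in demo():
        print(f"{path}:{no}: {opt} set in project ackrc: {line}")
```

Running `scan_tree()` on a freshly cloned or unpacked tree before searching it with a pre-2.12 ack shows whether any directory in it would inject these options.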