Bug#731848: ack-grep: potential remote code execution via per-project .ackrc files
Axel Beckert
abe at debian.org
Tue Dec 10 12:46:14 UTC 2013
Package: ack-grep
Version: 2.10-1
Severity: grave
Tags: security upstream fixed-upstream pending
Forwarded: https://github.com/petdance/ack2/issues/399
Upstream fixed a security issue which could possibly lead to a remote
code execution.
Several options to ack take perl or shell code which will be
executed. Since ack 2.0, ack also parses per-project .ackrc files which
may e.g. come from a freshly checked out VCS repository or from a
downloaded and unpacked tarball.
See https://github.com/petdance/ack2/issues/399 and
https://metacpan.org/source/PETDANCE/ack-2.12/Changes for details.
No CVE-ID seems to be assigned so far.
Wheezy (ack-grep 1.96) and Squeeze (ack-grep 1.92) are not affected as
they don't support per-project .ackrc files.
I'm currently preparing an updated Debian package.
P.S.: See also https://github.com/petdance/ack2/issues/414 which
contains further restrictions to the mentioned command-line options and
will likely be part of the next upstream release.
-- System Information:
Debian Release: jessie/sid
APT prefers unstable
APT policy: (990, 'unstable'), (600, 'testing'), (400, 'stable'), (110, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 3.5-trunk-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages ack-grep depends on:
ii libfile-next-perl 1.12-1
ii perl 5.18.1-5
ack-grep recommends no packages.
ack-grep suggests no packages.
-- no debconf information
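The report describes the exposure (a per-project .ackrc shipped inside a checkout or tarball can set options that ack hands to perl or the shell) without naming the options. Below is an added audit script, not part of this bug report, of the Debian package, or of ack itself, that walks a tree and flags project .ackrc files carrying such options. It assumes ack's documented --output (a Perl expression evaluated per match) and --pager (a shell command) as the code-executing options, kept in a set so it can be extended, and assumes the ackrc layout of one option per line with '#' comments and values after '=' or whitespace. The sample .ackrc it scans is constructed for the demo.

```python
"""Audit a source tree for project-level .ackrc files that set options which
make ack execute code.  Added example for this bug report; it is not part of
the report, of Debian's package, or of ack itself.

Assumptions (not stated in the report): ack's documented --output (a Perl
expression evaluated for every match) and --pager (a shell command) are
treated as the code-executing options; ackrc lines hold one option each,
'#' starts a comment, and values follow either '=' or whitespace.
"""
import os
import re
import tempfile

# Options that hand ack code to run (assumed set; extend as needed).
CODE_EXEC_OPTIONS = frozenset({"--output", "--pager"})

# One ackrc line: an option name, then an optional value after '=' or spaces.
_OPT_RE = re.compile(r"^(--?[A-Za-z][\w-]*)(?:\s*=\s*|\s+)?(.*)$")

# Constructed sample of a project .ackrc as it might arrive in a checkout.
SAMPLE_ACKRC = """# constructed sample project .ackrc
--ignore-dir=build
--type-set=tmpl:ext:tt
--pager=less -RFX
--output=$&
-i
"""


def parse_ackrc(text):
    """Yield (lineno, option, value) for every option line in an ackrc."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = _OPT_RE.match(line)
        if match is None:
            continue  # not an option line; nothing for the audit to judge
        yield lineno, match.group(1), match.group(2).strip()


def find_code_exec_options(text):
    """Return the (lineno, option, value) triples that would run code."""
    return [(ln, opt, val) for ln, opt, val in parse_ackrc(text)
            if opt in CODE_EXEC_OPTIONS]


def audit_tree(root, skip=()):
    """Walk root and report every .ackrc (except paths listed in skip,
    e.g. the user's own ~/.ackrc) that carries a code-executing option."""
    skip = {os.path.abspath(p) for p in skip}
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        if ".ackrc" not in filenames:
            continue
        path = os.path.join(dirpath, ".ackrc")
        if os.path.abspath(path) in skip:
            continue
        with open(path, encoding="utf-8", errors="replace") as fh:
            for ln, opt, val in find_code_exec_options(fh.read()):
                findings.append((path, ln, opt, val))
    return findings


def demo_audit():
    """Build a throwaway checkout containing SAMPLE_ACKRC and audit it."""
    root = tempfile.mkdtemp(prefix="ackrc-audit-")
    proj = os.path.join(root, "project")
    os.makedirs(proj)
    with open(os.path.join(proj, ".ackrc"), "w", encoding="utf-8") as fh:
        fh.write(SAMPLE_ACKRC)
    return audit_tree(root)


if __name__ == "__main__":
    for path, ln, opt, val in demo_audit():
        print(f"{path}:{ln}: {opt} would run code: {val!r}")
```

Running the script over a freshly unpacked tree before invoking ack in it shows which .ackrc lines would reach perl or the shell; with the sample above it reports the --pager and --output lines and ignores the harmless --ignore-dir, --type-set and -i entries. Pass the user's own ~/.ackrc via skip so only files that arrived with the checkout are reported.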