Summary: | app-text/sword <1.5.8-r2 shell command injection (CVE-2008-0932)
---|---
Product: | Gentoo Security
Reporter: | Pierre-Yves Rofes (RETIRED) <py>
Component: | Vulnerabilities
Assignee: | Gentoo Security <security>
Status: | RESOLVED FIXED
Severity: | major
CC: | theology+disabled
Priority: | High
Version: | unspecified
Hardware: | All
OS: | Linux
URL: | http://secunia.com/advisories/29012/
Whiteboard: | B1 [glsa]
Package list: |
Runtime testing required: | ---
Attachments: | attachment 144014 (shell_escape for the range parameter)
Description

Pierre-Yves Rofes (RETIRED) 2008-02-19 20:46:45 UTC

Created attachment 144014 [details, diff]
shell_escape for the range parameter

here's the patch, courtesy of Debian.
theology herd, please bump.

bah, forgot to set status, sorry for the bugspam.

Fixed versions in CVS: 1.5.8-r2, 1.5.9-r2, 1.5.10-r2
Thx Steve for the quick fix.

Arches please test and mark stable. Target keywords are:
sword-1.5.8-r2.ebuild:KEYWORDS="amd64 ppc x86"

You shall not make wrongful use of the functions of your program....sorry, could not resist.

x86 stable

amd64 done

ppc stable

Fixed in release snapshot.

CVE-2008-0932 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-0932): diatheke.pl in The SWORD Project Diatheke 1.5.9 and earlier allows remote attackers to execute arbitrary commands via shell metacharacters in an unspecified parameter.

GLSA 200803-06