"For feh versions <= 1.7 down to at least 1.3.4, feh -G/--wget-timestamp contains a remote code execution hole when called with malicious URLs containing shell characters. The problem is that --wget-timestamp does a system() call to /bin/cp, handing it the unescaped URL. If the URL were to contain a sequence like ';something', "something" would be interpreted and executed as new shell command. Constraints: The user must use --wget-timestamp, the URL's command part may (apparently) not contain "obfuscation" like %20 for space etc., and the remote file must exist on the server. Example: Try "feh --wget-timestamp 'https://derf.homelinux.org/stuff/foo;touch lol_hax'". Result. All in all this is rather improbable, but I'd advise you anyways to update to feh 1.8 ;-)" https://derf.homelinux.org/git/feh/patch/?id=ae56ce24b10767800b1715e7e68b41c7d3571b4c
Graphics, please update to 1.8 or create an updated ebuild that backports the patch (which just removes the vulnerable function).
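The pattern the advisory describes (a name pasted into a system() command line) next to a shell-free copy, as an added example that is not part of this bug report or of feh's source. The function names, the space-joined command format and the constructed file name are assumptions; the upstream patch itself simply removed the vulnerable function.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* VULNERABLE pattern (hypothetical helper): src is pasted into a string that
 * /bin/sh parses, so ';', '|', '`' or '$(...)' in it starts a new command. */
int copy_with_shell(const char *src, const char *dst)
{
    char cmd[4096];
    int n = snprintf(cmd, sizeof cmd, "/bin/cp %s %s", src, dst);
    if (n < 0 || (size_t)n >= sizeof cmd)
        return -1;
    return system(cmd);
}

/* HARDENED pattern (hypothetical helper): no shell is involved. Each string is
 * exactly one argv entry; "--" keeps a leading '-' from being read as an option. */
int copy_without_shell(const char *src, const char *dst)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        char *const argv[] = { "cp", "--", (char *)src, (char *)dst, NULL };
        execv("/bin/cp", argv);
        _exit(127);                       /* exec itself failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed input: a file name shaped like the advisory's example URL. */
    const char *src = "foo;touch lol_hax";
    FILE *f = fopen(src, "w");
    if (!f) return 1;
    fputs("image bytes\n", f);
    fclose(f);
    int rc = copy_without_shell(src, "copy.out");
    printf("cp exit=%d, lol_hax %s\n", rc,
           access("lol_hax", F_OK) == 0 ? "CREATED" : "not created");
    return rc;
}
```

With the argv form the semicolon is just a byte in the file name, so the copy succeeds and no second command runs.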
Test & stabilize: =media-gfx/feh-1.8
amd64 stable
Built program and rdep without any problem on x86. Loaded some images, no problems encountered. Please mark stable for x86.
BEGIN failed--compilation aborted at test/feh.t line 4.
test/feh.t ..... Dubious, test returned 255 (wstat 65280, 0xff00)
No subtests run
test/mandoc.t .. Perl v5.10.0 required--this is only v5.8.8, stopped at test/mandoc.t line 4.
BEGIN failed--compilation aborted at test/mandoc.t line 4.
test/mandoc.t .. Dubious, test returned 255 (wstat 65280, 0xff00)
No subtests run

Please restrict tests.
(In reply to comment #5)
> BEGIN failed--compilation aborted at test/feh.t line 4.
> test/feh.t ..... Dubious, test returned 255 (wstat 65280, 0xff00)
> No subtests run
> test/mandoc.t .. Perl v5.10.0 required--this is only v5.8.8, stopped at
> test/mandoc.t line 4.
> BEGIN failed--compilation aborted at test/mandoc.t line 4.
> test/mandoc.t .. Dubious, test returned 255 (wstat 65280, 0xff00)
> No subtests run
>
> Please restrict tests.
>

27 Jun 2010; Samuli Suominen <ssuominen@gentoo.org> feh-1.8.ebuild: Run testsuite only if perl is at least 5.10 wrt #325531 (Comment #5) by Christian Faulhammer.
stable x86, thanks Myckel
*** Bug 325855 has been marked as a duplicate of this bug. ***
alpha/sparc stable
ppc64 stable
Marked ppc stable.
glsa request filed.
CVE-2010-2246 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2246): feh before 1.8, when the --wget-timestamp option is enabled, might allow remote attackers to execute arbitrary commands via shell metacharacters in a URL.
This issue was resolved and addressed in GLSA 201110-08 at http://security.gentoo.org/glsa/glsa-201110-08.xml by GLSA coordinator Stefan Behte (craig).