From ${URL} : A security flaw was found in the way tpp, an ncurses-based presentation tool, processed TPP templates containing an --exec clause (input provided as an argument of the --exec clause would be immediately executed without requesting a second confirmation from the user). A remote attacker could provide a specially-crafted text presentation program (TPP) template that, when processed with the tpp binary, would lead to arbitrary code execution with the privileges of the user running the tpp executable. References: [1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=706644 Relevant patch from the Debian distribution (adds a requirement that the user explicitly confirm that code execution is desired): [2] http://patch-tracker.debian.org/patch/series/view/tpp/1.3.1-3/15-optional-exec.patch @maintainer(s): after the bump, in case we need to stabilize the package, please say explicitly whether it is ready for stabilization or not.
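The report above describes the defect (a template's --exec clause runs unconditionally) and the shape of the Debian fix (require explicit confirmation). The following is an added illustrative example, not tpp's code and not the Debian patch: it scans a constructed TPP template for --exec directives so an administrator can audit a file before opening it, and it models the confirmation gate as a callback that defaults to refusing, so an unattended run never executes template-supplied commands. It is written in Ruby, the language tpp itself is implemented in. The directive syntax assumed is tpp's "--exec <command>" line form; the function names and the sample template are constructed for this example.

```ruby
# Added example (not tpp's own code). Assumes tpp's line-oriented template
# syntax where a directive is a line starting with "--", e.g. "--exec <cmd>".

# Constructed sample template with two --exec directives (lines 6 and 8).
SAMPLE_TEMPLATE = <<~TPP
  --title Quarterly update
  --author someone
  --newpage
  --heading Numbers
  Revenue is up.
  --exec uptime
  --newpage
  --exec df -h
TPP

EXEC_DIRECTIVE = /\A--exec\s+(.+)\z/

# Audit helper: return [[line_number, command], ...] for every --exec
# directive in the template text, without executing anything.
def find_exec_directives(template)
  template.each_line.with_index(1).filter_map do |line, n|
    m = line.chomp.match(EXEC_DIRECTIVE)
    m ? [n, m[1].strip] : nil
  end
end

# Model of the confirmation gate. Ordinary lines are rendered; an --exec
# directive is only marked :exec when the confirm callback returns true for
# that exact command. The default callback refuses, so a template processed
# without a human decision cannot trigger command execution. This returns the
# decisions taken; a real tool would call system(cmd) only on an :exec entry.
def process_template(template, confirm: ->(_cmd) { false })
  template.each_line.with_index(1).map do |line, n|
    text = line.chomp
    if (m = text.match(EXEC_DIRECTIVE))
      cmd = m[1].strip
      confirm.call(cmd) ? [:exec, n, cmd] : [:refused, n, cmd]
    else
      [:render, n, text]
    end
  end
end

if __FILE__ == $PROGRAM_NAME
  # Audit report: what would this template try to run?
  find_exec_directives(SAMPLE_TEMPLATE).each do |n, cmd|
    puts "line #{n}: --exec #{cmd}"
  end
  # Unattended processing: every --exec is refused.
  refused = process_template(SAMPLE_TEMPLATE).count { |d| d[0] == :refused }
  puts "refused #{refused} exec directive(s) without confirmation"
end
```

The audit function is the check a defender wants before opening a template from an untrusted source; the gate shows why "confirm each command, default deny" closes the hole even when the template is hostile.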
app-office/tpp-1.3.1-r2 has the fix. app-office/tpp-1.3.1-r1 is still in the tree (as it is stable). Arches, please mark app-office/tpp-1.3.1-r2 as stable for PPC/X86 so we may remove app-office/tpp-1.3.1-r1 from the tree.
ppc stable
x86 stable, thanks.
Badness removed from tree, waiting for glsamaker access to create glsa and close.
still no glsamaker access to finish this out :(
GLSA request filed.
This issue was resolved and addressed in GLSA 201309-19 at http://security.gentoo.org/glsa/glsa-201309-19.xml by GLSA coordinator Chris Reffett (creffett).
CVE-2013-2208 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2208): tpp 1.3.1 allows remote attackers to execute arbitrary commands via a --exec command in a TPP template file.