The script "beagle-status" calls "beagle-info" giving preference to the copy that is located within the user's current working directory, rather than the original copy. An attacker can force the user to execute code, with a malicious copy of "beagle-info" located in the user's current directory. see http://xforce.iss.net/xforce/xfdb/25303 http://secunia.com/advisories/19278 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=357392 Beagle has no stable ebuild.
looks like this only afects beagle 0.2.2.1 I'll look for a patch in case of beagle 0.2.3 is afected too.
well, AFAI can say : if [ -x "./beagle-info" ]; then CMD="./beagle-info" else CMD="beagle-info" fi is both in beagle-status and beagle-ping fix is trivial, but i'am not sure this is wanted by the upstream (and by you). Maybe a warn to the user ?
fixed on cvs i might look at this patch later because that fix sucks. :) Thanks guys.
