From ${URL} : https://github.com/petdance/ack2/issues/399

Upstream for ack-grep fixed a security issue which could possibly lead to a remote code execution:

2.12 Tue Dec 3 07:05:02 CST 2013
====================================
[SECURITY FIXES]
This version of ack prevents the --pager, --regex and --output options from being used from project-level ackrc files. It is possible to execute malicious code with these options, and we want to prevent the security risk of acking through a potentially malicious codebase, such as one downloaded from an Internet site or checked out from a code repository. The --pager, --regex and --output options may still be used from the global /etc/ackrc, your own private ~/.ackrc, the ACK_OPTIONS environment variable, and of course from the command line.

The relevant commit seems to be https://github.com/petdance/ack2/commit/a9233abad71225c1cfb300c03841c723bceb0f07 (plus some adjusting of the testsuite).

Reference in the Debian Bugtracker: http://bugs.debian.org/731848

See also https://github.com/petdance/ack2/issues/414 which contains further restrictions to the command line options.

@maintainer(s): since the package has never been marked as stable, we don't need to stabilize it. After the bump, please remove the affected versions from the tree.
> @maintainer(s): since the package has never been marked as stable, we don't
> need to stabilize it.

It has a stable version. Arches, please stabilize:
=sys-apps/ack-2.12
(In reply to Tim Harder from comment #1)
> > @maintainer(s): since the package has never been marked as stable, we don't
> > need to stabilize it.
>
> It has a stable version.

Did you read the affected range version?
(In reply to Agostino Sarubbo from comment #2)
> Did you read the affected range version?

Add that to the bug next time, per your security bug management guidelines. Only <sys-apps/ack-2.12 is not fully accurate.
CVE-2013-7069 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-7069): ack 2.00 through 2.11_02 allows remote attackers to execute arbitrary code via a (1) --pager, (2) --regex, or (3) --output option in a .ackrc file in a directory to be searched.
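As an added example that is not part of this bug thread or of the ack project, the following Python audits a checked-out tree for project-level .ackrc files that set the three options named in CVE-2013-7069 and in the 2.12 changelog above; it is the kind of check one would run before pointing an ack older than 2.12 at untrusted code. It assumes ack's ackrc layout of one command-line option per line with blank lines and lines starting with "#" ignored, and does not try to recognise abbreviated option names.

```python
import os
import re
from pathlib import Path

# Options that ack 2.12 stopped honouring from project-level ackrc files
# (CVE-2013-7069). Matches "--pager=less", "--pager less" or a bare "--pager",
# but not a longer option name that merely starts the same way.
RESTRICTED_RE = re.compile(r"^(?P<opt>--(?:pager|regex|output))(?:[=\s]|$)")

# Constructed sample of a project-level .ackrc, used by the demo and tests.
SAMPLE_ACKRC = """\
# project ackrc (constructed sample)
--ignore-dir=node_modules
--type-add=web:ext:html,css,js
--pager=less -R
--output=$&
"""


def find_restricted_options(text):
    """Return (line_number, line) for each restricted option in ackrc text."""
    hits = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):   # blank lines and comments
            continue
        if RESTRICTED_RE.match(line):
            hits.append((lineno, line))
    return hits


def audit_tree(root):
    """Walk `root` and map each .ackrc path to its restricted-option hits.

    An empty dict means no project-level ackrc in the tree sets one of them.
    """
    findings = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        if ".ackrc" in filenames:
            path = Path(dirpath) / ".ackrc"
            hits = find_restricted_options(path.read_text(errors="replace"))
            if hits:
                findings[str(path)] = hits
    return findings


if __name__ == "__main__":
    import sys
    for path, hits in audit_tree(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        for lineno, line in hits:
            print(f"{path}:{lineno}: restricted option in project ackrc: {line}")
```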