Bug 493872 (CVE-2013-7069) - <sys-apps/ack-2.12 : remote code execution (CVE-2013-7069)
Summary: <sys-apps/ack-2.12 : remote code execution (CVE-2013-7069)
Status: RESOLVED FIXED
Alias: CVE-2013-7069
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal trivial
Assignee: Gentoo Security
URL: http://www.openwall.com/lists/oss-sec...
Whiteboard: ~2 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2013-12-10 20:04 UTC by Agostino Sarubbo
Modified: 2013-12-21 01:50 UTC
CC List: 2 users

See Also:
Package list:
Runtime testing required: ---


Description Agostino Sarubbo gentoo-dev 2013-12-10 20:04:20 UTC
From ${URL} :

https://github.com/petdance/ack2/issues/399

Upstream for ack-grep fixed a security issue which could possibly lead
to a remote code execution:

2.12    Tue Dec  3 07:05:02 CST 2013
====================================
[SECURITY FIXES]
This version of ack prevents the --pager, --regex and --output
options from being used from project-level ackrc files.  It is
possible to execute malicious code with these options, and we want
to prevent the security risk of acking through a potentially malicious
codebase, such as one downloaded from an Internet site or checked
out from a code repository.
 
The --pager, --regex and --output options may still be used from
the global /etc/ackrc, your own private ~/.ackrc, the ACK_OPTIONS
environment variable, and of course from the command line.

The relevant commit seems to be

https://github.com/petdance/ack2/commit/a9233abad71225c1cfb300c03841c723bceb0f07

(plus some adjustments to the test suite).

Reference in the Debian Bugtracker:

 http://bugs.debian.org/731848

See also https://github.com/petdance/ack2/issues/414 which contains further
restrictions to the command line options.
@maintainer(s): since the package has never been marked as stable, we don't need to stabilize it. After the bump, please remove the affected versions from the tree.
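As an added defender-side check, not part of ack, the upstream fix or this bug report, the Python below parses project-level ackrc files and flags the three options that ack 2.12 stopped honouring from them. Option names are matched exactly (no Getopt-style abbreviations), and the sample ackrc content is constructed for the example.

```python
"""Audit project-level ackrc files for the options ack 2.12 restricted.

ack < 2.12 honoured --pager, --regex and --output from a .ackrc found in the
directory being searched, so a checked-out tree could make ack run arbitrary
code. This hypothetical check flags such files before anyone acks through the
tree; it is not part of ack or of the upstream fix.
"""
import os
import re
from typing import Iterator, List, Tuple

# Options ack 2.12 stopped accepting from project-level ackrc files.
RESTRICTED = ("--pager", "--regex", "--output")

# An ackrc holds one command-line option per line; '#' starts a comment.
OPTION_RE = re.compile(r"^(--[A-Za-z0-9-]+)(?:=(.*))?$")


def unsafe_options(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, option, value) for each restricted option."""
    hits = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = OPTION_RE.match(line)
        if m is None:
            continue
        opt, value = m.group(1), m.group(2) or ""
        # Exact names only; Getopt::Long prefix abbreviations are not handled.
        if opt in RESTRICTED:
            hits.append((lineno, opt, value))
    return hits


def scan_tree(root: str) -> Iterator[Tuple[str, int, str, str]]:
    """Walk ROOT and yield findings from every .ackrc / _ackrc it contains."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name in (".ackrc", "_ackrc"):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    for lineno, opt, value in unsafe_options(fh.read()):
                        yield (path, lineno, opt, value)


# Constructed sample: --type-add/--ignore-dir/--nopager are harmless here,
# --pager and --output are entries ack < 2.12 would have acted on.
SAMPLE_ACKRC = "\n".join([
    "# project settings", "--type-add=tmpl:ext:tt", "--ignore-dir=vendor",
    "--pager=less -R", "--nopager", "--output=$1", ""])

if __name__ == "__main__":
    for lineno, opt, value in unsafe_options(SAMPLE_ACKRC):
        print(f"line {lineno}: {opt}={value!r} must not come from a project ackrc")
```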
Comment 1 Tim Harder gentoo-dev 2013-12-10 20:17:35 UTC
> @maintainer(s): since the package has never been marked as stable, we don't
> need to stabilize it.

It has a stable version.

Arches, please stabilize:
=sys-apps/ack-2.12
Comment 2 Agostino Sarubbo gentoo-dev 2013-12-10 21:05:52 UTC
(In reply to Tim Harder from comment #1)
> > @maintainer(s): since the package has never been marked as stable, we don't
> > need to stabilize it.
> 
> It has a stable version.
Did you read the affected range version?
Comment 3 Tim Harder gentoo-dev 2013-12-10 21:09:58 UTC
(In reply to Agostino Sarubbo from comment #2)
> Did you read the affected range version?

Add that to the bug next time, per your security bug management guidelines.

Only <sys-apps/ack-2.12 is not fully accurate.
Comment 4 GLSAMaker/CVETool Bot gentoo-dev 2013-12-21 01:50:53 UTC
CVE-2013-7069 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-7069):
  ack 2.00 through 2.11_02 allows remote attackers to execute arbitrary code
  via a (1) --pager, (2) --regex, or (3) --output option in a .ackrc file in a
  directory to be searched.