| Summary: | <media-gfx/feh-1.8: Remote passive compromise (CVE-2010-2246) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Stefan Behte (RETIRED) <craig> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | normal | CC: | graphics+disabled, lilwyrm |
| Priority: | High | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | https://derf.homelinux.org/interblag/entry/code-execution-hole-in-feh-wget-timestamp.xhtml | | |
| Whiteboard: | B2 [glsa] | | |
| Package list: | | Runtime testing required: | --- |
Description
Stefan Behte (RETIRED)
2010-06-25 16:54:40 UTC
Graphics, please update to 1.8 or create an updated ebuild that backports the patch (which just removes the vulnerable function).

Test & stabilize: =media-gfx/feh-1.8

amd64 stable

Build program and rdep without any problem on x86. Loaded some images, no problems encountered. Please mark stable for x86.

BEGIN failed--compilation aborted at test/feh.t line 4.
test/feh.t ..... Dubious, test returned 255 (wstat 65280, 0xff00)
No subtests run
test/mandoc.t .. Perl v5.10.0 required--this is only v5.8.8, stopped at test/mandoc.t line 4.
BEGIN failed--compilation aborted at test/mandoc.t line 4.
test/mandoc.t .. Dubious, test returned 255 (wstat 65280, 0xff00)
No subtests run

Please restrict tests.

(In reply to comment #5)
> BEGIN failed--compilation aborted at test/feh.t line 4.
> test/feh.t ..... Dubious, test returned 255 (wstat 65280, 0xff00)
> No subtests run
> test/mandoc.t .. Perl v5.10.0 required--this is only v5.8.8, stopped at
> test/mandoc.t line 4.
> BEGIN failed--compilation aborted at test/mandoc.t line 4.
> test/mandoc.t .. Dubious, test returned 255 (wstat 65280, 0xff00)
> No subtests run
>
> Please restrict tests.

27 Jun 2010; Samuli Suominen <ssuominen@gentoo.org> feh-1.8.ebuild:
Run testsuite only if perl is at least 5.10 wrt #325531 (Comment #5) by Christian Faulhammer.

stable x86, thanks Myckel

*** Bug 325855 has been marked as a duplicate of this bug. ***

alpha/sparc stable

ppc64 stable

Marked ppc stable.

glsa request filed.

CVE-2010-2246 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2246): feh before 1.8, when the --wget-timestamp option is enabled, might allow remote attackers to execute arbitrary commands via shell metacharacters in a URL.

This issue was resolved and addressed in GLSA 201110-08 at http://security.gentoo.org/glsa/glsa-201110-08.xml by GLSA coordinator Stefan Behte (craig).
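The CVE text above names the bug class: a URL taken from input is spliced into a shell command line that invokes wget, so shell metacharacters in the URL are parsed by the shell instead of being treated as part of the address. The C program below is an added illustration written for this page, not feh's code (feh's own fix simply removed the vulnerable function); the `wget -N <url>` command shape, the function names and the sample URLs are assumptions constructed for the example. It places the string-building pattern that `system()`/`popen()` would make exploitable beside the argv/`execvp()` form, where no shell ever sees the URL, and adds a metacharacter check a caller can use to reject suspicious input before it reaches any command.

```c
/* Added illustration (not feh's code): why interpolating an untrusted URL into
 * a shell command line is dangerous, and the shell-free way to invoke wget.
 * The "wget -N <url>" command shape is an assumption made for this example. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Characters a POSIX shell treats specially. Note that '?' and '&' are legal
 * in URL query strings, so this check is a coarse input filter; the real fix
 * is never handing the URL to a shell at all (see build_wget_argv below). */
static const char SHELL_METACHARS[] = ";|&$`<>()\\\"' \t\n*?[]{}~#";

/* Returns 1 if the URL contains any shell metacharacter, 0 otherwise. */
int url_has_shell_metachars(const char *url)
{
    for (const char *p = url; *p; p++)
        if (strchr(SHELL_METACHARS, (unsigned char)*p))
            return 1;
    return 0;
}

/* Vulnerable pattern: the URL is spliced into a single command string that a
 * shell would later parse if passed to system() or popen(). This helper only
 * builds the string so the shape can be inspected; it never executes it.
 * Returns 0 on success, -1 if the buffer is too small. */
int build_wget_shell_command(const char *url, char *out, size_t outlen)
{
    int n = snprintf(out, outlen, "wget -N %s", url);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Hardened pattern: build an argv for execvp(). Each element is exactly one
 * argument; no shell parses the URL, so metacharacters are just bytes in it. */
#define WGET_ARGC 4
void build_wget_argv(const char *url, const char *wargv[WGET_ARGC])
{
    wargv[0] = "wget";
    wargv[1] = "-N";   /* assumed timestamping flag for the example */
    wargv[2] = url;    /* passed verbatim as a single argument */
    wargv[3] = NULL;
}

/* fork/execvp wrapper around the argv form. Returns wget's exit status, or
 * -1 if the child could not be spawned. Not exercised by the test (network). */
int fetch_with_wget(const char *url)
{
    const char *wargv[WGET_ARGC];
    build_wget_argv(url, wargv);

    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execvp(wargv[0], (char *const *)wargv);
        _exit(127);          /* exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed sample URLs: one plain, one carrying a ';' in its path. */
    const char *clean = "http://example.invalid/image.png";
    const char *odd   = "http://example.invalid/pic;name.png";
    char cmd[256];

    build_wget_shell_command(odd, cmd, sizeof cmd);
    printf("string a shell would parse: %s\n", cmd);
    printf("metachar check: clean=%d odd=%d\n",
           url_has_shell_metachars(clean), url_has_shell_metachars(odd));
    return 0;
}
```

The string form shows why the bug class is remote: whatever supplies the URL decides what the shell sees after `wget -N`. The argv form needs no quoting or escaping because there is nothing to escape from, which is why removing the shell from the path (or, as feh did, removing the feature) is the durable fix and the metacharacter check is only a secondary guard.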