Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 534540 (CVE-2014-2886)

Summary: x11-libs/gksu: Improper sanitization of user-supplied input (CVE-2014-2886)
Product: Gentoo Security Reporter: GLSAMaker/CVETool Bot <glsamaker>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal CC: gnome, mgorny, treecleaner
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
See Also: https://bugs.gentoo.org/show_bug.cgi?id=425156
Whiteboard: B2 [glsa+ cve]
Package list:
Runtime testing required: ---
Bug Depends on: 425156    
Bug Blocks:    

Description GLSAMaker/CVETool Bot gentoo-dev 2015-01-03 22:37:33 UTC 
CVE-2014-2886 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2886):
  GKSu 2.0.2, when sudo-mode is not enabled, uses " (double quote) characters
  in a gksu-run-helper argument, which allows attackers to execute arbitrary
  commands in certain situations involving an untrusted substring within this
  argument, as demonstrated by an untrusted filename encountered during
  installation of a VirtualBox extension pack.
Comment 1 Michael Boyle 2017-06-16 03:13:21 UTC 
@maintainers is this stable? Can we send to glsa?

Mike
Gentoo Security Padawan
Comment 2 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2018-12-11 13:59:43 UTC 
Package is removed wrt #425156.
Comment 3 Aaron Bauman (RETIRED) gentoo-dev 2018-12-11 17:31:15 UTC 
Removal GLSA opened.
Comment 4 GLSAMaker/CVETool Bot gentoo-dev 2018-12-30 21:19:59 UTC 
This issue was resolved and addressed in
 GLSA 201812-10 at https://security.gentoo.org/glsa/201812-10
by GLSA coordinator Thomas Deutschmann (whissi).