Quoting from $URL:
"The 2010.08.05 release comes with a patched config file.
With shell code in hyperlinks on a page, one of the sample (uzbl-core) resp. default (uzbl-browser) button bindings (binding for mousebutton2) would execute this code."
"Note that just upgrading your uzbl is not enough. If you have an existing config, the change will not be automatically applied.
So be sure you have this change in your config."
More info here: http://www.uzbl.org/bugs/index.php?do=details&task_id=240
I'll commit =www-client/uzbl-2010.08.05 which includes the config fix and ewarns with instructions for current users.
Arches, please test and mark stable:
Target keywords : "amd64 x86"
All good x86.
Builds and runs fine on x86. Please mark stable for x86.
x86 stable, thanks David and Myckel
The default configuration of the <Button2> binding in Uzbl before
2010.08.05 does not properly use the @SELECTED_URI feature, which
allows user-assisted remote attackers to execute arbitrary commands
via a crafted HREF attribute of an A element in an HTML document.
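The CVE text above describes a shell-injection pattern: a page-controlled URI expanded into a command string that the shell then re-parses. The following POSIX sh script is an added example, not uzbl's own config or code and not the actual 2010.08.05 fix; `handle_uri`, `open_uri_unsafe`, `open_uri_safe`, `uri_has_shell_metachars` and the sample href are constructed here to show the difference between textual substitution and argument passing, plus a pre-check a binding can apply when it cannot avoid string expansion.

```shell
#!/bin/sh
# Added example (not uzbl's own config or code): why expanding a page-supplied
# URI into a shell command string is dangerous, and two defensive alternatives
# (pass it as an argv element; reject shell metacharacters before expansion).

# Stand-in for the external handler a button binding would invoke with the
# selected URI (in uzbl terms, whatever @SELECTED_URI would be handed to).
# It just echoes the single argument it received so the result can be checked.
handle_uri() {
    printf '%s\n' "$1"
}

# Vulnerable pattern (analogue of the pre-2010.08.05 binding): the URI is
# substituted into a command string that the shell re-parses, so metacharacters
# in the href become part of the command line.
open_uri_unsafe() {
    eval "handle_uri $1"
}

# Hardened pattern: the URI travels as one argv element. The shell never parses
# its contents, so a crafted href is merely an odd-looking string.
open_uri_safe() {
    handle_uri "$1"
}

# Pre-check for bindings that still rely on string expansion: succeeds (exit 0)
# when the URI contains characters the shell would interpret.
uri_has_shell_metachars() {
    printf '%s' "$1" | grep -q '[;|&$`"'"'"'()<> ]'
}

# Constructed sample href with a harmless marker command embedded in it.
SAMPLE_URI='http://example.invalid/page; echo INJECTED'

# When run directly: the safe path hands the href over intact, and the
# pre-check flags it for any binding that still expands it into a string.
open_uri_safe "$SAMPLE_URI"
if uri_has_shell_metachars "$SAMPLE_URI"; then
    echo "rejected for string-expanding bindings: $SAMPLE_URI"
fi
```

Running the script shows `open_uri_safe` printing the whole href as a single line, while `open_uri_unsafe` (not invoked at top level) would split it into the URI followed by the output of the embedded command; the pre-check is the fallback for configurations where a `sh -c`-style expansion cannot be removed.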
(Kéwan: Note: This bug has been handled, no maintainer actions are needed here.)
This issue was resolved and addressed in
GLSA 201412-08 at http://security.gentoo.org/glsa/glsa-201412-08.xml
by GLSA coordinator Sean Amoss (ackle).