Bug 474018 (CVE-2013-2208) - <app-office/tpp-1.3.1-r2 : Possibility of arbitrary code execution when processing untrusted TPP template (CVE-2013-2208)
Alias: CVE-2013-2208
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
Whiteboard: B2 [glsa]
Reported: 2013-06-21 09:16 UTC by Agostino Sarubbo
Modified: 2013-11-05 02:40 UTC

Description Agostino Sarubbo gentoo-dev 2013-06-21 09:16:51 UTC
From ${URL} :

A security flaw was found in the way tpp, an ncurses-based presentation tool, processed TPP templates containing an --exec clause (input provided as an
argument of the --exec clause would be immediately executed without requesting a second confirmation from the user). A remote attacker could provide
a specially-crafted text presentation program (TPP) template that, when processed with the tpp binary, would lead to arbitrary code execution with the
privileges of the user running the tpp executable.


Relevant patch from Debian distribution (adds a requirement for
the user to explicitly confirm code execution is desired):

@maintainer(s): after the bump, in case we need to stabilize the package, please say explicitly if it is ready for the stabilization or not.
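
Added example, not part of the bug report or of tpp itself: a pre-open audit in Ruby that lists every `--exec` directive in an untrusted template and produces a copy with those lines neutralized. It assumes a directive begins its line (indented ones are flagged too); the function names and the sample template are constructed for illustration.

```ruby
# Pre-open audit for untrusted TPP templates (added example, not tpp code).
# Assumption: an exec directive is a line that starts with "--exec",
# optionally indented (flagged conservatively), followed by the command.
EXEC_DIRECTIVE = /\A\s*--exec\b[ \t]*(.*)\z/

# Returns [line_number, command] pairs for every --exec directive found.
def exec_directives(template_text)
  findings = []
  template_text.each_line.with_index(1) do |line, lineno|
    match = EXEC_DIRECTIVE.match(line.chomp)
    findings << [lineno, match[1].strip] if match
  end
  findings
end

# Returns a copy of the template in which each --exec line is replaced by a
# visible marker, so the slides can be viewed without running any command.
def neutralize_exec(template_text)
  template_text.each_line.map do |line|
    EXEC_DIRECTIVE.match?(line.chomp) ? "[exec directive removed]\n" : line
  end.join
end

# Constructed sample template, for demonstration only.
SAMPLE_TEMPLATE = <<~TPP
  --title Quarterly review
  Agenda for today
  --exec touch /tmp/constructed-example
  --newpage
  Text that mentions --exec in the middle of a line
TPP

if __FILE__ == $PROGRAM_NAME
  exec_directives(SAMPLE_TEMPLATE).each do |lineno, command|
    puts "line #{lineno}: --exec #{command}"
  end
end
```

A non-empty result from `exec_directives` is the signal to review the listed commands before opening the file, or to open the output of `neutralize_exec` instead.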
Comment 1 Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2013-06-21 14:28:06 UTC
app-office/tpp-1.3.1-r2 has the fix.
app-office/tpp-1.3.1-r1 still in the tree (as it is stable).

Arches, please mark app-office/tpp-1.3.1-r2 as stable for PPC/X86 so we may remove app-office/tpp-1.3.1-r1 from the tree.
Comment 2 Agostino Sarubbo gentoo-dev 2013-06-24 16:52:09 UTC
ppc stable
Comment 3 Andreas Schürch gentoo-dev 2013-06-26 08:35:22 UTC
x86 stable, thanks.
Comment 4 Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2013-06-26 14:57:34 UTC
Badness removed from tree, waiting for glsamaker access to create glsa and close.
Comment 5 Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2013-06-30 23:01:13 UTC
Still no glsamaker access to finish this out :(
Comment 6 Chris Reffett gentoo-dev Security 2013-08-23 15:06:54 UTC
GLSA request filed.
Comment 7 GLSAMaker/CVETool Bot gentoo-dev 2013-09-25 17:25:37 UTC
This issue was resolved and addressed in
 GLSA 201309-19 at
by GLSA coordinator Chris Reffett (creffett).
Comment 8 GLSAMaker/CVETool Bot gentoo-dev 2013-11-05 02:40:03 UTC
CVE-2013-2208 (
  tpp 1.3.1 allows remote attackers to execute arbitrary commands via a --exec
  command in a TPP template file.