Bug 197660 (CVE-2007-5837) - net-news/yarssr GUI.pm Command Injection (CVE-2007-5837)
Summary: net-news/yarssr GUI.pm Command Injection (CVE-2007-5837)
Status: RESOLVED FIXED
Alias: CVE-2007-5837
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High trivial
Assignee: Gentoo Security
URL: http://secunia.com/advisories/27454/
Whiteboard: ~2 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2007-10-31 16:32 UTC by Robert Buchholz (RETIRED)
Modified: 2007-11-06 04:30 UTC

See Also:
Package list:
Runtime testing required: ---


Description Robert Buchholz (RETIRED) gentoo-dev 2007-10-31 16:32:56 UTC
Secunia:
  Duncan Gilmore has discovered a vulnerability in yarssr, which can be
  exploited by malicious people to compromise a user's system.
  The vulnerability is caused due to the GUI.pm module not properly
  sanitising URLs before using them in an "exec()" statement to launch
  the browser. This can be exploited to inject and execute arbitrary commands
  with the privileges of the user running yarssr by tricking him into
  clicking on a malicious feed link.
  Successful exploitation requires that "Gnome default" URL handling is disabled.
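The advisory above describes the classic Perl pitfall behind this bug: handing a single string containing untrusted data to exec() makes Perl run it through /bin/sh, so shell metacharacters in a feed URL become commands. The following is an added illustration written for this page, not yarssr's actual GUI.pm code. It shows the defensive pattern: whitelist the URL scheme and shape, then invoke the browser with exec's LIST form so no shell is ever involved. The browser name, the URL regex and the sample URLs are assumptions constructed for the example.

```perl
#!/usr/bin/perl
# Added illustration, not yarssr's own code: launching a browser for a feed
# link without letting the URL reach a shell.
use strict;
use warnings;

# Hypothetical vulnerable pattern, shown only as a comment for contrast.
# A single string goes through /bin/sh, so metacharacters in $url are
# interpreted as shell syntax:
#   exec("$browser $url");

# Accept only http/https URLs with no whitespace or control characters.
# The character class is an assumption for this example; the real
# protection against shell injection is the LIST-form exec below, this
# check just refuses obviously malformed links (and, because the scheme
# must come first, a URL can never start with "-" and be read as an option).
sub is_safe_url {
    my ($url) = @_;
    return defined $url && $url =~ m{\Ahttps?://[^\s[:cntrl:]]+\z};
}

# Build the argument vector for the browser, dying on an unsafe URL.
sub browser_argv {
    my ($browser, $url) = @_;
    die "refusing to launch browser for unsafe URL\n" unless is_safe_url($url);
    return ($browser, $url);
}

# exec with a LIST (and the indirect-object form to pin the program) never
# invokes a shell, so the URL is passed to the browser as one argument
# whatever characters it contains.
sub launch_browser {
    my ($browser, $url) = @_;
    my @argv = browser_argv($browser, $url);
    my $pid  = fork();
    die "fork failed: $!\n" unless defined $pid;
    if ($pid == 0) {
        exec { $argv[0] } @argv or die "exec failed: $!\n";
    }
    return $pid;    # parent returns the child's pid; no shell anywhere
}

# Self-check with constructed inputs; no browser is started here.
my $browser = 'firefox';    # assumed browser command
for my $url (
    'http://example.com/feed?id=1&x=2',    # accepted, & is harmless in LIST form
    'https://example.com/a b',             # rejected: whitespace
    'javascript:alert(1)',                 # rejected: scheme not http(s)
    '-remote',                             # rejected: no scheme
) {
    my @argv = eval { browser_argv($browser, $url) };
    printf "%-36s %s\n", $url, @argv ? "ok: @argv" : "rejected";
}
```

The important line is the LIST-form `exec { $argv[0] } @argv`: with more than one element (or the indirect-object form) Perl calls execvp directly, so the only way a URL can influence the command is as an argument the browser itself interprets. The regex is a second layer and deliberately does not try to enumerate shell metacharacters, since characters such as `&` and `;` are legitimate in query strings once no shell is in the path.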
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2007-10-31 16:35:41 UTC
net-news, are you taking care of this package?
Comment 2 Wulf Krueger (RETIRED) gentoo-dev 2007-11-04 21:20:38 UTC
Yes, I've added yarssr-0.2.2-r1 with a patch that fixes the vulnerability. The vulnerable version 0.2.2 is gone. Furthermore, net-news is now in the metadata.
Comment 3 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-11-04 21:35:04 UTC
thanks, closing without glsa then.