Bug 467262 (CVE-2013-2012) - <app-shells/autojump-21.3.0-r1: autojump profile will load random stuff from a directory called custom_install (CVE-2013-2012)
Status: RESOLVED FIXED
Alias: CVE-2013-2012
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal trivial
Assignee: Gentoo Security
URL: http://www.openwall.com/lists/oss-sec...
Whiteboard: ~4 [noglsa]
Reported: 2013-04-25 19:31 UTC by Agostino Sarubbo
Modified: 2013-05-10 17:20 UTC

Description Agostino Sarubbo gentoo-dev 2013-04-25 19:31:07 UTC
From ${URL} :

  A security flaw was found in the way autojump, a tool for faster filesystem
navigation from the command line, honoured the content of a custom_install
directory when global and local autojump installations were not found
and the $SHELL variable was unset or set to a value other than bash or zsh.
If an unsuspecting autojump user was tricked into running the autojump script
from a directory a local attacker has write access to, this flaw could be
used for arbitrary (Python) code execution with the privileges of the user
running the autojump binary / script.

Relevant (final) upstream patches are as follows:
[1] https://github.com/joelthelion/autojump/commit/ad09ee27d402be797b3456abff6edeb4291edfec
[2] https://github.com/joelthelion/autojump/commit/c763b2afadb188ab52849c21d43d2e8fe5b8800a

References:
[3] https://bugzilla.redhat.com/show_bug.cgi?id=950777



@maintainer(s): after the bump, in case we need to stabilize the package, please say explicitly if it is ready for the stabilization or not
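The lookup order in the report above, modelled as an added example in POSIX sh. This is not autojump's profile script and is not taken from the upstream patches; the install paths, the custom_install/autojump.sh filename and the function names are assumptions chosen for illustration. vuln_resolve reproduces the described pre-fix behaviour (global install, then local install, then a custom_install directory relative to the current working directory when $SHELL is unset or not bash/zsh); safe_resolve consults only the two fixed locations and never looks in the current directory.

```shell
#!/bin/sh
# Added example, not autojump's own code. Models the resolution order described
# in the report: global install, local install, then (only when neither exists
# and $SHELL is unset or not bash/zsh) ./custom_install relative to the cwd.
# All paths below are hypothetical; the page does not give the real ones.

# Strip a shell path such as /bin/bash down to its basename.
shell_basename() {
    printf '%s\n' "${1##*/}"
}

# Vulnerable resolution (models the pre-fix behaviour).
# Args: PREFIX HOME_DIR CWD SHELL_VALUE. Prints the file that would be sourced,
# returns 1 if nothing would be sourced.
vuln_resolve() {
    global_rc="$1/share/autojump/autojump.sh"          # hypothetical global path
    local_rc="$2/.autojump/etc/profile.d/autojump.sh"   # hypothetical local path
    if [ -f "$global_rc" ]; then printf '%s\n' "$global_rc"; return 0; fi
    if [ -f "$local_rc" ]; then printf '%s\n' "$local_rc"; return 0; fi
    case "$(shell_basename "$4")" in
        bash|zsh) return 1 ;;   # known shell: no further fallback
    esac
    # The flaw: a path relative to the current directory. Whoever can write
    # there (a shared or world-writable directory) chooses what gets sourced.
    custom_rc="$3/custom_install/autojump.sh"
    if [ -f "$custom_rc" ]; then printf '%s\n' "$custom_rc"; return 0; fi
    return 1
}

# Hardened resolution: the same two fixed locations, no cwd-relative fallback.
safe_resolve() {
    global_rc="$1/share/autojump/autojump.sh"
    local_rc="$2/.autojump/etc/profile.d/autojump.sh"
    if [ -f "$global_rc" ]; then printf '%s\n' "$global_rc"; return 0; fi
    if [ -f "$local_rc" ]; then printf '%s\n' "$local_rc"; return 0; fi
    return 1
}

# Constructed scenario: no global or local install, $SHELL unset, and an
# attacker has planted custom_install/autojump.sh in a shared directory the
# victim changes into. Prints "vulnerable" if the insecure lookup would source
# the planted file, "safe" otherwise.
demo() {
    tmp=$(mktemp -d) || return 2
    mkdir -p "$tmp/shared/custom_install"
    printf '%s\n' 'echo "planted code ran"' > "$tmp/shared/custom_install/autojump.sh"
    result=safe
    if picked=$(vuln_resolve "$tmp/usr" "$tmp/home" "$tmp/shared" ""); then
        if [ "$picked" = "$tmp/shared/custom_install/autojump.sh" ]; then
            result=vulnerable
        fi
    fi
    rm -rf "$tmp"
    printf '%s\n' "$result"
}
```

Source the file and call `demo` to see the insecure lookup pick the planted file; calling `safe_resolve` with the same arguments returns non-zero because neither fixed location exists. The point of the hardened version is not the particular paths but that every candidate is an absolute or $HOME-anchored location the invoking user controls, so the directory a user happens to be in when the profile is sourced can no longer select code.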
Comment 1 Michael Weber (RETIRED) gentoo-dev 2013-05-04 10:43:39 UTC
+*autojump-21.3.0-r1 (04 May 2013)
+
+  04 May 2013; Michael Weber <xmw@gentoo.org> +autojump-21.3.0-r1.ebuild,
+  +files/autojump-21.3.0-supported-shells.patch, -autojump-21.3.0.ebuild:
+  Drop old, fix infinity loop sourcing shell=sh (thanks Kamil Kuduk, bug
+  446312), prefix support (thanks Leho Kraav, bug 465226), fix security issue
+  (bug 467262).
+
Comment 2 Sean Amoss gentoo-dev Security 2013-05-10 17:20:50 UTC
Closing noglsa for ~arch only.