From ${URL} :

Tim Waugh from Red Hat has reported the below issue:

The wordexp() function will perform command substitution even when explicitly told not to, when expanding "$((`...`))".

...

#include <wordexp.h>

int main (void)
{
  wordexp_t we;
  /* WRDE_NOCMD should make this fail with WRDE_CMDSUB; an unpatched glibc runs the backtick command instead */
  return wordexp ("$((1`touch /tmp/x`))", &we, WRDE_NOCMD);
}

This can allow a local authenticated attacker to execute arbitrary commands with the credentials of a process calling wordexp() on attacker-supplied data.

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
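Added example, not code from the bug report or from glibc: a defensive wrapper that still calls wordexp() with WRDE_NOCMD but first rejects command-substitution syntax itself, so a process handling untrusted input on an unpatched glibc does not depend on the library honouring the flag. The names has_cmd_subst and expand_untrusted, and the sample inputs, are chosen here.

```c
/* Defensive wordexp() wrapper for untrusted input (added example, not glibc code).
 * A fixed glibc returns WRDE_CMDSUB for "$((1`...`))" under WRDE_NOCMD; on an
 * unpatched glibc the pre-check below rejects the same input before wordexp()
 * ever sees it, so no command runs either way. */
#include <stdio.h>
#include <string.h>
#include <wordexp.h>

/* Return 1 if `s` contains shell command-substitution syntax outside single
 * quotes: a backtick, or "$(" that is not the "$((" opening an arithmetic
 * expansion. A "$(cmd)" nested inside "$((...))" is still caught because its
 * "$(" is followed by a non-'(' character. Backslash-escaped characters are
 * skipped; double quotes are not special because substitution works inside them. */
int has_cmd_subst(const char *s)
{
    int sq = 0;                                   /* inside single quotes */
    for (size_t i = 0; s[i]; i++) {
        char c = s[i];
        if (sq) { if (c == '\'') sq = 0; continue; }
        if (c == '\\' && s[i + 1]) { i++; continue; }  /* escaped character */
        if (c == '\'') { sq = 1; continue; }
        if (c == '`') return 1;
        if (c == '$' && s[i + 1] == '(' && s[i + 2] != '(') return 1;
    }
    return 0;
}

/* Expand untrusted `input` with command substitution forbidden.
 * Returns 0 on success (caller must wordfree(we)), WRDE_CMDSUB if the input
 * asked for command substitution, or another WRDE_* error code from wordexp(). */
int expand_untrusted(const char *input, wordexp_t *we)
{
    if (has_cmd_subst(input))
        return WRDE_CMDSUB;                       /* reject before the library runs */
    return wordexp(input, we, WRDE_NOCMD);
}

int main(void)
{
    wordexp_t we;
    /* Constructed inputs: the report's PoC shape with a harmless command, and a
     * plain arithmetic expansion that WRDE_NOCMD must still allow. */
    const char *bad = "$((1`echo 1`))";
    const char *ok  = "$((1+2)) literal";
    printf("%s -> %s\n", bad,
           expand_untrusted(bad, &we) == WRDE_CMDSUB ? "rejected" : "EXPANDED");
    if (expand_untrusted(ok, &we) == 0) {
        for (size_t i = 0; i < we.we_wordc; i++)
            printf("word[%zu]=%s\n", i, we.we_wordv[i]);
        wordfree(&we);
    }
    return 0;
}
```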
CVE-2014-7817 and thus common knowledge, please add the patch shown in https://sourceware.org/ml/libc-alpha/2014-11/msg00519.html until a new upstream release is around.
CVE-2014-7817 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-7817): The wordexp function in GNU C Library (aka glibc) 2.21 does not enforce the WRDE_NOCMD flag, which allows context-dependent attackers to execute arbitrary commands, as demonstrated by input containing "$((`...`))".
fix is also in glibc-2.20-r2 now
This issue was resolved and addressed in GLSA 201602-02 at https://security.gentoo.org/glsa/201602-02 by GLSA coordinator Tobias Heinlein (keytoaster).