Bug 855340 (CVE-2013-7069) - VUL-0: CVE-2013-7069: ack: potential remote code execution via per-project .ackrc files
Summary: VUL-0: CVE-2013-7069: ack: potential remote code execution via per-project .a...
Status: RESOLVED FIXED
Alias: CVE-2013-7069
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P3 - Medium    Severity: Normal
Target Milestone: ---
Assignee: Andreas Stieger
QA Contact: Security Team bot
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2013-12-13 11:11 UTC by Alexander Bergmann
Modified: 2015-02-18 23:02 UTC

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Alexander Bergmann 2013-12-13 11:11:57 UTC
Public via bugs.debian.org:

Package: ack-grep
Version: 2.10-1
Severity: grave
Tags: security upstream fixed-upstream pending
Forwarded: https://github.com/petdance/ack2/issues/399

Upstream fixed a security issue which could possibly lead to remote
code execution.

Several options to ack take Perl or shell code which will be
executed. Since ack 2.0, ack also parses per-project .ackrc files which
may e.g. come from a freshly checked out VCS repository or from a
downloaded and unpacked tarball.

CVE-2013-7069 was assigned to this issue.

References:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=731848
https://bugzilla.redhat.com/show_bug.cgi?id=1040228
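The trust boundary the report describes, as an added example that is not ack's own code or part of the original bug: a user-level rc file is written by the user and may carry anything, while a project-level rc file arrives with the repository or tarball and must be treated as data. ack's rc format (one option per line, blank lines and "#" comments ignored) and the two options used here are real: --output takes a Perl expression that is evaluated per match and --pager a shell command line. Treating exactly that pair as the code-executing set, the function names, and the sample rc contents are assumptions made for this illustration; the page does not say which options upstream chose to block.

```python
import re

# Real ack options whose argument is executed rather than matched:
# --output takes a Perl expression evaluated per match, --pager a shell
# command line.  Treating exactly this pair as the code-executing set is an
# assumption of this example, not a statement of what upstream blocked.
CODE_EXEC_OPTIONS = frozenset({"--output", "--pager"})

# Constructed sample rc files (not taken from any real repository).
USER_RC = """\
# ~/.ackrc written by the user: trusted
--smart-case
--pager=less -R
"""

BENIGN_PROJECT_RC = """\
--ignore-dir=build
--type-add=tmpl:ext:tt
"""

MALICIOUS_PROJECT_RC = """\
# .ackrc shipped inside a checked-out repository
--ignore-dir=build
--pager=sh -c 'echo pager-from-repo-ran; cat'
"""


class UntrustedOptionError(ValueError):
    """A project-level .ackrc tried to set an option that executes code."""


def parse_ackrc(text):
    """ack's rc format: one option per line, blank lines and '#' comments ignored."""
    return [ln.strip() for ln in text.splitlines()
            if ln.strip() and not ln.strip().startswith("#")]


def option_name(opt):
    """'--pager=less -R' -> '--pager'; the whitespace form '--pager less' is handled too."""
    return re.split(r"[=\s]", opt, maxsplit=1)[0]


def code_exec_options(text):
    """Lines of an rc file whose option would run Perl or shell code.
    Usable on its own to audit .ackrc files in a freshly cloned tree."""
    return [o for o in parse_ackrc(text) if option_name(o) in CODE_EXEC_OPTIONS]


def load_options_vulnerable(user_rc, project_rc):
    """Pre-fix model: the project rc is merged with the same trust as the user's own,
    so a --pager or --output line from the repository ends up executed."""
    return parse_ackrc(user_rc) + parse_ackrc(project_rc)


def load_options_hardened(user_rc, project_rc):
    """Fixed model: the project rc is data from the repository, so refuse anything
    there that would turn into executed code.  The user-level rc keeps full power."""
    bad = code_exec_options(project_rc)
    if bad:
        raise UntrustedOptionError(
            "refusing project-level .ackrc option(s): " + "; ".join(bad))
    return parse_ackrc(user_rc) + parse_ackrc(project_rc)


if __name__ == "__main__":
    print(load_options_vulnerable(USER_RC, MALICIOUS_PROJECT_RC))
    print(load_options_hardened(USER_RC, BENIGN_PROJECT_RC))
    try:
        load_options_hardened(USER_RC, MALICIOUS_PROJECT_RC)
    except UntrustedOptionError as err:
        print("blocked:", err)
```

Rejecting the whole project file, rather than silently dropping the offending line, is deliberate: a warning that names the line tells the user the checkout tried to change how ack runs commands, which is worth knowing before continuing to work in that tree.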
Comment 1 Swamp Workflow Management 2013-12-13 23:00:47 UTC
bugbot adjusting priority
Comment 2 Sebastian Krahmer 2013-12-16 10:13:47 UTC
FWIW, our package-name for ack-grep is just 'ack'.
Comment 3 Thomas Biege 2014-01-09 15:55:33 UTC
CVE-2013-7069: CVSS v2 Base Score: 6.8 (MEDIUM) (AV:N/AC:M/Au:N/C:P/I:P/A:P): Code Injection (CWE-94)
Comment 4 Andreas Stieger 2014-01-17 23:06:51 UTC
openSUSE 13.1 ack 2.04 affected.
openSUSE 12.3 ack 1.96 not affected.
openSUSE 12.2 ack 1.96 not affected.
SLE would therefore not be affected.
Fixing where applicable.
Comment 5 Andreas Stieger 2014-01-17 23:28:49 UTC
SR to utilities: https://build.opensuse.org/request/show/214309
MR for 13.1: https://build.opensuse.org/request/show/214312
Please review.
Comment 6 Bernhard Wiedemann 2014-01-19 01:00:54 UTC
This is an autogenerated message for OBS integration:
This bug (855340) was mentioned in
https://build.opensuse.org/request/show/214382 Factory / ack
Comment 7 Andreas Stieger 2014-01-20 19:22:59 UTC
Maintenance 2500 running.
Comment 8 Sebastian Krahmer 2014-01-28 11:41:55 UTC
released
Comment 9 Swamp Workflow Management 2014-01-28 12:04:30 UTC
openSUSE-SU-2014:0142-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 855340
CVE References: CVE-2013-7069
Sources used:
openSUSE 13.1 (src):    ack-2.12-3.4.1