Joxean Koret wrote:
> Subject: eric: Arbitrary code execution
> Package: eric
> Version: 3.6.2-1
> Severity: grave
> Justification: user security hole
>
> The ERIC IDE uses Python syntax in the project files for various
> configurable params, for example, to generate the project
> documentation. Well, due to the usage of Python source in the project
> file, a malicious user can create a malicious project file that will
> execute arbitrary code when trying to generate the project
> documentation.
>
> I contacted the Eric project author and a fix for the issue was released.
>
> Attached goes a working exploit.
>
> Regards,
> Joxean Koret
>

Hi,

I've backported the fix from 3.7.2 and contacted Debian Security.

Greetings

Torsten

--
Torsten Marek <[EMAIL PROTECTED]>
ID: A244C858 -- FP: 1902 0002 5DFC 856B F146 894C 7CC5 451E A244 C858
Keyserver: subkeys.pgp.net
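
The class of bug in the report quoted above, as an added example that is not part of the original thread and is neither eric's code nor its fix: a project file stored as Python source is executed by one loader and parsed as literals only by the other. The file layout, function names and sample contents are assumptions constructed for illustration.

```python
import ast

# Constructed sample: a project file that is plain data in Python syntax.
BENIGN_PROJECT = '''
name = "demo"
doc_params = {"outputDirectory": "doc", "recursive": True}
sources = ["main.py", "util.py"]
'''

# Constructed sample: same layout, but one value is an expression rather
# than a literal. It is harmless here; the point is that it gets evaluated.
HOSTILE_PROJECT = '''
name = "demo"
doc_params = {"outputDirectory": str(len("abc"))}
'''


class ProjectFileError(ValueError):
    """Raised when a project file contains anything other than literals."""


def load_project_unsafe(text):
    """Risky pattern: the file is run as Python source (assumed loader)."""
    namespace = {}
    exec(text, namespace)  # every statement and expression in the file runs
    namespace.pop("__builtins__", None)
    return namespace


def load_project_safe(text):
    """Accept only `name = <literal>` statements; nothing is executed."""
    try:
        tree = ast.parse(text, mode="exec")
    except SyntaxError as exc:
        raise ProjectFileError(f"not parseable: {exc}") from exc
    settings = {}
    for node in tree.body:
        if not (isinstance(node, ast.Assign) and len(node.targets) == 1
                and isinstance(node.targets[0], ast.Name)):
            raise ProjectFileError(
                f"line {node.lineno}: only 'name = literal' is allowed")
        try:
            # literal_eval handles str, bytes, numbers, tuples, lists,
            # dicts, sets, booleans and None; calls and names are rejected.
            settings[node.targets[0].id] = ast.literal_eval(node.value)
        except (ValueError, TypeError) as exc:
            raise ProjectFileError(
                f"line {node.lineno}: value is not a literal") from exc
    return settings
```

The safe loader reports the offending line instead of evaluating it, so a tampered project file fails at open time rather than when documentation generation is triggered.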