Package: ack-grep
Version: 2.10-1
Severity: grave
Tags: security upstream fixed-upstream pending
Forwarded: https://github.com/petdance/ack2/issues/399
Upstream fixed a security issue which could possibly lead to a remote code execution. Several options to ack take perl or shell code which will be executed. Since ack 2.0, ack also parses per-project .ackrc files which may e.g. come from a freshly checked out VCS repository or from a downloaded and unpacked tar ball.

See https://github.com/petdance/ack2/issues/399 and https://metacpan.org/source/PETDANCE/ack-2.12/Changes for details.

No CVE-ID seems to be assigned so far.

Wheezy (ack-grep 1.96) and Squeeze (ack-grep 1.92) are not affected as they don't support per-project .ackrc files.

I'm currently preparing an updated Debian package.

P.S.: See also https://github.com/petdance/ack2/issues/414 which contains further restrictions to the mentioned commandline options and will likely be part of the next upstream release.

-- System Information:
Debian Release: jessie/sid
  APT prefers unstable
  APT policy: (990, 'unstable'), (600, 'testing'), (400, 'stable'), (110, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.5-trunk-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages ack-grep depends on:
ii  libfile-next-perl  1.12-1
ii  perl               5.18.1-5

ack-grep recommends no packages.

ack-grep suggests no packages.

-- no debconf information
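An added check, not part of this bug report or of ack itself: a small Python scanner that walks a checked-out tree, finds per-project .ackrc files and flags options that ack hands to a shell or evaluates as Perl. Which option names to flag is an assumption here (--pager and --output); the report itself does not list them.

```python
import os
from typing import Dict, List, Tuple

# Assumption (not stated in the bug report): these ack options accept
# code rather than plain settings. --pager runs a shell command and
# --output is evaluated as a Perl expression for each match.
CODE_OPTIONS = {"--pager", "--output"}


def parse_ackrc(text: str) -> List[Tuple[str, str]]:
    """Split .ackrc text into (option, value) pairs.

    ack's .ackrc format: one command-line argument per line, '#' starts
    a comment line, blank lines are ignored, and '--opt=value' carries
    its value on the same line.
    """
    opts = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition("=")
        opts.append((name.strip(), value.strip() if sep else ""))
    return opts


def risky_options(text: str) -> List[Tuple[str, str]]:
    """Return the options in an .ackrc that would make ack execute code.

    The value is not inspected: any such option coming from a project
    file is untrusted, whatever it points at."""
    return [(n, v) for n, v in parse_ackrc(text) if n in CODE_OPTIONS]


def scan_tree(root: str) -> Dict[str, List[Tuple[str, str]]]:
    """Map each project .ackrc under root to its code-executing options."""
    findings: Dict[str, List[Tuple[str, str]]] = {}
    for dirpath, _dirs, files in os.walk(root):
        if ".ackrc" in files:
            path = os.path.join(dirpath, ".ackrc")
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits = risky_options(fh.read())
            if hits:
                findings[path] = hits
    return findings


# Constructed samples: a harmless project .ackrc and one that would make
# ack run a project-supplied command as its pager.
SAFE_ACKRC = "# project defaults\n--ignore-dir=build\n--type-add=web=.html\n"
RISKY_ACKRC = "--ignore-dir=vendor\n--pager=./scripts/view.sh\n"
```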