Your message dated Tue, 10 Dec 2013 21:19:02 +0000
with message-id <e1vquhq-000798...@franck.debian.org>
and subject line Bug#731848: fixed in ack-grep 2.12-1
has caused the Debian Bug report #731848,
regarding ack-grep: potential remote code execution via per-project .ackrc files
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
731848: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=731848
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: ack-grep
Version: 2.10-1
Severity: grave
Tags: security upstream fixed-upstream pending
Forwarded: https://github.com/petdance/ack2/issues/399
Upstream fixed a security issue which could possibly lead to remote
code execution.
Several options to ack take Perl or shell code which will be
executed. Since ack 2.0, ack also parses per-project .ackrc files which
may e.g. come from a freshly checked out VCS repository or from a
downloaded and unpacked tarball.
See https://github.com/petdance/ack2/issues/399 and
https://metacpan.org/source/PETDANCE/ack-2.12/Changes for details.
No CVE-ID seems to be assigned so far.
Wheezy (ack-grep 1.96) and Squeeze (ack-grep 1.92) are not affected as
they don't support per-project .ackrc files.
I'm currently preparing an updated Debian package.
P.S.: See also https://github.com/petdance/ack2/issues/414 which
contains further restrictions to the mentioned commandline options and
will likely be part of the next upstream release.
-- System Information:
Debian Release: jessie/sid
APT prefers unstable
APT policy: (990, 'unstable'), (600, 'testing'), (400, 'stable'), (110, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 3.5-trunk-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages ack-grep depends on:
ii libfile-next-perl 1.12-1
ii perl 5.18.1-5
ack-grep recommends no packages.
ack-grep suggests no packages.
-- no debconf information
--- End Message ---
--- Begin Message ---
Source: ack-grep
Source-Version: 2.12-1
We believe that the bug you reported is fixed in the latest version of
ack-grep, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 731...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Axel Beckert <a...@debian.org> (supplier of updated ack-grep package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Tue, 10 Dec 2013 21:36:18 +0100
Source: ack-grep
Binary: ack-grep
Architecture: source all
Version: 2.12-1
Distribution: unstable
Urgency: high
Maintainer: Debian Perl Group <pkg-perl-maintain...@lists.alioth.debian.org>
Changed-By: Axel Beckert <a...@debian.org>
Description:
ack-grep - grep-like program specifically for large source trees
Closes: 731848
Changes:
ack-grep (2.12-1) unstable; urgency=high
.
* New upstream security fix release
+ Disables --pager, --output and --regexp in per-project .ackrc files.
Closes: #731848
+ Refresh patch app-rename.
* Bump Standards-Version to 3.9.5 (no changes).
Checksums-Sha1:
424ca488691450174871e26266dbf639f891fb11 1427 ack-grep_2.12-1.dsc
62e0871fadef0781fcfee8c4935f0206c865d88c 219614 ack-grep_2.12.orig.tar.gz
35ea8dfbe1a4d0e5550be07198a238dd783900c3 17438 ack-grep_2.12-1.debian.tar.gz
86cd20566b90d574cee23a37988d9a2aad7a28e0 63560 ack-grep_2.12-1_all.deb
Checksums-Sha256:
53176e8caa361fcaff5d694dec59de6edb0bfbdea8511992ee513d8f1f3db4d4 1427 ack-grep_2.12-1.dsc
52f2d37bc2570d947171f10059d6ed4f0f23413849a546ca202b6e17debb7d2b 219614 ack-grep_2.12.orig.tar.gz
bfeaa93a593580ed32d42b7b563aeeae6b3c2f17e422252abd2be55cb463cb1d 17438 ack-grep_2.12-1.debian.tar.gz
52aace8c7b46d0fa1f006b5a23955399db6147cd29546c10c6641208670258a5 63560 ack-grep_2.12-1_all.deb
Files:
1ce4c4fdd2604bb57e29173e7e2645bc 1427 utils optional ack-grep_2.12-1.dsc
11e886ab0ec72173869a82e59227ddf2 219614 utils optional ack-grep_2.12.orig.tar.gz
95d4edd0055b26dbbf5ab0c27150d3f5 17438 utils optional ack-grep_2.12-1.debian.tar.gz
0d3c9f3c64251a15dd3417dd8e22ddcb 63560 utils optional ack-grep_2.12-1_all.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.15 (GNU/Linux)
iEYEARECAAYFAlKngJQACgkQwJ4diZWTDt4I4gCeIe2rQbtnbfuxG+UXlR/g5lmR
ErUAn3LrWgiUSWc4KzAIbwz2dg8fcm/8
=hIZH
-----END PGP SIGNATURE-----
--- End Message ---
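As an added example (not code from the bug report, from the Debian package or from the ack project itself): a small POSIX shell scanner that walks an unpacked tree for per-project .ackrc files and flags the three options the 2.12-1 changelog above says ack no longer honours in such files (--pager, --output, --regexp). It covers both the mechanism described in the report (options carrying Perl or shell code, read from a .ackrc shipped inside a checkout or tarball) and the option list in the changelog. It assumes the .ackrc layout of one option per line, matches only the full long option names (abbreviated spellings are not caught), and builds its own constructed sample tree; the function names scan_ackrc and make_sample_tree are the example's own.

```shell
#!/bin/sh
# Added example, not part of the bug report or of ack itself.
# Flag per-project .ackrc files that set the options ack 2.12 stopped
# honouring in such files (--pager, --output, --regexp; list taken from
# the 2.12-1 changelog in this thread).

# Long option names only, at the start of a line, followed by '=', a blank
# or end of line. Assumption: one option per line, as ack reads .ackrc.
# Limitation: abbreviated spellings of the options are not matched.
ACKRC_RISKY='^[[:space:]]*(--pager|--output|--regexp)([[:space:]=]|$)'

# scan_ackrc DIR
#   Prints every offending line as FILE:LINENO:TEXT.
#   Returns 0 if nothing was flagged, 1 otherwise.
scan_ackrc() {
    # -exec ... {} + hands all .ackrc files to one grep; -H keeps the
    # filename prefix even when only a single file is found.
    _hits=$(find "$1" -name .ackrc -type f -exec grep -nHE "$ACKRC_RISKY" {} +)
    [ -n "$_hits" ] || return 0
    printf '%s\n' "$_hits"
    return 1
}

# make_sample_tree
#   Builds a constructed sample tree (not from any real project) with one
#   harmless .ackrc and one that would have run a shell command via --pager
#   and a Perl expression via --output in ack 2.0 through 2.10.
#   Prints the directory it created.
make_sample_tree() {
    _d=$(mktemp -d)
    mkdir -p "$_d/clean" "$_d/evil"
    printf '%s\n' '--ignore-dir=build' '--type-add=web:ext:html,css' \
        > "$_d/clean/.ackrc"
    printf '%s\n' '# looks harmless at first glance' '--ignore-dir=build' \
        '--pager=sh -c "echo running-from-ackrc"' '--output=$&' \
        > "$_d/evil/.ackrc"
    printf '%s\n' "$_d"
}

# Demonstration on the constructed tree: prints the two flagged lines.
demo_dir=$(make_sample_tree)
scan_ackrc "$demo_dir" || echo "untrusted .ackrc options found under $demo_dir"
rm -rf "$demo_dir"
```

Run scan_ackrc against a fresh checkout or unpacked tarball before invoking a pre-2.12 ack-grep inside it; a non-zero exit status means at least one line was flagged. Upgrading to 2.12-1 is the actual fix, so the scan is only a stopgap on hosts where the older package is still installed.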