Detections
Analytics

openSUSE Security Update : ack (openSUSE-SU-2014:0142-1)

medium Nessus Plugin ID 75410

Language:

Synopsis

The remote openSUSE host is missing a security update.

Description

- update to ack 2.12: fixes potential remote code execution via per-project .ackrc files [bnc#855340] [CVE-2013-7069]

 - prevents the --pager, --regex and --output options from being used from project-level ackrc files, preventing possible code execution when using ack through malicious files

 - --pager, --regex and --output options may still be used from the global /etc/ackrc, your own private ~/.ackrc, the ACK_OPTIONS environment variable, and of course from the command line.

 - Now ignores Eclipse .metadata directory.

 - includes changes form 2.11_02 :

 - upstream source mispackaging fix

 - includes changes from 2.11_01

 - Fixed a race condition in t/file-permission.t that was causing failures if tests were run in parallel.

 - includes changes from 2.10 :

 - Add --perltest for *.t files

 - Added Matlab support

 - More compatibility fixes for Perl 5.8.8.

 - includes changes from 2.08

 - ack now ignores CMake's build/cache directories by default

 - Add shebang matching for --lua files

 - Add documentation for --ackrc

 - Add Elixir filetype

 - Add --cathy option

 - Add some helpful debugging tips when an invalid option is found

 - Ignore PDF files by default, because Perl will detect them as text

 - Ignore .gif, .jpg, .jpeg and .png files. They won't normally be selected, but this is an optimization so that ack doesn't have to open them to know

 - Ack's colorizing of output would get confused with multiple sets of parentheses

 - Ack would get confused when trying to colorize the output in DOS-format files

 - includes changes from 2.05_01

 - We now ignore the node_modules directories created by npm

 - --pager without an argument implies --pager=$PAGER

 - --perl now recognizes Plack-style .psgi files

 - Added filetypes for Coffescript, JSON, LESS, and Sass.

 - Command-line options now override options set in ackrc files

 - ACK_PAGER and ACK_PAGER_COLOR now work as advertised.

 - Fix a bug resulting in uninitialized variable warnings when more than one capture group was specified in the search pattern

 - Make sure ack is happy to build and test under cron and other console-less environments.

 - packaging changes :

 - run more rests with IO::Pty

 - refresh ack-ignore-osc.patch for upstream changes

 - update project URL

 - port changes from devel:languages:perl ack by [email protected] :

 - correct metadata: licence, CPAN download, homepage

 - unset forced prefix - let Perl configuration and toolchain determine the prefix/install_base which will DTRT

 - bash completion is gone, remove dead code

 - modified patches :

 - ack-ignore-osc.patch adjust for upstream source changes

Solution

Update the affected ack packages.

See Also

https://bugzilla.novell.com/show_bug.cgi?id=855340

https://lists.opensuse.org/opensuse-updates/2014-01/msg00094.html

Plugin Details

Severity: Medium

ID: 75410

File Name: openSUSE-2014-87.nasl

Version: 1.4

Type: local

Agent: unix

Published: 6/13/2014

Updated: 1/19/2021

Supported Sensors: Continuous Assessment, Frictionless Assessment Agent, Frictionless Assessment AWS, Frictionless Assessment Azure, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 5.5

CVSS v2

Risk Factor: Medium

Base Score: 6.8

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P

Vulnerability Information

CPE: p-cpe:/a:novell:opensuse:ack, p-cpe:/a:novell:opensuse:perl-app-ack, cpe:/o:novell:opensuse:13.1

Required KB Items: Host/local_checks_enabled, Host/SuSE/release, Host/SuSE/rpm-list

Patch Publication Date: 1/20/2014

Reference Information

CVE: CVE-2013-7069