Date: Mon, 19 Nov 2012 10:57:21 +0100
From: Guido Berhoerster <>
Subject: Fwd: [[Weechat-security] Security vulnerability in WeeChat 0.3.0 ->]


the weechat issue below should get a CVE, it describes a shell
injection vulnerability that affects weechat plugins using the
hook_process function.
In addition, upstream has a bug report at and the actual fix which
is included in is at;a=commitdiff_plain;h=efb795c74fe954b9544074aafcebb1be4452b03a

----- Forwarded message from FlashCode <> -----

Date: Sun, 18 Nov 2012 14:18:12 +0100
From: FlashCode <>
Message-ID: <>
Subject: [Weechat-security] Security vulnerability in WeeChat 0.3.0 ->

Hi all,

A security vulnerability has been fixed in WeeChat
This problem affects all versions from 0.3.0 to

Untrusted command for function hook_process could lead to execution of
commands, because of shell expansions.

This problem is only caused by some scripts calling function
hook_process (giving untrusted command), but the problem has been
fixed in WeeChat, for maximum safety: WeeChat will not use the shell
any more to execute command.

If you are not using any script calling function hook_process, you are
not concerned by this problem.

For more info, visit the WeeChat security page:

Cordialement / Best regards

web: /      mail:
irc: FlashCode @    xmpp:

----- End forwarded message -----

Guido Berhoerster
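
The difference between handing a command string to a shell and executing it without one, as an added example that is not part of the original message or of WeeChat's code. The function names, the `echo` command and the sample input are assumptions made for illustration, and `shlex.split` stands in for WeeChat's own argument splitting, which the message does not show.

```python
import shlex
import subprocess

# Constructed input standing in for text a remote party controls.
UNTRUSTED = "http://example.invalid/$(echo INJECTED)"


def build_command(untrusted):
    # Script-side pattern the advisory warns about: untrusted text is
    # pasted into the command string given to hook_process.
    return "echo fetching " + untrusted


def run_with_shell(command):
    # Affected behaviour: the string goes to /bin/sh, which performs
    # shell expansions ($(...), backticks, ';', '|') before running it.
    done = subprocess.run(command, shell=True, capture_output=True,
                          text=True, timeout=5)
    return done.stdout.strip()


def run_without_shell(command):
    # Fixed behaviour in spirit: split the string into argv and exec the
    # program directly, so metacharacters reach it as literal bytes.
    argv = shlex.split(command)
    done = subprocess.run(argv, capture_output=True, text=True, timeout=5)
    return done.stdout.strip()


def run_argv(program_args, untrusted):
    # Stricter caller-side form (hypothetical helper): the untrusted text
    # is exactly one argv element and is never re-split on whitespace.
    done = subprocess.run([*program_args, untrusted], capture_output=True,
                          text=True, timeout=5)
    return done.stdout.strip()


if __name__ == "__main__":
    cmd = build_command(UNTRUSTED)
    print("shell   :", run_with_shell(cmd))     # expansion executed
    print("no shell:", run_without_shell(cmd))  # expansion left literal
    print("argv    :", run_argv(["echo", "fetching"], UNTRUSTED))
```

Without a shell the untrusted text can still supply extra arguments or option-like values to the program, so scripts should validate it before building the command.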
