Date: Mon, 19 Nov 2012 10:57:21 +0100
From: Guido Berhoerster <guido+openwall.com@...hoerster.name>
To: oss-security@...ts.openwall.com
Subject: Fwd: [[Weechat-security] Security vulnerability in WeeChat 0.3.0 -> 0.3.9.1]

Hi,

the weechat issue below should get a CVE; it describes a shell injection
vulnerability that affects weechat plugins using the hook_process function.
In addition, upstream has a bug report at
https://savannah.nongnu.org/bugs/?37764
and the actual fix which is included in 0.3.9.2 is at
http://git.savannah.gnu.org/gitweb/?p=weechat.git;a=commitdiff_plain;h=efb795c74fe954b9544074aafcebb1be4452b03a

----- Forwarded message from FlashCode <flashcode@...shtux.org> -----

Date: Sun, 18 Nov 2012 14:18:12 +0100
From: FlashCode <flashcode@...shtux.org>
To: weechat-security@...gnu.org
Message-ID: <20121118131811.GH29073@...shtux.org>
Subject: [Weechat-security] Security vulnerability in WeeChat 0.3.0 -> 0.3.9.1

Hi all,

A security vulnerability has been fixed in WeeChat 0.3.9.2.
This problem affects all versions from 0.3.0 to 0.3.9.1.

Untrusted command for function hook_process could lead to execution of
commands, because of shell expansions.

This problem is only caused by some scripts calling function hook_process
(giving untrusted command), but the problem has been fixed in WeeChat, for
maximum safety: WeeChat will not use the shell any more to execute command.

If you are not using any script calling function hook_process, you are not
concerned by this problem.

For more info, visit the WeeChat security page: http://weechat.org/security/

--
Cordialement / Best regards
Sébastien.

web: flashtux.org / weechat.org
mail: flashcode@...shtux.org
irc: FlashCode @ irc.freenode.net
xmpp: flashcode@...ber.fr

----- End forwarded message -----

--
Guido Berhoerster
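The distinction the advisory draws (a command string handed to the shell is subject to shell expansion; the same string tokenized and passed to execvp() is not) is shown below in an added example written for this post; it is not WeeChat's code, and the helper names, the whitespace-only tokenizer and the POSIX fork/exec environment are assumptions.

```c
/* Added example, not from WeeChat: running a command string with and
 * without a shell. With system() the shell interprets ';', '$', '`' etc.
 * in the string; with execvp() on our own argv they are plain bytes. */
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

#define MAX_ARGS 64

/* Hypothetical tokenizer: split on blanks only, no quoting, no expansion.
 * Modifies cmd in place; returns the number of tokens. */
static int split_args(char *cmd, char **argv, int max)
{
    int n = 0;
    for (char *tok = strtok(cmd, " \t"); tok && n < max - 1;
         tok = strtok(NULL, " \t"))
        argv[n++] = tok;
    argv[n] = NULL;
    return n;
}

/* The pattern the advisory warns about: the string goes through /bin/sh.
 * Returns the command's exit status, or -1 on error. */
int run_with_shell(const char *command)
{
    int status = system(command);
    if (status == -1) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* The hardened pattern: tokenize ourselves, then execvp() directly.
 * Returns the child's exit status (127 if exec failed), or -1 on error. */
int run_without_shell(const char *command)
{
    char buf[1024];
    char *argv[MAX_ARGS];
    if (strlen(command) >= sizeof buf) return -1;
    strcpy(buf, command);
    if (split_args(buf, argv, MAX_ARGS) == 0) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execvp(argv[0], argv);   /* argv[1..] are literal, never expanded */
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```

With the shell, "true ; false" runs two commands and reports the second one's status; without it, only `true` runs, with ";" and "false" as harmless arguments.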