ack-grep: CVE-2013-7069: potential remote code execution via per-project .ackrc files


Debian Bug report logs - #731848


Reported by: Axel Beckert <abe@debian.org>

Date: Tue, 10 Dec 2013 12:48:02 UTC

Severity: grave

Tags: fixed-upstream, security, upstream

Found in version ack-grep/2.10-1

Fixed in version ack-grep/2.12-1

Done: Axel Beckert <abe@debian.org>

Bug is archived. No further changes may be made.

Forwarded to https://github.com/petdance/ack2/issues/399



Report forwarded to debian-bugs-dist@lists.debian.org, abe@debian.org, team@security.debian.org, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>:
Bug#731848; Package ack-grep. (Tue, 10 Dec 2013 12:48:06 GMT)


Acknowledgement sent to Axel Beckert <abe@debian.org>:
New Bug report received and forwarded. Copy sent to abe@debian.org, team@security.debian.org, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>. (Tue, 10 Dec 2013 12:48:06 GMT)


Message #5 received at submit@bugs.debian.org:

From: Axel Beckert <abe@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: ack-grep: potential remote code execution via per-project .ackrc files
Date: Tue, 10 Dec 2013 13:46:14 +0100
Package: ack-grep
Version: 2.10-1
Severity: grave
Tags: security upstream fixed-upstream pending
Forwarded: https://github.com/petdance/ack2/issues/399

Upstream fixed a security issue which could possibly lead to a remote
code execution.

Several options to ack take perl or shell code which will be
executed. Since ack 2.0, ack also parses per-project .ackrc files which
may e.g. come from a freshly checked out VCS repository or from a
downloaded and unpacked tar ball.

See https://github.com/petdance/ack2/issues/399 and
https://metacpan.org/source/PETDANCE/ack-2.12/Changes for details.

No CVE-ID seems to be assigned so far.

Wheezy (ack-grep 1.96) and Squeeze (ack-grep 1.92) are not affected as
they don't support per-project .ackrc files.

I'm currently preparing an updated Debian package.

P.S.: See also https://github.com/petdance/ack2/issues/414 which
contains further restrictions to the mentioned commandline options and
will likely be part of the next upstream release.

-- System Information:
Debian Release: jessie/sid
  APT prefers unstable
  APT policy: (990, 'unstable'), (600, 'testing'), (400, 'stable'), (110, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.5-trunk-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages ack-grep depends on:
ii  libfile-next-perl  1.12-1
ii  perl               5.18.1-5

ack-grep recommends no packages.

ack-grep suggests no packages.

-- no debconf information



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>:
Bug#731848; Package ack-grep. (Tue, 10 Dec 2013 13:48:04 GMT)


Acknowledgement sent to Axel Beckert <abe@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>. (Tue, 10 Dec 2013 13:48:05 GMT)


Message #10 received at 731848@bugs.debian.org:

From: Axel Beckert <abe@debian.org>
To: oss-security@lists.openwall.com
Cc: Debian Security Team <team@security.debian.org>, Andy Lester <andy@petdance.com>, 731848@bugs.debian.org
Subject: CVE request for remote code execution in ack
Date: Tue, 10 Dec 2013 14:46:14 +0100
Hi,

as discussed with Salvatore Bonaccorso of the Debian Security Team
(team cc'ed), I'm herewith requesting a CVE ID for the following
security issue in ack (http://beyondgrep.com/, also known as ack-grep
in multiple distributions; upstream developer cc'ed):

* Remote code execution via options --pager, --output, and --regexp in
  per-project .ackrc files

  Details and original report: https://github.com/petdance/ack2/issues/399
  Changelog: https://metacpan.org/source/PETDANCE/ack-2.12/Changes
  Further references: http://bugs.debian.org/731848

  Affected versions: 2.00 to 2.10.
  Not affected versions: Below 2.00
  Fixed versions: 2.12 so far

		Regards, Axel
-- 
 ,''`.  |  Axel Beckert <abe@debian.org>, http://people.debian.org/~abe/
: :' :  |  Debian Developer, ftp.ch.debian.org Admin
`. `'   |  1024D: F067 EA27 26B9 C3FC 1486  202E C09E 1D89 9593 0EDE
  `-    |  4096R: 2517 B724 C5F6 CA99 5329  6E61 2FF9 CD59 6126 16B5
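The two messages above describe the mechanism (ack 2.00 to 2.10 read a per-project .ackrc from whatever tree it was run in, and the --pager, --output and --regexp options it contained were treated as shell or Perl code) and the upstream mitigation in 2.12 (those three options are no longer honoured from a project-level file). The following audit script is an added example, not ack's own code and not part of the bug report: it parses .ackrc files the way ack documents the format (one argument per line, blank lines and `#` comments ignored) and reports any file in a fresh checkout or unpacked tarball that carries one of the three options, so a defender can spot a tampered tree before an unpatched ack ever reads it. The inclusion of the `--regex` spelling alongside `--regexp` is an assumption (the MITRE reply quotes the Changes file using that form); the sample .ackrc contents are constructed.

```python
"""Audit project-level .ackrc files for the options that ack 2.00-2.10
executed as code (CVE-2013-7069).  Added example, not ack's own code."""

from pathlib import Path
from typing import Dict, List, Optional, Tuple

# Options the bug report names as executable from a project .ackrc.
# "--regex" is included on the assumption that ack accepts that spelling
# for --regexp (the Changes file quoted by MITRE uses it); assumption.
DANGEROUS = {"--pager", "--output", "--regexp", "--regex"}


def parse_ackrc(text: str) -> List[str]:
    """Split an ackrc into its argument list.

    ackrc format: one argument per line; blank lines and lines whose first
    non-blank character is '#' are comments and are skipped.
    """
    args = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        args.append(line)
    return args


def find_dangerous(args: List[str]) -> List[Tuple[str, Optional[str]]]:
    """Return (option, value) pairs for every dangerous option in args.

    Both the "--output=CODE" form and the two-line "--output" / "CODE" form
    are handled, because each ackrc line is a separate argument.  A bare
    option at end of file is reported with value None.
    """
    found = []
    i = 0
    while i < len(args):
        name, sep, value = args[i].partition("=")
        if name in DANGEROUS:
            if sep:
                found.append((name, value))
            else:
                nxt = args[i + 1] if i + 1 < len(args) else None
                found.append((name, nxt))
                i += 1  # the value line has been consumed
        i += 1
    return found


def audit_tree(root: Path) -> Dict[str, List[Tuple[str, Optional[str]]]]:
    """Walk root and map every .ackrc holding a dangerous option to its hits."""
    report = {}
    for rc in root.rglob(".ackrc"):
        hits = find_dangerous(parse_ackrc(rc.read_text(errors="replace")))
        if hits:
            report[str(rc.relative_to(root))] = hits
    return report


# Constructed sample: a project ackrc that only tunes file types and dirs.
SAFE_ACKRC = """# constructed sample, harmless
--type-add=ruby:ext:rake
--ignore-dir=vendor
"""

# Constructed sample: the same kind of file smuggling a pager command and an
# --output expression (values here are benign placeholders).
SUSPICIOUS_ACKRC = """# constructed sample, flags two executable options
--ignore-dir=build
--pager=less -R
--output
$&
"""

if __name__ == "__main__":
    import sys
    root = Path(sys.argv[1]) if len(sys.argv) > 1 else Path(".")
    for path, hits in audit_tree(root).items():
        for opt, val in hits:
            print(f"{path}: {opt} = {val!r}")
```

Run it with the checkout directory as its argument; every reported line is a project-level .ackrc that an ack older than 2.12 would have acted on. Leaving such a file in place is safe once ack 2.12 or later is installed, since that release ignores the three options from project files, but the report is still worth a look because the file had no legitimate reason to carry them.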

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>:
Bug#731848; Package ack-grep. (Tue, 10 Dec 2013 14:03:07 GMT)


Acknowledgement sent to Axel Beckert <abe@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>. (Tue, 10 Dec 2013 14:03:07 GMT)


Message #15 received at 731848@bugs.debian.org:

From: Axel Beckert <abe@debian.org>
To: Andy Lester <andy@petdance.com>
Cc: oss-security@lists.openwall.com, Debian Security Team <team@security.debian.org>, 731848@bugs.debian.org
Subject: Re: CVE request for remote code execution in ack
Date: Tue, 10 Dec 2013 15:00:59 +0100
Hi Andy,

Andy Lester wrote:
> On Dec 10, 2013, at 7:46 AM, Axel Beckert <abe@debian.org> wrote:
> > as discussed with Salvatore Bonaccorso of the Debian Security Team
> > (team cc'ed), I'm herewith requesting a CVE ID for the following
> > security issue in ack (http://beyondgrep.com/, also known as ack-grep
> > in multiple distributions; upstream developer cc'ed):
> 
> Is there anything you need me to do?

It would be nice if you could add the CVE-ID to the Changes file of
ack retroactively as soon as it's known so that it's part of the
Changes file in further ack releases.

		Regards, Axel
-- 
 ,''`.  |  Axel Beckert <abe@debian.org>, http://people.debian.org/~abe/
: :' :  |  Debian Developer, ftp.ch.debian.org Admin
`. `'   |  1024D: F067 EA27 26B9 C3FC 1486  202E C09E 1D89 9593 0EDE
  `-    |  4096R: 2517 B724 C5F6 CA99 5329  6E61 2FF9 CD59 6126 16B5



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>:
Bug#731848; Package ack-grep. (Tue, 10 Dec 2013 14:06:05 GMT)


Acknowledgement sent to Andy Lester <andy@petdance.com>:
Extra info received and forwarded to list. Copy sent to Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>. (Tue, 10 Dec 2013 14:06:05 GMT)


Message #20 received at 731848@bugs.debian.org:

From: Andy Lester <andy@petdance.com>
To: Axel Beckert <abe@debian.org>
Cc: oss-security@lists.openwall.com, Debian Security Team <team@security.debian.org>, 731848@bugs.debian.org
Subject: Re: CVE request for remote code execution in ack
Date: Tue, 10 Dec 2013 08:01:31 -0600
On Dec 10, 2013, at 8:00 AM, Axel Beckert <abe@debian.org> wrote:

> It would be nice if you could add the CVE-ID to the Changes file of
> ack retroactively as soon as it's known so that it's part of the
> Changes file in further ack releases.


OK.  Just help me through this and I’ll do what needs to be done.  I’m glad to do whatever is necessary to help y’all.

xoa

--
Andy Lester => andy@petdance.com => www.petdance.com => AIM:petdance


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>:
Bug#731848; Package ack-grep. (Tue, 10 Dec 2013 14:21:05 GMT)


Acknowledgement sent to Andy Lester <andy@petdance.com>:
Extra info received and forwarded to list. Copy sent to Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>. (Tue, 10 Dec 2013 14:21:05 GMT)


Message #25 received at 731848@bugs.debian.org:

From: Andy Lester <andy@petdance.com>
To: Axel Beckert <abe@debian.org>
Cc: oss-security@lists.openwall.com, Debian Security Team <team@security.debian.org>, 731848@bugs.debian.org
Subject: Re: CVE request for remote code execution in ack
Date: Tue, 10 Dec 2013 07:55:44 -0600
On Dec 10, 2013, at 7:46 AM, Axel Beckert <abe@debian.org> wrote:

> Hi,
> 
> as discussed with Salvatore Bonaccorso of the Debian Security Team
> (team cc'ed), I'm herewith requesting a CVE ID for the following
> security issue in ack (http://beyondgrep.com/, also known as ack-grep
> in multiple distributions; upstream developer cc'ed):

Is there anything you need me to do?

--
Andy Lester => andy@petdance.com => www.petdance.com => AIM:petdance


Reply sent to Axel Beckert <abe@debian.org>:
You have taken responsibility. (Tue, 10 Dec 2013 21:21:11 GMT)


Notification sent to Axel Beckert <abe@debian.org>:
Bug acknowledged by developer. (Tue, 10 Dec 2013 21:21:11 GMT)


Message #30 received at 731848-close@bugs.debian.org:

From: Axel Beckert <abe@debian.org>
To: 731848-close@bugs.debian.org
Subject: Bug#731848: fixed in ack-grep 2.12-1
Date: Tue, 10 Dec 2013 21:19:02 +0000
Source: ack-grep
Source-Version: 2.12-1

We believe that the bug you reported is fixed in the latest version of
ack-grep, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 731848@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Axel Beckert <abe@debian.org> (supplier of updated ack-grep package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Tue, 10 Dec 2013 21:36:18 +0100
Source: ack-grep
Binary: ack-grep
Architecture: source all
Version: 2.12-1
Distribution: unstable
Urgency: high
Maintainer: Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>
Changed-By: Axel Beckert <abe@debian.org>
Description: 
 ack-grep   - grep-like program specifically for large source trees
Closes: 731848
Changes: 
 ack-grep (2.12-1) unstable; urgency=high
 .
   * New upstream security fix release
     + Disables --pager, --output and --regexp in per-project .ackrc files.
       Closes: #731848
     + Refresh patch app-rename.
   * Bump Standards-Version to 3.9.5 (no changes).
Checksums-Sha1: 
 424ca488691450174871e26266dbf639f891fb11 1427 ack-grep_2.12-1.dsc
 62e0871fadef0781fcfee8c4935f0206c865d88c 219614 ack-grep_2.12.orig.tar.gz
 35ea8dfbe1a4d0e5550be07198a238dd783900c3 17438 ack-grep_2.12-1.debian.tar.gz
 86cd20566b90d574cee23a37988d9a2aad7a28e0 63560 ack-grep_2.12-1_all.deb
Checksums-Sha256: 
 53176e8caa361fcaff5d694dec59de6edb0bfbdea8511992ee513d8f1f3db4d4 1427 ack-grep_2.12-1.dsc
 52f2d37bc2570d947171f10059d6ed4f0f23413849a546ca202b6e17debb7d2b 219614 ack-grep_2.12.orig.tar.gz
 bfeaa93a593580ed32d42b7b563aeeae6b3c2f17e422252abd2be55cb463cb1d 17438 ack-grep_2.12-1.debian.tar.gz
 52aace8c7b46d0fa1f006b5a23955399db6147cd29546c10c6641208670258a5 63560 ack-grep_2.12-1_all.deb
Files: 
 1ce4c4fdd2604bb57e29173e7e2645bc 1427 utils optional ack-grep_2.12-1.dsc
 11e886ab0ec72173869a82e59227ddf2 219614 utils optional ack-grep_2.12.orig.tar.gz
 95d4edd0055b26dbbf5ab0c27150d3f5 17438 utils optional ack-grep_2.12-1.debian.tar.gz
 0d3c9f3c64251a15dd3417dd8e22ddcb 63560 utils optional ack-grep_2.12-1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.15 (GNU/Linux)

iEYEARECAAYFAlKngJQACgkQwJ4diZWTDt4I4gCeIe2rQbtnbfuxG+UXlR/g5lmR
ErUAn3LrWgiUSWc4KzAIbwz2dg8fcm/8
=hIZH
-----END PGP SIGNATURE-----




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>:
Bug#731848; Package ack-grep. (Thu, 12 Dec 2013 05:03:04 GMT)


Acknowledgement sent to cve-assign@mitre.org:
Extra info received and forwarded to list. Copy sent to Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>. (Thu, 12 Dec 2013 05:03:05 GMT)


Message #35 received at 731848@bugs.debian.org:

From: cve-assign@mitre.org
To: carnil@debian.org
Cc: cve-assign@mitre.org, oss-security@lists.openwall.com, abe@debian.org, team@security.debian.org, 731848@bugs.debian.org, andy@petdance.com
Subject: Re: CVE Request: ack-grep: potential remote code execution via per-project .ackrc files
Date: Wed, 11 Dec 2013 23:49:57 -0500 (EST)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> This version of ack prevents the --pager, --regex and --output
> options from being used from project-level ackrc files.  It is
> possible to execute malicious code with these options

Use CVE-2013-7069.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (SunOS)

iQEcBAEBAgAGBQJSqT/wAAoJEKllVAevmvms2mUH+gMG97hD1ieJnU8eDSBz2jTP
ZOy+PH/QzLcaSEtFrPG7ge9SfY8sowGGpTQPPyMI08zAdWZNlPCKzi/Y0Od0tohv
dxkXwUoluY/KGvpoUD1doVGf49mGNTfP7x/KxIdYQn/0aMTOQ9uf95QA640AV3k9
kKTdUiCBs3pvQ0yT//euC0nQMEUC+cWzs6DvDtckAyGc2Dn53MLTSlL2jx3fkrvj
JM/kDaWB3yebdF0anDbrnq6lDSo+XfoTie4XQgHU+AMCopVYYXryipK2xt95DKtW
SwXZnBMjeWtcQMV1i0E5awL5GFEkA20sUMBcc/aDadQMGuBTcL9dn/lzhPvEy8E=
=7136
-----END PGP SIGNATURE-----



Changed Bug title to 'ack-grep: CVE-2013-7069: potential remote code execution via per-project .ackrc files' from 'ack-grep: potential remote code execution via per-project .ackrc files'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 12 Dec 2013 06:33:05 GMT)


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 10 Jan 2014 07:31:30 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 17:10:10 2019; Machine Name: beach
