Home page logo
/

oss-sec logo oss-sec mailing list archives

Fwd: [[Weechat-security] Security vulnerability in WeeChat 0.3.0 -> 0.3.9.1]
From: Guido Berhoerster <guido+openwall.com () berhoerster name>
Date: Mon, 19 Nov 2012 10:57:21 +0100

Hi,

the weechat issue below should get a CVE, it describes a shell
injection vulnerability that affects weechat plugins using the
hook_process function.
In addtion, upstream has a bug report at
https://savannah.nongnu.org/bugs/?37764 and the actual fix which
is included in 0.3.9.2 is at
http://git.savannah.gnu.org/gitweb/?p=weechat.git;a=commitdiff_plain;h=efb795c74fe954b9544074aafcebb1be4452b03a

----- Forwarded message from FlashCode <flashcode () flashtux org> -----

Date: Sun, 18 Nov 2012 14:18:12 +0100
From: FlashCode <flashcode () flashtux org>
To: weechat-security () nongnu org
Message-ID: <20121118131811.GH29073 () flashtux org>
Subject: [Weechat-security] Security vulnerability in WeeChat 0.3.0 ->
        0.3.9.1

Hi all,

A security vulnerability has been fixed in WeeChat 0.3.9.2.
This problem affects all versions from 0.3.0 to 0.3.9.1.

Untrusted command for function hook_process could lead to execution of
commands, because of shell expansions.

This problem is only caused by some scripts calling function
hook_process (giving untrusted command), but the problem has been
fixed in WeeChat, for maximum safety: WeeChat will not use the shell
any more to execute command.

If you are not using any script calling function hook_process, you are
not concerned by this problem.

For more info, visit the WeeChat security page:
http://weechat.org/security/

--
Cordialement / Best regards
S├ębastien.

web: flashtux.org / weechat.org      mail: flashcode () flashtux org
irc: FlashCode @ irc.freenode.net    xmpp: flashcode () jabber fr



----- End forwarded message -----

-- 
Guido Berhoerster


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]