openSUSE Security Update : ack (openSUSE-SU-2014:0142-1)

Medium Nessus Plugin ID 75410


The remote openSUSE host is missing a security update.


- update to ack 2.12: fixes potential remote code execution via per-project .ackrc files [bnc#855340] [CVE-2013-7069]

- prevents the --pager, --regex and --output options from being used from project-level ackrc files, preventing possible code execution when using ack through malicious files

- --pager, --regex and --output options may still be used from the global /etc/ackrc, your own private ~/.ackrc, the ACK_OPTIONS environment variable, and of course from the command line.

- Now ignores Eclipse .metadata directory.

- includes changes form 2.11_02 :

- upstream source mispackaging fix

- includes changes from 2.11_01

- Fixed a race condition in t/file-permission.t that was causing failures if tests were run in parallel.

- includes changes from 2.10 :

- Add --perltest for *.t files

- Added Matlab support

- More compatibility fixes for Perl 5.8.8.

- includes changes from 2.08

- ack now ignores CMake's build/cache directories by default

- Add shebang matching for --lua files

- Add documentation for --ackrc

- Add Elixir filetype

- Add --cathy option

- Add some helpful debugging tips when an invalid option is found

- Ignore PDF files by default, because Perl will detect them as text

- Ignore .gif, .jpg, .jpeg and .png files. They won't normally be selected, but this is an optimization so that ack doesn't have to open them to know

- Ack's colorizing of output would get confused with multiple sets of parentheses

- Ack would get confused when trying to colorize the output in DOS-format files

- includes changes from 2.05_01

- We now ignore the node_modules directories created by npm

- --pager without an argument implies --pager=$PAGER

- --perl now recognizes Plack-style .psgi files

- Added filetypes for Coffescript, JSON, LESS, and Sass.

- Command-line options now override options set in ackrc files

- ACK_PAGER and ACK_PAGER_COLOR now work as advertised.

- Fix a bug resulting in uninitialized variable warnings when more than one capture group was specified in the search pattern

- Make sure ack is happy to build and test under cron and other console-less environments.

- packaging changes :

- run more rests with IO::Pty

- refresh ack-ignore-osc.patch for upstream changes

- update project URL

- port changes from devel:languages:perl ack by [email protected] :

- correct metadata: licence, CPAN download, homepage

- unset forced prefix - let Perl configuration and toolchain determine the prefix/install_base which will DTRT

- bash completion is gone, remove dead code

- modified patches :

- ack-ignore-osc.patch adjust for upstream source changes


Update the affected ack packages.

See Also

Plugin Details

Severity: Medium

ID: 75410

File Name: openSUSE-2014-87.nasl

Version: $Revision: 1.1 $

Type: local

Agent: unix

Published: 2014/06/13

Modified: 2014/06/13

Dependencies: 12634

Risk Information

Risk Factor: Medium


Base Score: 6.8

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P

Vulnerability Information

CPE: p-cpe:/a:novell:opensuse:ack, p-cpe:/a:novell:opensuse:perl-App-Ack, cpe:/o:novell:opensuse:13.1

Required KB Items: Host/local_checks_enabled, Host/SuSE/release, Host/SuSE/rpm-list

Patch Publication Date: 2014/01/20

Reference Information

CVE: CVE-2013-7069