openSUSE Security Update : ack (openSUSE-SU-2014:0142-1)
Medium Nessus Plugin ID 75410
Synopsis
The remote openSUSE host is missing a security update.
Description
- update to ack 2.12: fixes potential remote code execution via per-project .ackrc files [bnc#855340] [CVE-2013-7069]
- prevents the --pager, --regex and --output options from being used from project-level ackrc files, preventing possible code execution when using ack through malicious files
- --pager, --regex and --output options may still be used from the global /etc/ackrc, your own private ~/.ackrc, the ACK_OPTIONS environment variable, and of course from the command line.
- Now ignores Eclipse .metadata directory.
- includes changes from 2.11_02 :
- upstream source mispackaging fix
- includes changes from 2.11_01
- Fixed a race condition in t/file-permission.t that was causing failures if tests were run in parallel.
- includes changes from 2.10 :
- Add --perltest for *.t files
- Added Matlab support
- More compatibility fixes for Perl 5.8.8.
- includes changes from 2.08
- ack now ignores CMake's build/cache directories by default
- Add shebang matching for --lua files
- Add documentation for --ackrc
- Add Elixir filetype
- Add --cathy option
- Add some helpful debugging tips when an invalid option is found
- Ignore PDF files by default, because Perl will detect them as text
- Ignore .gif, .jpg, .jpeg and .png files. They won't normally be selected, but this is an optimization so that ack doesn't have to open them to know
- Ack's colorizing of output would get confused with multiple sets of parentheses
- Ack would get confused when trying to colorize the output in DOS-format files
- includes changes from 2.05_01
- We now ignore the node_modules directories created by npm
- --pager without an argument implies --pager=$PAGER
- --perl now recognizes Plack-style .psgi files
- Added filetypes for CoffeeScript, JSON, LESS, and Sass.
- Command-line options now override options set in ackrc files
- ACK_PAGER and ACK_PAGER_COLOR now work as advertised.
- Fix a bug resulting in uninitialized variable warnings when more than one capture group was specified in the search pattern
- Make sure ack is happy to build and test under cron and other console-less environments.
- packaging changes :
- run more tests with IO::Pty
- refresh ack-ignore-osc.patch for upstream changes
- update project URL
- port changes from devel:languages:perl ack by [email protected] :
- correct metadata: licence, CPAN download, homepage
- unset forced prefix - let Perl configuration and toolchain determine the prefix/install_base which will DTRT
- bash completion is gone, remove dead code
- modified patches :
- ack-ignore-osc.patch adjust for upstream source changes
Solution
Update the affected ack packages.