Security: Execution of arbitrary commands in evilvte
Name: Execution of arbitrary commands in evilvte
ID: 201708-07
Distribution: Gentoo
Platforms: Not specified
Date: Mon, 21 August 2017, 08:24
References: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=854585
Applications: evilvte

Original message
This is an OpenPGP/MIME signed message (RFC 4880 and 3156)
From: Thomas Deutschmann <whissi@gentoo.org>
Reply-To: security@gentoo.org
To: gentoo-announce@lists.gentoo.org
Message-ID: <2643c345-2c88-0cff-3556-4a0adb0513db@gentoo.org>
Subject: [ GLSA 201708-07 ] evilvte: User-assisted execution of arbitrary code
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 201708-07
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                           https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
 Severity: Normal
    Title: evilvte: User-assisted execution of arbitrary code
     Date: August 21, 2017
     Bugs: #611290
       ID: 201708-07
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
Improper hypertext validation might allow remote attackers to execute arbitrary code.
Background
==========
VTE based, highly customizable terminal emulator
Affected packages
=================
    -------------------------------------------------------------------
     Package              /     Vulnerable     /            Unaffected
    -------------------------------------------------------------------
  1  x11-terms/evilvte            < 0.5.1                  Vulnerable!
    -------------------------------------------------------------------
     NOTE: Certain packages are still vulnerable. Users should migrate
           to another package if one is available or wait for the
           existing packages to be marked stable by their
           architecture maintainers.
Description
===========
Steve Kemp of Debian identified a flaw in evilvte which does not properly validate hypertext links. Please review the Debian bug report referenced below.
Impact
======
Remote attackers could execute arbitrary code by enticing a user to click a hyperlink in their terminal.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
Gentoo Security recommends that users unmerge evilvte:
# emerge --unmerge "x11-terms/evilvte"
References
==========
[ 1 ] Debian Bug #854585
      https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=854585
Availability
============
This GLSA and any updates to it are available for viewing at the Gentoo Security Website:
https://security.gentoo.org/glsa/201708-07
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org.
License
=======
Copyright 2017 Gentoo Foundation, Inc; referenced text belongs to its owner(s).
The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5