A flaw was found in the way ack, a tool similar to grep, processed .ackrc files. If a local user ran ack in an attacker-controlled directory, it would lead to arbitrary code execution with the privileges of the user running ack.

This issue affects versions 2.00 to 2.10 (such as the version in Fedora 19), and should be fixed in version 2.12. It does not affect versions below 2.00 (such as those in EPEL). https://github.com/petdance/ack2/issues/414 also provides further restrictions.

References:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=731848
https://github.com/petdance/ack2/issues/399
https://metacpan.org/source/PETDANCE/ack-2.12/Changes
https://github.com/petdance/ack2/issues/414
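A pre-flight check for the condition described above, as an added example that is not part of the original report or of the ack project. The function names are hypothetical, and two points are assumptions not stated in the report: that ack also reads a project file named _ackrc, and that it picks up project files from parent directories of the working directory.

```shell
#!/bin/sh
# Added example. Function names are hypothetical, not part of ack.

# Succeeds (exit 0) when VERSION lies in the 2.00 to 2.10 range the report
# names as affected; exit 1 otherwise; exit 2 when VERSION cannot be parsed.
ack_version_affected() {
    case "$1" in *.*) ;; *) return 2 ;; esac
    major=${1%%.*}
    minor=${1#*.}
    minor=${minor%%[!0-9]*}          # drop any suffix after the minor number
    case "$major" in ''|*[!0-9]*) return 2 ;; esac
    [ -n "$minor" ] || return 2
    [ "$major" -eq 2 ] && [ "$minor" -le 10 ]
}

# Prints every project rc file, from DIR up to /, whose owner is not
# TRUSTED_UID (default: the invoking user). Exit 0 if any was printed.
# Assumption: _ackrc and parent-directory lookup, see the lead-in.
foreign_ackrc() {
    dir=$(cd -- "${1:-.}" && pwd -P) || return 2
    trusted=${2:-$(id -u)}
    rc=1
    while :; do
        for f in "$dir/.ackrc" "$dir/_ackrc"; do
            [ -f "$f" ] || continue
            owner=$(ls -ldn -- "$f" | awk '{print $3}')   # numeric owner uid
            if [ "$owner" != "$trusted" ]; then
                printf '%s\n' "$f"
                rc=0
            fi
        done
        [ "$dir" = / ] && break
        dir=$(dirname -- "$dir")
    done
    return "$rc"
}

# Typical use before searching an unfamiliar tree with an affected ack:
#   foreign_ackrc . && echo "project rc file owned by another user; inspect it first"
```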
CVE request: http://www.openwall.com/lists/oss-security/2013/12/10/10
Created ack tracking bugs for this issue:

Affects: fedora-19 [bug 1040229]
ack-2.12-1.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
ack-2.12-1.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.