A security flaw was found in the way osc, the Python language based command line client for the openSUSE build service, displayed build logs and build status for a particular build. A rogue repository server could use this flaw to modify the window's title, or possibly execute arbitrary commands or overwrite files, via a specially-crafted build log or build status output containing an escape sequence for a terminal emulator.

References: [1] https://bugzilla.novell.com/show_bug.cgi?id=749335
CVE request: [2] http://www.openwall.com/lists/oss-security/2012/02/28/9
The CVE identifier of CVE-2012-1095 has been assigned to this issue: [3] http://www.openwall.com/lists/oss-security/2012/03/02/2
Once there is a final upstream patch, please schedule updates for the versions of the osc package as shipped with Fedora 15, Fedora 16 and Fedora EPEL 6.
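The mitigation for this class of bug is to treat build-log and build-status text from the server as untrusted and strip terminal control sequences before writing it to the user's terminal. The following is an added illustration, not osc's own fix or code from the upstream patch; it assumes a plain Python client that writes the server's text to stdout, and the sample log is constructed.

```python
import re

# Sequences a terminal emulator acts on. Both the 7-bit (ESC-introduced) and the
# 8-bit C1 forms are covered (assumption: the text was decoded as str, so C1
# controls appear as code points U+0080-U+009F).
_CSI = r"(?:\x1b\[|\x9b)[0-?]*[ -/]*[@-~]"              # ESC [ params ; inter ; final
_OSC = r"(?:\x1b\]|\x9d)[^\x07\x1b\x9c\n]*(?:\x07|\x1b\\|\x9c)"  # ESC ] ... BEL/ST (e.g. title set)
_ESC_OTHER = r"\x1b[@-_]"                                # any other two-byte ESC Fe sequence
_C1_OTHER = r"[\x80-\x9f]"                               # remaining 8-bit controls
_ESCAPE_RE = re.compile(f"(?:{_CSI}|{_OSC}|{_ESC_OTHER}|{_C1_OTHER})")

# C0 controls other than tab, newline and carriage return (this also drops a
# lone ESC left over from an unterminated or unrecognised sequence).
_OTHER_CTRL_RE = re.compile(r"[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]")


def find_escape_sequences(text: str) -> list:
    """Return the raw escape sequences found in text, e.g. to log or alert on a
    server that is sending them where none are expected."""
    return _ESCAPE_RE.findall(text)


def sanitize_terminal_output(text: str) -> str:
    """Return text that is safe to write to a terminal: escape sequences and
    stray control characters removed, printable text and line breaks kept."""
    text = _ESCAPE_RE.sub("", text)
    return _OTHER_CTRL_RE.sub("", text)


# Constructed build log: plain lines interleaved with a window-title OSC,
# colour CSIs and an 8-bit CSI clear-screen, as a rogue server might send.
SAMPLE_BUILD_LOG = (
    "[   12s] gcc -O2 -c foo.c\n"
    "\x1b]0;pwned\x07"
    "[   13s] \x1b[31merror:\x1b[0m bar.c:7: undefined reference\n"
    "\x9b2J"
    "[   14s] build succeeded\n"
)

if __name__ == "__main__":
    for seq in find_escape_sequences(SAMPLE_BUILD_LOG):
        print("dropped sequence:", repr(seq))
    print(sanitize_terminal_output(SAMPLE_BUILD_LOG), end="")
```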
Created osc tracking bugs for this issue

Affects: fedora-all [bug 799226]
Affects: epel-6 [bug 799227]