Bug 976684 - (CVE-2013-2208) CVE-2013-2208 tpp: Possibility of arbitrary code execution when processing untrusted TPP template
Status: NEW
Product: Security Response
Classification: Other
Component: vulnerability
All Linux
medium Severity medium
Assigned To: Red Hat Product Security
: Security
Depends On: 976686 976687
Reported: 2013-06-21 03:53 EDT by Jan Lieskovsky
Modified: 2014-02-17 15:44 EST
Doc Type: Bug Fix

Attachments
Local copy of Debian patch from (1.85 KB, patch)
2013-06-21 03:55 EDT, Jan Lieskovsky

Description Jan Lieskovsky 2013-06-21 03:53:27 EDT
A security flaw was found in the way tpp, an ncurses-based presentation tool, processed TPP templates containing an --exec clause (input provided as an argument of the --exec clause would be immediately executed without requesting a second confirmation from the user). A remote attacker could provide a specially-crafted text presentation program (TPP) template that, when processed with the tpp binary, would lead to arbitrary code execution with the privileges of the user running the tpp executable.


Relevant patch from Debian distribution (adds a requirement for the user to explicitly confirm code execution is desired):
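
Added example, not part of the bug report and not the Debian patch: a pre-flight check, written in Ruby, that lists any `--exec` directives in a TPP template before it is opened and can produce a copy with them disabled. It assumes a directive sits on its own line beginning with `--exec`; the function names and the sample template are constructed for illustration.

```ruby
# Added example: audit a TPP template for --exec directives before opening it.
# Assumption: a directive occupies its own line and starts with "--exec".

ExecHit = Struct.new(:line_no, :command)

# Return every --exec directive in the template text, with its line number
# and the command that would be handed to the shell.
def find_exec_directives(template)
  hits = []
  template.each_line.with_index(1) do |raw, line_no|
    line = raw.chomp
    next unless line =~ /\A--exec(?:\s+(.*))?\z/
    hits << ExecHit.new(line_no, ($1 || "").strip)
  end
  hits
end

# Return a copy of the template in which every --exec line is turned into
# inert text, so the file can be previewed without any command being run.
def neutralize_exec(template)
  template.each_line.map do |raw|
    raw.sub(/\A--exec\b/, "[exec disabled]")
  end.join
end

# Constructed sample template (not taken from the bug report).
SAMPLE = <<~TPP
  --title Quarterly review
  --author Example Author
  --newpage intro
  Welcome
  --exec echo constructed-sample-command
  --newpage end
  Text that mentions --exec in the middle of a line
TPP

if __FILE__ == $PROGRAM_NAME
  find_exec_directives(SAMPLE).each do |hit|
    puts "line #{hit.line_no}: would execute: #{hit.command}"
  end
end
```

Running the audit over templates received from others shows exactly which commands an unpatched tpp would run without asking.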
Comment 1 Jan Lieskovsky 2013-06-21 03:55:07 EDT
Created attachment 763691
Local copy of Debian patch from
Comment 2 Jan Lieskovsky 2013-06-21 03:56:21 EDT
This issue affects the versions of the tpp package, as shipped with Fedora releases 17 and 18. Please schedule an update.


This issue affects the version of the tpp package, as shipped with Fedora EPEL 6. Please schedule an update.
Comment 3 Jan Lieskovsky 2013-06-21 03:57:11 EDT
Created tpp tracking bugs for this issue

Affects: fedora-all [bug 976686]
Affects: epel-6 [bug 976687]
Comment 4 Jan Lieskovsky 2013-06-21 04:05:13 EDT
GitHub patch link:
Comment 5 Jan Lieskovsky 2013-06-21 04:11:11 EDT
CVE Request:
Comment 6 Vincent Danen 2013-06-21 13:04:49 EDT
This issue was assigned the name CVE-2013-2208 as per
