A security flaw was found in the way tpp, a ncurses-based presentation tool, processed TPP templates containing --exec clause (input provided as an argument of the --exec clause would be immediately executed without requesting a second confirmation from the user). A remote attacker could provide a specially-crafted text presentation program (TPP) template that, when processed with the tpp binary would lead to arbitrary code execution with the privileges of the user running the tpp executable.
Relevant patch from Debian distribution (adds requirement
the user to explicitly confirm code execution is desired):
Created attachment 763691 [details]
Local copy of Debian patch from http://patch-tracker.debian.org/patch/series/view/tpp/1.3.1-3/15-optional-exec.patch
This issue affects the versions of the tpp package, as shipped with Fedora release of 17 and 18. Please schedule an update.
This issue affects the version of the tpp package, as shipped with Fedora EPEL 6. Please schedule an update.
Created tpp tracking bugs for this issue
Affects: fedora-all [bug 976686]
Affects: epel-6 [bug 976687]
GitHub patch link:
This issue was assigned the name CVE-2013-2208 as per http://seclists.org/oss-sec/2013/q2/609