When fwsnort was run as a non-root user, it opened the fwsnort.conf file from the current working directory if a configuration file was not explicitly specified. The configuration file can specify a directory to load libraries from, so this would have been an issue if running fwsnort in an attacker-controlled directory.
Michael Rash has released fwsnort-1.6.4 to fix this issue:
http://www.cipherdyne.org/fwsnort/download/
https://github.com/mrash/fwsnort/blob/master/ChangeLog
Upstream CVE-2014-0039 fix:
https://github.com/mrash/fwsnort/commit/fa977453120cc48e1654f373311f9cac468d3348
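One way a tool can avoid the class of problem described above, shown as an added example that is not fwsnort's code and not the upstream fix: resolve the configuration only from an explicit path or a fixed default, never from the working directory, and refuse any file that another user could modify. The function names are hypothetical and the default path `/etc/fwsnort/fwsnort.conf` is an assumption.

```python
import os
import stat
import tempfile

DEFAULT_CONF = "/etc/fwsnort/fwsnort.conf"  # assumed system-wide location

class UntrustedConfig(Exception):
    """The config file or its directory can be modified by another user."""

def check_trusted(path, uid=None):
    """Return the resolved path if only root or `uid` can modify it."""
    uid = os.getuid() if uid is None else uid
    real = os.path.realpath(path)
    if not stat.S_ISREG(os.stat(real).st_mode):
        raise UntrustedConfig(f"{real}: not a regular file")
    # Check the file and the directory that holds it: a writable directory
    # lets another user swap the file after the check.
    for p in (real, os.path.dirname(real)):
        st = os.stat(p)
        if st.st_uid not in (0, uid):
            raise UntrustedConfig(f"{p}: owned by uid {st.st_uid}")
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            raise UntrustedConfig(f"{p}: group- or world-writable")
    return real

def resolve_config(explicit=None, default=DEFAULT_CONF):
    """Use the explicitly given path or the fixed default, never ./fwsnort.conf."""
    return check_trusted(explicit if explicit is not None else default)

def demo():
    """Constructed scenario: a planted ./fwsnort.conf next to a trusted default."""
    planted_dir, good_dir = tempfile.mkdtemp(), tempfile.mkdtemp()
    planted = os.path.join(planted_dir, "fwsnort.conf")
    good = os.path.join(good_dir, "fwsnort.conf")
    for p in (planted, good):
        with open(p, "w") as fh:
            fh.write("# constructed sample config\n")
    os.chmod(planted, 0o666)   # anyone may rewrite it
    os.chmod(good, 0o600)
    os.chdir(planted_dir)      # run from the untrusted directory
    chosen = resolve_config(default=good)   # the cwd copy is never considered
    try:
        resolve_config(explicit=planted)
        rejected = False
    except UntrustedConfig:
        rejected = True
    return chosen == os.path.realpath(good), rejected

if __name__ == "__main__":
    print(demo())
```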
Created fwsnort tracking bugs for this issue:
Affects: fedora-all [bug 1060603]
Affects: epel-all [bug 1060604]
fwsnort-1.6.4-1.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
fwsnort-1.6.4-1.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.
fwsnort-1.6.4-1.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.