Posted: Sun Oct 16, 2011 6:26 pm
Post subject: [ GLSA 201110-08 ] feh: Multiple vulnerabilities
Gentoo Linux Security Advisory
Title: feh: Multiple vulnerabilities (GLSA 201110-08)
Exploitable: local, remote
Date: October 13, 2011
Bug(s): #325531, #354063
Multiple vulnerabilities were found in feh, the worst of which
leads to remote passive code execution.
feh is a fast, lightweight image viewer using imlib2.
Vulnerable: < 1.12
Unaffected: >= 1.12
Architectures: All supported architectures
Multiple vulnerabilities have been discovered in feh. Please review the
CVE identifiers referenced below for details.
A malicious entity might entice a user to visit a URL using the
--wget-timestamp option, thus executing arbitrary commands via shell
metacharacters; a malicious local user could perform a symlink attack and
overwrite arbitrary files.
There is no known workaround at this time.
All feh users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=media-gfx/feh-1.12"