Joined: 12 May 2004
|Posted: Wed May 28, 2014 7:26 am Post subject: [ GLSA 201405-28 ] xmonad-contrib: Arbitrary code execution
|Gentoo Linux Security Advisory
Title: xmonad-contrib: Arbitrary code execution (GLSA 201405-28)
Date: May 28, 2014
A remote command injection vulnerability has been discovered in
xmonad-contrib is a set of third party tiling algorithms,
configurations, and scripts for xmonad.
Vulnerable: < 0.11.2
Unaffected: >= 0.11.2
Architectures: All supported architectures
A vulnerability in the Xmonad.Hooks.DynamicLog module could allow a
malicious website with a specially crafted title to inject commands into
the title bar which would be executed when the bar is clicked.
A remote attacker could possibly execute arbitrary code with the
privileges of the process or cause a Denial of
There is no known workaround at this time.
All xmonad-contrib users should upgrade to the latest version:
|# emerge --sync
# emerge --ask --oneshot --verbose ">=x11-wm/xmonad-contrib-0.11.2"
Last edited by GLSA on Tue Jun 03, 2014 4:33 am; edited 2 times in total