Posted: Sun Oct 16, 2011 6:26 pm Post subject: [ GLSA 201110-08 ] feh: Multiple vulnerabilities
Gentoo Linux Security Advisory
Title: feh: Multiple vulnerabilities (GLSA 201110-08)
Severity: high
Exploitable: local, remote
Date: October 13, 2011
Bug(s): #325531, #354063
ID: 201110-08
Synopsis
Multiple vulnerabilities were found in feh, the worst of which
leads to remote passive code execution.
Background
feh is a fast, lightweight image viewer using imlib2.
Affected Packages
Package: media-gfx/feh
Vulnerable: < 1.12
Unaffected: >= 1.12
Architectures: All supported architectures
Description
Multiple vulnerabilities have been discovered in feh. Please review the
CVE identifiers referenced below for details.
Impact
A malicious entity might entice a user to visit a URL using the
--wget-timestamp option, thus executing arbitrary commands via shell
metacharacters; a malicious local user could perform a symlink attack and
overwrite arbitrary files.
Workaround
There is no known workaround at this time.
Resolution
All feh users should upgrade to the latest version:
Code:
# emerge --sync
# emerge --ask --oneshot --verbose ">=media-gfx/feh-1.12"
References
CVE-2010-2246
CVE-2011-0702
CVE-2011-1031
Last edited by GLSA on Tue Sep 02, 2014 4:29 am; edited 2 times in total
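The first impact listed above is what happens when a program pastes a URL into a command string and hands it to a shell. The following is an added example, not feh's code and not part of the advisory, that contrasts that pattern with direct execution; the function names are hypothetical and `true` stands in for the downloader so it runs offline.

```c
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Decode a wait status into an exit code, or -1 if the child did not exit normally. */
static int exit_code(int status) {
    return (status != -1 && WIFEXITED(status)) ? WEXITSTATUS(status) : -1;
}

/* VULNERABLE pattern: the URL is pasted into a string that /bin/sh parses,
 * so any shell metacharacters in the URL become shell syntax. */
int fetch_via_shell(const char *fetcher, const char *url) {
    char cmd[1024];
    int n = snprintf(cmd, sizeof cmd, "%s %s", fetcher, url);
    if (n < 0 || (size_t)n >= sizeof cmd)
        return -1;                 /* refuse truncated commands */
    return exit_code(system(cmd));
}

/* HARDENED pattern: no shell is involved. The URL is exactly one argv
 * element, and "--" stops a URL starting with '-' being read as an option. */
int fetch_no_shell(const char *fetcher, const char *url) {
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        char *const argv[] = { (char *)fetcher, "--", (char *)url, NULL };
        execvp(fetcher, argv);
        _exit(127);                /* exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return exit_code(status);
}

int main(void) {
    /* Constructed input: a URL whose tail is shell syntax ("; exit 3"). */
    const char *url = "http://example.invalid/a.png; exit 3";
    printf("via shell: %d\n", fetch_via_shell("true", url));
    printf("no shell:  %d\n", fetch_no_shell("true", url));
    return 0;
}
```

With the shell variant the exit status comes from the text after the `;`, not from the stand-in downloader; with the argv variant the whole URL reaches the program as one inert argument.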