GLSA Advocate
Joined: 12 May 2004 Posts: 2663
|
Posted: Wed May 28, 2014 7:26 am Post subject: [ GLSA 201405-28 ] xmonad-contrib: Arbitrary code execution |
|
|
Gentoo Linux Security Advisory
Title: xmonad-contrib: Arbitrary code execution (GLSA 201405-28)
Severity: normal
Exploitable: remote
Date: May 28, 2014
Bug(s): #478288
ID: 201405-28
Synopsis
A remote command injection vulnerability has been discovered in
xmonad-contrib.
Background
xmonad-contrib is a set of third party tiling algorithms,
configurations, and scripts for xmonad.
Affected Packages
Package: x11-wm/xmonad-contrib
Vulnerable: < 0.11.2
Unaffected: >= 0.11.2
Architectures: All supported architectures
Description
A vulnerability in the Xmonad.Hooks.DynamicLog module could allow a
malicious website with a specially crafted title to inject commands into
the title bar which would be executed when the bar is clicked.
Impact
A remote attacker could possibly execute arbitrary code with the
privileges of the process or cause a Denial of
Service condition.
Workaround
There is no known workaround at this time.
Resolution
All xmonad-contrib users should upgrade to the latest version: Code: | # emerge --sync
# emerge --ask --oneshot --verbose ">=x11-wm/xmonad-contrib-0.11.2"
|
References
CVE-2013-1436
Last edited by GLSA on Tue Jun 03, 2014 4:33 am; edited 2 times in total |
|