Security hole in ack versions 2.00 to 2.11_02


Andy Lester

Dec 13, 2013, 12:29:56 AM

Security hole in ack versions 2.00 to 2.11_02.

Please upgrade to ack 2.12 ASAP.

ack is a grep-like tool that is specifically created to make searching source code easier. One of the features added in ack 2.00 was the ability to have command line options in per-project .ackrc files. This has led to a serious security hole.

The --pager, --regex and --output options are powerful tools for users to manage the output of ack, but with carefully crafted parameters, they can be used to execute arbitrary code.

An attacker could create a .ackrc file with malicious --pager, --regex or --output options that would get used by ack. The malicious .ackrc could be put into code that a user would download and search with ack, and an unsuspecting user would then execute these options without realizing it. This malicious .ackrc could be, for example, in a source code tarball, or a checkout of a project from a code hosting site like GitHub or SourceForge.

ack 2.12 has solved this problem by disallowing the --pager, --regex or --output options in a per-project .ackrc file. They are still allowed in a global ackrc file, your own personal .ackrc file, the ACK_OPTIONS environment variable, and on the command line.

ack versions before 2.00 are not affected by this security hole.

Please see the ack installation page ( for information on how to install ack for your system.

Andy Lester => => => AIM:petdance
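An added example, not part of the original announcement or of ack itself: a small audit script that walks a downloaded source tree and reports any `.ackrc` that sets `--pager`, `--regex` or `--output`, the three options named above. It assumes project files are named `.ackrc`, hold one option per line, and use `#` for comment lines; the function names and the sample content are constructed for illustration.

```python
import os
import re
import sys

# Option names as listed in the advisory; ack 2.12 rejects them in a project .ackrc.
RISKY = ("--pager", "--regex", "--output")
# Match the bare option, or the option followed by "=" or whitespace and a value.
RISKY_RE = re.compile(r"^(%s)(?=$|[=\s])" % "|".join(re.escape(o) for o in RISKY))

# Constructed sample .ackrc content with placeholder values (not from a real project).
SAMPLE = """# project settings
--type-set=conf:ext:cfg
--pager=PLACEHOLDER_COMMAND
  --output=PLACEHOLDER_EXPRESSION
#--regex=commented-out
--ignore-dir=build
"""

def scan_text(text):
    """Return [(line_number, option, stripped_line)] for risky options in ackrc text."""
    hits = []
    for number, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):  # skip blank lines and comments
            continue
        match = RISKY_RE.match(line)
        if match:
            hits.append((number, match.group(1), line))
    return hits

def scan_tree(root):
    """Walk root and return [(path, line_number, option, line)] for every .ackrc found."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        if ".ackrc" in files:
            path = os.path.join(dirpath, ".ackrc")
            with open(path, encoding="utf-8", errors="replace") as handle:
                for number, option, line in scan_text(handle.read()):
                    hits.append((path, number, option, line))
    return hits

if __name__ == "__main__":
    # Usage: python check_ackrc.py <unpacked-source-dir>; exits 1 if anything is flagged.
    found = scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".")
    for path, number, option, line in found:
        print(f"{path}:{number}: {option} set in project ackrc: {line}")
    sys.exit(1 if found else 0)
```

Run it against an unpacked tarball or fresh checkout before searching it with an ack version older than 2.12.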
