Security hole in ack versions 2.00 to 2.11_02


Andy Lester

Dec 13, 2013, 12:29:56 AM
to ack-an...@googlegroups.com
http://beyondgrep.com/security/

Security hole in ack versions 2.00 to 2.11_02.

Please upgrade to ack 2.12 ASAP.

ack is a grep-like tool that is specifically created to make searching source code easier. One of the features added in ack 2.00 was the ability to have command line options in per-project .ackrc files. This has led to a serious security hole.

The --pager, --regex and --output options are powerful tools for users to manage the output of ack, but with carefully crafted parameters, they can be used to execute arbitrary code.

An attacker could create a .ackrc file with malicious --pager, --regex or --output options that would get used by ack. The malicious .ackrc could be put into code that a user would download and search with ack, and an unsuspecting user would then execute these options without realizing it. This malicious .ackrc could be, for example, in a source code tarball, or a checkout of a project from a code hosting site like GitHub or SourceForge.

ack 2.12 has solved this problem by disallowing the --pager, --regex or --output options in a per-project .ackrc file. They are still allowed in a global ackrc file, your own personal .ackrc file, the ACK_OPTIONS environment variable, and on the command line.

ack versions before 2.00 are not affected by this security hole.

Please see the ack installation page (http://beyondgrep.com/install) for information on how to install ack for your system.


Andy Lester => an...@petdance.com => www.petdance.com => AIM:petdance
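
A check a reader could run over downloaded code before searching it with an affected ack version, added here as an example; it is not part of the original announcement and not ack's own code. It assumes one option per line in `.ackrc` and matches only the three option names exactly as the advisory spells them; `scan_tree` and `demo` are hypothetical names, and the sample files are constructed.

```python
import os
import re
import tempfile

# Options the advisory says ack 2.12 refuses in a per-project .ackrc.
RESTRICTED = ("pager", "regex", "output")
# Assumption: one option per line, as "--name", "--name=value" or "--name value".
PATTERN = re.compile(r"^\s*--(%s)(?=[=\s]|$)" % "|".join(RESTRICTED))


def scan_tree(root):
    """Return (path, line_number, option) for each restricted option
    found in any .ackrc file under root."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        if ".ackrc" not in filenames:
            continue
        path = os.path.join(dirpath, ".ackrc")
        with open(path, "r", errors="replace") as handle:
            for number, line in enumerate(handle, start=1):
                match = PATTERN.match(line)
                if match:
                    findings.append((path, number, "--" + match.group(1)))
    return findings


def demo():
    """Build a constructed sample tree and scan it."""
    with tempfile.TemporaryDirectory() as root:
        project = os.path.join(root, "downloaded-project")
        os.makedirs(os.path.join(project, "lib"))
        # Constructed sample content with harmless values.
        with open(os.path.join(project, ".ackrc"), "w") as handle:
            handle.write("# project settings\n--ignore-dir=vendor\n--pager=less -R\n")
        # Hypothetical look-alike option name: must not be reported.
        with open(os.path.join(project, "lib", ".ackrc"), "w") as handle:
            handle.write("--smart-case\n--output-separator\n")
        return [(os.path.relpath(p, root), n, o) for p, n, o in scan_tree(root)]


if __name__ == "__main__":
    for path, number, option in demo():
        print(f"{path}:{number}: {option} in a per-project .ackrc")
```

Any hit means the file should be read by hand before ack 2.00 to 2.11_02 is run anywhere inside that tree.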
