openSUSE Security Update: update for ack
______________________________________________________________________________

Announcement ID:    openSUSE-SU-2014:0142-1
Rating:             moderate
References:         #855340
Cross-References:   CVE-2013-7069
Affected Products:
                    openSUSE 13.1
______________________________________________________________________________

   An update that fixes one vulnerability is now available.

Description:

   - update to ack 2.12: fixes potential remote code execution via
     per-project .ackrc files [bnc#855340] [CVE-2013-7069]
     * prevents the --pager, --regex and --output options from being used
       from project-level ackrc files, preventing possible code execution
       when using ack through malicious files
     * --pager, --regex and --output options may still be used from the
       global /etc/ackrc, your own private ~/.ackrc, the ACK_OPTIONS
       environment variable, and of course from the command line.
     * Now ignores Eclipse .metadata directory.
   - includes changes from 2.11_02:
     * upstream source mispackaging fix
   - includes changes from 2.11_01:
     * Fixed a race condition in t/file-permission.t that was causing
       failures if tests were run in parallel.
   - includes changes from 2.10:
     * Add --perltest for *.t files
     * Added Matlab support
     * More compatibility fixes for Perl 5.8.8.
   - includes changes from 2.08:
     * ack now ignores CMake's build/cache directories by default
     * Add shebang matching for --lua files
     * Add documentation for --ackrc
     * Add Elixir filetype
     * Add --cathy option
     * Add some helpful debugging tips when an invalid option is found
     * Ignore PDF files by default, because Perl will detect them as text
     * Ignore .gif, .jpg, .jpeg and .png files. They won't normally be
       selected, but this is an optimization so that ack doesn't have to
       open them to know
     * Ack's colorizing of output would get confused with multiple sets of
       parentheses
     * Ack would get confused when trying to colorize the output in
       DOS-format files
   - includes changes from 2.05_01:
     * We now ignore the node_modules directories created by npm
     * --pager without an argument implies --pager=$PAGER
     * --perl now recognizes Plack-style .psgi files
     * Added filetypes for CoffeeScript, JSON, LESS, and Sass.
     * Command-line options now override options set in ackrc files
     * ACK_PAGER and ACK_PAGER_COLOR now work as advertised.
     * Fix a bug resulting in uninitialized variable warnings when more
       than one capture group was specified in the search pattern
     * Make sure ack is happy to build and test under cron and other
       console-less environments.
   - packaging changes:
     * run more tests with IO::Pty
     * refresh ack-ignore-osc.patch for upstream changes
     * update project URL
   - port changes from devel:languages:perl ack by daxim@cpan.org:
     * correct metadata: licence, CPAN download, homepage
     * unset forced prefix - let Perl configuration and toolchain determine
       the prefix/install_base which will DTRT
     * bash completion is gone, remove dead code
   - modified patches:
     * ack-ignore-osc.patch adjust for upstream source changes

Patch Instructions:

   To install this openSUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - openSUSE 13.1:

      zypper in -t patch openSUSE-2014-87

   To bring your system up-to-date, use "zypper patch".

Package List:

   - openSUSE 13.1 (noarch):

      ack-2.12-3.4.1
      perl-App-Ack-2.12-3.4.1

References:

   http://support.novell.com/security/cve/CVE-2013-7069.html
   https://bugzilla.novell.com/855340
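As an added example (not part of the ack project or of this advisory), the following Python audit mirrors the 2.12 fix from the defender's side: it parses project-level .ackrc files (one argument per line, '#' comments, per ack's documented format) and reports any use of the three options that ack 2.12 no longer accepts from project-level config, so checkouts on hosts still running an older ack can be reviewed. The sample .ackrc content is constructed, and the audit_tree helper name is this example's own.

```python
"""Report --pager, --regex and --output in project-level .ackrc files,
the options ack 2.12 stopped honouring from repositories (CVE-2013-7069).
Added example; not code from ack or from the openSUSE advisory."""
import os
import re

# The three options the 2.12 fix refuses from project-level ackrc files.
UNSAFE_OPTIONS = ("--pager", "--regex", "--output")
_OPT_RE = re.compile(r"^(%s)(?:=(.*))?$"
                     % "|".join(re.escape(o) for o in UNSAFE_OPTIONS))


def parse_ackrc(text):
    """Yield (line_no, argument): ackrc holds one argument per line,
    blank lines are skipped and a line starting with '#' is a comment."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        arg = raw.strip()
        if arg and not arg.startswith("#"):
            yield line_no, arg


def find_unsafe_options(text):
    """Return [(line_no, option, value_or_None)] for each unsafe option.
    A value is only recognised in the --opt=value form; a bare --pager
    line implies --pager=$PAGER (per the 2.05_01 changelog) and is still
    reported, because the risk lies in who supplied the option at all."""
    return [(line_no, m.group(1), m.group(2))
            for line_no, arg in parse_ackrc(text)
            for m in [_OPT_RE.match(arg)] if m]


def audit_tree(root):
    """Walk a checkout; map each .ackrc path to its findings (hypothetical
    helper for scanning many repositories at once)."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        if ".ackrc" in files:
            path = os.path.join(dirpath, ".ackrc")
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits = find_unsafe_options(fh.read())
            if hits:
                report[path] = hits
    return report


# Constructed sample: harmless settings mixed with the three options that
# should never be accepted from a repository-supplied file.
SAMPLE_ACKRC = """# project settings
--ignore-dir=build
--pager=less -R
--type-add=web:ext:html,css
--regex
--output=$1
"""

if __name__ == "__main__":
    for line_no, opt, val in find_unsafe_options(SAMPLE_ACKRC):
        print("line %d: %s (value %r)" % (line_no, opt, val))
```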