Bug 198876 - [devel/osc][security] CVE-2015-0778
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: --- Affects Only Me
Assignee: Dmitry Marakasov
Reported: 2015-03-24 18:14 UTC by Sevan Janiyan
Modified: 2015-03-31 16:26 UTC
bugzilla: maintainer-feedback? (amdmi3)


Description Sevan Janiyan 2015-03-24 18:14:30 UTC
osc before 0.151.0 allows remote attackers to execute arbitrary commands via shell metacharacters in a _service file.
Comment 1 commit-hook freebsd_committer freebsd_triage 2015-03-31 16:11:07 UTC
A commit references this bug:

Author: amdmi3
Date: Tue Mar 31 16:10:22 UTC 2015
New revision: 382847
URL: https://svnweb.freebsd.org/changeset/ports/382847

Log:
  Add vulnerability for devel/osc.

  Security:	CVE-2015-0778
  PR:		198876
  Submitted by:	venture37@geeklan.co.uk

Changes:
  head/security/vuxml/vuln.xml
Comment 2 commit-hook freebsd_committer freebsd_triage 2015-03-31 16:26:10 UTC
A commit references this bug:

Author: amdmi3
Date: Tue Mar 31 16:25:38 UTC 2015
New revision: 382849
URL: https://svnweb.freebsd.org/changeset/ports/382849

Log:
  - Update to 0.151.2
  - Fixes CVE-2015-0778 (shell command injection via crafted _service files)

  PR:		198876
  Submitted by:	venture37@geeklan.co.uk

Changes:
  head/devel/osc/Makefile
  head/devel/osc/distinfo