Skip to content. | Skip to navigation

Sections
Personal tools
You are here: Home News m4 security advisore
 

m4 security advisore

— filed under:

The (1) maketemp and (2) mkstemp builtin functions in GNU m4 before 1.4.11 do not quote their output when a file is created, which might allow context-dependent attackers to trigger a macro expansion, leading to unspecified use of an incorrect filename. Unspecified vulnerability in GNU m4 before 1.4.11 might allow context-dependent attackers to execute arbitrary code, related to improper handling of filenames specified with the -F option. NOTE: it is not clear when this issue crosses privilege boundaries.

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1687

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1688

New m4 package is available in the testing repository.

Document Actions