Epiphany: Untrusted search path — GLSA 200903-16

An untrusted search path vulnerability in Epiphany might result in the execution of arbitrary code.

Affected Packages

www-client/epiphany on all architectures
Affected versions < 2.22.3-r2
Unaffected versions >= 2.22.3-r2

Background

Epiphany is a GNOME webbrowser based on the Mozilla rendering engine Gecko.

Description

James Vega reported an untrusted search path vulnerability in the Python interface.

Impact

A local attacker could entice a user to run Epiphany from a directory containing a specially crafted python module, resulting in the execution of arbitrary code with the privileges of the user running Epiphany.

Workaround

Do not run "epiphany" from untrusted working directories.

Resolution

All Epiphany users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=www-client/epiphany-2.22.3-r2"

References

Release Date
March 09, 2009

Latest Revision
March 09, 2009: 01

Severity
normal

Exploitable
local

Bugzilla entries