CVE-2019-19010 - Eval injection in the Math plugin
Bug #1852859 reported by Mattia Rizzolo
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
limnoria (Ubuntu) | Fix Released | Medium | Mattia Rizzolo |
Bionic | Fix Released | Medium | Mattia Rizzolo |
Bug Description
[ Impact ]
This is a security issue that allows a remote, unauthenticated attacker to obtain private information regarding the current process, and possibly remotely execute code.
[ Test Case ]
With this being the case of an eval() gone rogue, since the eval() has now been removed that's enough of a test case to assure the bug is fixed.
[ Regression Potential ]
limnoria contains a very comprehensive test suite, including for the Math plugin, so the regression potential is minimal.
CVE References
Changed in limnoria (Ubuntu Bionic):
assignee: nobody → Mattia Rizzolo (mapreri)
importance: Undecided → Medium
Changed in limnoria (Ubuntu Bionic):
status: New → In Progress
Since this is a security issue, maybe the security team would be interested in it? Assigning the security team for feedback. Even though this is a universe package, getting it into -security might still be a thing worth considering.