GNU ed: User-assisted execution of arbitrary code
Gentoo Linux Security Advisory
||GLSA 200809-15 / ed
||September 23, 2008
||September 23, 2008: 01
All supported architectures
A buffer overflow vulnerability in ed may allow for the remote execution of
GNU ed is a basic line editor. red is a restricted version of ed that
does not allow shell command execution.
Alfredo Ortega from Core Security Technologies reported a heap-based
buffer overflow in the strip_escapes() function when processing overly
A remote attacker could entice a user to process specially crafted
commands with ed or red, possibly resulting in the execution of
arbitrary code with the privileges of the user running the application.
There is no known workaround at this time.
All GNU ed users should upgrade to the latest version:
Code Listing 3.1: Resolution
# emerge --sync
# emerge --ask --oneshot --verbose ">=sys-apps/ed-1.0"