Security hole in ack versions 2.00 to 2.11_02.

Please upgrade to ack 2.12 ASAP.

ack is a grep-like tool that is specifically created to make searching source code easier. One of the features added in ack 2.00 was the ability to have command line options in per-project .ackrc files. This has led to a serious security hole.

The --pager, --regex and --output options are powerful tools for users to manage the output of ack, but with carefully crafted parameters, they can be used to execute arbitrary code.

An attacker could create a .ackrc file with malicious --pager, --regex or --output options that ack would read and act on. The malicious .ackrc could be placed in code that a user downloads and then searches with ack, and ack would apply these options for the unsuspecting user without their realizing it. Such a malicious .ackrc could arrive, for example, in a source code tarball, or in a checkout of a project from a code hosting site like GitHub or SourceForge.

ack 2.12 has solved this problem by disallowing the --pager, --regex or --output options in a per-project .ackrc file. They are still allowed in a global ackrc file, your own personal .ackrc file, the ACK_OPTIONS environment variable, and on the command line.
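The per-project filter that 2.12 introduced, written out as an added stand-alone check (Python, not ack's own Perl code). It assumes ack's ackrc format of one option per line with `#` comments, and that a bare option such as `--output` takes its value from the following line.

```python
# Added example, not ack's own code: the per-project .ackrc filter introduced
# in ack 2.12 as a stand-alone check. Assumes ack's ackrc format (one option
# per line, '#' comments, a bare option taking its value from the next line).

# Options ack 2.12 refuses from a per-project .ackrc; they stay legal in the
# global ackrc, ~/.ackrc, ACK_OPTIONS and on the command line.
PROJECT_FORBIDDEN = ("--pager", "--regex", "--output")


def option_name(line):
    """'--pager=less -R' -> '--pager'; '--pager less' -> '--pager'."""
    return line.split("=", 1)[0].split(None, 1)[0]


def check_project_ackrc(text):
    """Split a per-project .ackrc into (allowed, rejected): option lines that
    may stay, and (line_no, option) pairs that must not be honoured."""
    allowed, rejected = [], []
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        line_no, line = i + 1, lines[i].strip()
        i += 1
        if not line or line.startswith("#"):
            continue
        if option_name(line) not in PROJECT_FORBIDDEN:
            allowed.append(line)
            continue
        option = line
        # A bare '--output' takes its value from the next non-blank line;
        # swallow it so the value is not kept as if it were an option itself.
        if "=" not in line and " " not in line:
            while i < len(lines) and not lines[i].strip():
                i += 1
            if i < len(lines):
                option += " " + lines[i].strip()
                i += 1
        rejected.append((line_no, option))
    return allowed, rejected


# Constructed sample of a per-project .ackrc as shipped inside a checkout.
SAMPLE_ACKRC = """\
# project search defaults (constructed sample)
--ignore-dir=node_modules
--pager=less -R
--output
$1
--sort-files
--regex=TODO
"""
```

Running `check_project_ackrc(SAMPLE_ACKRC)` keeps the `--ignore-dir` and `--sort-files` lines and reports lines 3, 4 and 7 as options that must not come from a per-project file.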

ack versions before 2.00 are not affected by this security hole.

Please see the ack installation page for information on how to install ack for your system.