Date: Thu, 8 Oct 2015 14:29:30 +0200
From: Matthijs Kooijman <matthijs@...in.nl>
To: oss-security@...ts.openwall.com
Cc: alejandro@...ian.org, kevin@...nke.ca
Subject: CVE request - perl library UI::Dialog 1.09 - shell escaping vulnerability

Hi folks,

can you please assign a CVE for the UI::Dialog perl library? I (re)discovered a flaw that allows arbitrary command execution when the library is given untrusted strings to show in a menu prompt.

The flaw was initially reported in 2008 at https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=496448 but it seems this never reached upstream. I recently reported the bug upstream at https://rt.cpan.org/Public/Bug/Display.html?id=107364; see that report for some additional details.

Upstream has indicated that it is working on a fix (see upstream bug), but no patches are available yet.

Impact seems limited; I'm not aware of any well-known programs that use this library and are vulnerable (only two Debian packages depend on it, and both use a UI::Dialog backend that is unaffected).

Thanks,

Matthijs

[Attachment: signature.asc, application/pgp-signature, 820 bytes]
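The class of bug described in the message above is a frontend that builds a command line for an external dialog program by interpolating caller-supplied text into a shell string. The Perl below is an added illustration, not UI::Dialog's code and not the reporter's; the command-builder helpers, the use of `printf` as a stand-in for the `dialog` binary, and the constructed input string are all assumptions made for the example. It shows the two defensive options a library author has: quote every word so a POSIX shell treats it as one literal argument, or bypass the shell entirely with the list form of `system()`.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Quote one string so that a POSIX shell delivers it as a single literal word.
# Single quotes suppress every kind of expansion; an embedded single quote is
# handled by closing the quote, escaping the quote, and reopening:  it's -> 'it'\''s'
sub shell_quote_word {
    my ($s) = @_;
    $s =~ s/'/'\\''/g;
    return "'$s'";
}

# Hypothetical command builders modelled on a dialog-style frontend (assumption:
# this is not how UI::Dialog itself is written). The unsafe variant drops the
# caller's text straight into the shell string inside double quotes, where
# $(...), backticks and an unbalanced quote are still interpreted by the shell.
sub build_menu_command_unsafe {
    my ($program, $title, @items) = @_;
    return qq{$program "$title" } . join(' ', map { qq{"$_"} } @items);
}

# The safe variant quotes every word, so the shell passes each one through
# untouched and the external program receives exactly the caller's strings.
sub build_menu_command_safe {
    my ($program, $title, @items) = @_;
    return join(' ', $program, map { shell_quote_word($_) } $title, @items);
}

# Constructed untrusted input: a file name that happens to contain shell
# metacharacters, as a menu entry taken from a directory listing might.
my $untrusted = q{report $(id) `id`; it's};

# Use printf as a stand-in for the dialog binary: it prints one line per
# argument, so the output shows exactly what arguments the shell would pass.
my $stand_in = q{printf '%s\n'};

print "Unsafe command string (not executed here):\n";
print build_menu_command_unsafe($stand_in, 'Choose a file', $untrusted), "\n\n";

print "Safe command string:\n";
my $safe = build_menu_command_safe($stand_in, 'Choose a file', $untrusted);
print "$safe\n\n";

print "Arguments the shell delivers for the safe string:\n";
my $out = qx{sh -c $safe};
print $out;
# Expected: two lines, "Choose a file" and the untrusted string verbatim, with
# no uid= output, because nothing inside the quotes was expanded.
die "quoting failed: shell expanded untrusted input\n" if $out =~ /uid=/;

# Better still: avoid the shell entirely. The list form of system() hands the
# arguments to execve() directly, so no quoting is needed at all.
my @argv = ('printf', '%s\n', 'Choose a file', $untrusted);
system(@argv) == 0 or die "printf failed: $?\n";
```

The `qx{sh -c $safe}` line is only there to make the quoting visible; in a real frontend the list-form `system(@argv)` (or `IPC::Open3` with a list) is the simpler fix because there is no shell string to get wrong in the first place.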