[Secure-testing-team] Bug#881097: libnet-ping-external-perl: long-standing command injection via crafted arguments
Simon McVittie
smcv at debian.org
Tue Nov 7 18:02:22 UTC 2017
Package: libnet-ping-external-perl
Version: 0.13-1
Severity: grave
Tags: security patch upstream
Justification: user security hole
Forwarded: https://rt.cpan.org/Public/Bug/Display.html?id=33230
See forwarded message below. The reporter's proposed patch is also
attached.
The proposed patch seems to pretend to be a new upstream release, which
seems weird to me, but it isn't my patch.
For what it's worth, dak says nothing in unstable depends on this
package; so perhaps it's time to remove it from Debian.
smcv
----- Forwarded message from Matthias Weckbecker <matthias weckbecker name> -----
Date: Tue, 7 Nov 2017 17:51:27 +0100
From: Matthias Weckbecker <matthias weckbecker name>
To: oss-security at lists.openwall.com
Subject: [oss-security] Net::Ping::External command injections
Message-ID: <20171107165127.GA1693 at weckbecker.name>
Hi,
Net::Ping::External [0] is prone to command injection vulnerabilities.
The issues are roughly 10 (!) years old [1], but the code is still being
shipped these days (e.g. in ubuntu artful and debian stretch [2]).
I had contacted the author of the code a few days ago, but obviously did
not get any reaction.
A patch is available here:
http://matthias.sdfeu.org/devel/net-ping-external-cmd-injection.patch
Maybe time to just patch it downstream? Or drop this pkg. altogether?
Thanks,
Matthias
--
[0] https://metacpan.org/pod/Net::Ping::External
[1] https://rt.cpan.org/Public/Dist/Display.html?Name=Net-Ping-External
(id #33230)
[2] https://packages.debian.org/stable/perl/libnet-ping-external-perl \
https://launchpad.net/ubuntu/+source/libnet-ping-external-perl
----- End forwarded message -----
-------------- next part --------------
A non-text attachment was scrubbed...
Name: net-ping-external-cmd-injection.patch
Type: text/x-diff
Size: 4870 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/secure-testing-team/attachments/20171107/0a7f9569/attachment.patch>
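The bug class the report describes, as an added illustration that is not code from Net::Ping::External, from the reporter's patch, or from this list: a hypothetical Perl wrapper that shells out to ping. The function names, the host validator, the count check and the crafted host string are all assumptions made for this example; it shows the string-interpolated command that a shell would parse, and the hardened form that validates the argument and uses list-form open() so /bin/sh is never involved.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Illustrative example only: NOT the Net::Ping::External source and NOT
# the reporter's patch. All function names here are hypothetical.

# Vulnerable pattern: the caller-supplied host is interpolated into one
# string that would be handed to /bin/sh via backticks or open("...|").
# Shell metacharacters inside $host therefore become extra commands.
sub ping_unsafe_command {
    my ($host, $count) = @_;
    return "ping -c $count $host 2>&1";
}

# Hardened pattern, step 1: only accept what a host may legitimately be.
# Rejecting a leading '-' also blocks argument injection ("-f", "-i 0"),
# which list-form exec alone does not prevent.
sub validate_host {
    my ($host) = @_;
    return 0 unless defined $host && length $host <= 253;
    return $host =~ /\A[A-Za-z0-9][A-Za-z0-9.:-]*\z/ ? 1 : 0;
}

# Hardened pattern, step 2: build argv as a list and let Perl exec it
# directly. With more than one list element, open() bypasses the shell,
# so metacharacters in any element are inert.
sub ping_safe {
    my ($host, $count) = @_;
    die "refusing suspicious host: " . ($host // '<undef>') . "\n"
        unless validate_host($host);
    die "count must be a small positive integer\n"
        unless defined $count && $count =~ /\A[1-9]\d?\z/;

    my @argv = ('ping', '-c', $count, $host);
    open(my $fh, '-|', @argv) or die "cannot fork for ping: $!\n";
    local $/;
    my $out = <$fh>;
    close $fh;
    return ($? >> 8) == 0 ? 1 : 0;    # 1 = host answered
}

# Constructed crafted argument, as a malicious caller might pass it.
my $evil = '127.0.0.1; echo INJECTED > /tmp/pwned';

print "shell would see: ", ping_unsafe_command($evil, 1), "\n";
# Run through a shell, the part after ';' executes as a second command.

eval { ping_safe($evil, 1) };
print "hardened wrapper: $@" if $@;               # refused before any exec

my $ok = ping_safe('127.0.0.1', 1);
print "hardened wrapper: localhost ", ($ok ? "answered" : "did not answer"), "\n";
```

The validator is deliberately strict rather than an attempt to escape shell syntax: quoting is fragile across shells and platforms, whereas an allow-list plus list-form exec removes the shell from the path entirely, which is the property a reviewer should check for in any module that wraps an external command.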