This queue is for tickets about the PerlSpeak CPAN distribution.

Report information

Id: 132173
Status: new
Priority: Low/Low
Queue: PerlSpeak
Owner: Nobody in particular
Requestors: juerd [...] tnx.nl
Severity: (no value)
Broken in: (no value)
Fixed in: (no value)

Subject: Security: shell injection RCEs all over the place
Date: Wed, 18 Mar 2020 20:30:08 +0100
To: bug-PerlSpeak@rt.cpan.org
From: Juerd Waalboer <juerd@tnx.nl>
TL;DR: do not use the PerlSpeak module. The main method 'say', and several other methods, are ridden with system() calls that contain arbitrary strings, that are likely to be unsafe for use in a shell command. The use of 2-argument open() with arbitrary strings is equally unsafe. Unsafe input could come from any code that uses this module, or from the filesystem ('fileselect' method).

I'm not providing patches, because the security issue is pervasive throughout the module and major rewriting will be required in any case.

--
Met vriendelijke groet, // Kind regards, // Korajn salutojn,
Juerd Waalboer <juerd@tnx.nl>
TNX
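As an added illustration of the two patterns the report names, the following is constructed example code and not PerlSpeak's own code: it places a single-string system() call and a 2-argument open() next to the shell-free forms a maintainer would rewrite them into. The external command `tts-engine`, its `--text` option and the sub names are placeholders assumed for the example.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical text-to-speech wrapper (not PerlSpeak's code).
# Assumed: an external command "tts-engine" that either takes the text as a
# "--text" argument or reads it from stdin. Both names are placeholders.

# UNSAFE pattern named in the report: an arbitrary string is interpolated
# into a one-argument system() call, which Perl hands to /bin/sh. Any shell
# metacharacter in $text is therefore interpreted by the shell, not spoken.
sub say_unsafe {
    my ($text) = @_;
    return system("echo $text | tts-engine");
}

# HARDENED: list-form system() execs the program directly, so $text is
# delivered as one argv element and never parsed by a shell.
sub say_safe {
    my ($text) = @_;
    return system('tts-engine', '--text', $text);
}

# When the program must read from stdin, a list-form piped open() (three or
# more arguments) starts it without a shell as well.
sub say_safe_stdin {
    my ($text) = @_;
    open(my $tts, '|-', 'tts-engine') or die "cannot start tts-engine: $!";
    print {$tts} $text;
    close($tts) or die "tts-engine failed (status $?)";
    return 1;
}

# UNSAFE 2-argument open(): the second argument is parsed for mode characters
# and pipes, so a "filename" that starts or ends with '|' is run as a command
# and one that starts with '>' is written to instead of read. A name taken
# from a directory listing (the report's 'fileselect' case) is untrusted input.
sub read_unsafe {
    my ($name) = @_;
    open(my $fh, $name) or die "$name: $!";
    local $/;
    my $content = <$fh>;
    close($fh);
    return $content;
}

# HARDENED 3-argument open(): the mode is a separate literal, so $name is only
# ever treated as a path, whatever characters it contains.
sub read_safe {
    my ($name) = @_;
    open(my $fh, '<', $name) or die "$name: $!";
    local $/;
    my $content = <$fh>;
    close($fh);
    return $content;
}

# Cheap way to find remaining instances: run the module's tests under taint
# mode (perl -T). Perl then dies before any externally derived string reaches
# a one-argument system() or a 2-argument open(), pointing at each call site.
1;
```

The design point is that neither hardened form tries to escape or filter the string; it simply never lets a shell see it, which is the only fix that holds for all inputs.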
Subject: Re: [rt.cpan.org #132173] Security: shell injection RCEs all over the place
Date: Wed, 18 Mar 2020 22:56:33 +0100
To: bug-PerlSpeak@rt.cpan.org
From: Juerd Waalboer <juerd@tnx.nl>
This vulnerability has been assigned CVE-2020-10674.