libui-dialog-perl: Dialog backend allows execution of arbitrary shell commands (CVE-2008-7315)


Debian Bug report logs - #496448


Reported by: Tomaž Šolc <tomaz.solc@tablix.org>

Date: Sun, 24 Aug 2008 19:42:02 UTC

Severity: grave

Tags: fixed-upstream, security, upstream

Found in version libui-dialog-perl/1.08-1.1

Fixed in version libui-dialog-perl/1.21-0.1

Done: Reiner Herrmann <reiner@reiner-h.de>

Bug is archived. No further changes may be made.

Forwarded to https://rt.cpan.org/Public/Bug/Display.html?id=107364



Report forwarded to debian-bugs-dist@lists.debian.org, Alejandro Garrido Mota <garridomota@gmail.com>:
Bug#496448; Package libui-dialog-perl.


Acknowledgement sent to Tomaž Šolc <tomaz.solc@tablix.org>:
New Bug report received and forwarded. Copy sent to Alejandro Garrido Mota <garridomota@gmail.com>.


Message #5 received at submit@bugs.debian.org:

From: Tomaž Šolc <tomaz.solc@tablix.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: libui-dialog-perl: Dialog backend allows execution of arbitrary shell commands
Date: Sun, 24 Aug 2008 21:39:51 +0200
Package: libui-dialog-perl
Version: 1.08-1.1
Severity: important


Hi

UI::Dialog Perl module with the "dialog" backend does not properly
escape shell metacharacters in strings passed to it. This bug is a
potential security risk if these strings come from untrusted sources
since it allows execution of arbitrary shell commands.

The following program demonstrates this problem:

use strict;
use warnings;
use UI::Dialog;

# Select the "dialog" backend explicitly; this is the backend that fails to escape.
my $d = new UI::Dialog( order => ['dialog'] );

# The menu item text contains backticks; the dialog backend passes the string to
# the shell unescaped, so the embedded command runs and writes "Hello" to ./test.
$d->menu( list => [ "", '`echo "Hello" > test`' ] );

Best regards
Tomaz Solc

-- System Information:
Debian Release: lenny/sid
  APT prefers testing
  APT policy: (990, 'testing'), (600, 'unstable')
Architecture: i386 (i686)

Kernel: Linux 2.6.25
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages libui-dialog-perl depends on:
ii  perl                          5.10.0-11  Larry Wall's Practical Extraction 

libui-dialog-perl recommends no packages.

libui-dialog-perl suggests no packages.

-- no debconf information

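As an added illustration (not code from the report or from UI::Dialog itself) of the bug class above: the first builder interpolates menu strings into a dialog(1) command line the way an injectable wrapper does, the second quotes every argument with String::ShellQuote (the dependency the 1.21 fix adds), and the third avoids /bin/sh altogether. The exact command layout is an assumption, not UI::Dialog's real code.

```perl
#!/usr/bin/perl
# Added illustration, not code from the bug report or from UI::Dialog.
# The command layout below is an assumption about how such a wrapper is
# typically written; it is not the module's real implementation.
use strict;
use warnings;
use String::ShellQuote qw(shell_quote);  # dependency added by the 1.21 fix

# Constructed input: the tag/item pair from the original report.
my @items = ( "", '`echo "Hello" > test`' );

# Unsafe: double-quoting leaves backticks, $(...) and $VAR alive for /bin/sh,
# so the embedded command runs before dialog ever sees the text.
sub build_cmd_unsafe {
    my ( $title, @pairs ) = @_;
    return qq{dialog --menu "$title" 0 0 0 }
        . join( ' ', map { qq{"$_"} } @pairs );
}

# Safer: shell_quote wraps each argument in single quotes (escaping any
# embedded single quote), so the shell treats every argument as literal text.
sub build_cmd_quoted {
    my ( $title, @pairs ) = @_;
    return shell_quote( 'dialog', '--menu', $title, 0, 0, 0, @pairs );
}

# Safest: the list form of system() execs dialog directly and never
# invokes /bin/sh, so there is no shell parsing of the arguments at all.
sub run_dialog_list {
    my ( $title, @pairs ) = @_;
    return system( 'dialog', '--menu', $title, 0, 0, 0, @pairs );
}

# Neither string is executed here; compare how the backticks stay live in
# the first line and are neutralised inside single quotes in the second.
print "unsafe:  ", build_cmd_unsafe( 'Pick one', @items ), "\n";
print "quoted:  ", build_cmd_quoted( 'Pick one', @items ), "\n";
```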



Information forwarded to debian-bugs-dist@lists.debian.org, Alejandro Garrido Mota <alejandro@debian.org>:
Bug#496448; Package libui-dialog-perl. (Sun, 27 Sep 2015 19:45:04 GMT)


Acknowledgement sent to Matthijs Kooijman <matthijs@stdin.nl>:
Extra info received and forwarded to list. Copy sent to Alejandro Garrido Mota <alejandro@debian.org>. (Sun, 27 Sep 2015 19:45:04 GMT)


Message #10 received at 496448@bugs.debian.org:

From: Matthijs Kooijman <matthijs@stdin.nl>
To: alejandro@debian.org
Cc: 496448@bugs.debian.org
Subject: Re: libui-dialog-perl: Dialog backend allows execution of arbitrary shell commands
Date: Sun, 27 Sep 2015 21:22:39 +0200
Hi Alejandro,

I just stumbled upon this bug in UI::Dialog with improper escaping of
shell metacharacters. I reported it upstream:

https://rt.cpan.org/Public/Bug/Display.html?id=107364

I was going to contact the Debian security team about this issue, when I
noticed that this bug has been already reported back to Debian in 2008,
but has not seen any activity or discussion since. Given that this is
essentially a security issue, this surprises me.

I wonder if this issue is actually severe enough to warrant a CVE and
security update, so I want to contact the Debian security team. If you'd
rather contact them yourself, let me know and I'll let you handle it
instead.

Note that in the upstream report linked above, an upstream developer has
indicated he will try to work on a fix soon.

Gr.

Matthijs

Set Bug forwarded-to-address to 'https://rt.cpan.org/Public/Bug/Display.html?id=107364'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 08 Oct 2015 11:15:22 GMT)


Added tag(s) security and upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 08 Oct 2015 11:15:24 GMT)


Changed Bug title to 'libui-dialog-perl: Dialog backend allows execution of arbitrary shell commands (CVE-2008-7315)' from 'libui-dialog-perl: Dialog backend allows execution of arbitrary shell commands'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 08 Oct 2015 19:18:12 GMT)


Added tag(s) fixed-upstream. Request was from bts-link-upstream@lists.alioth.debian.org to control@bugs.debian.org. (Mon, 06 Jun 2016 17:36:50 GMT)


Severity set to 'grave' from 'important'. Request was from Moritz Muehlenhoff <jmm@debian.org> to control@bugs.debian.org. (Mon, 10 Oct 2016 19:39:08 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Alejandro Garrido Mota <alejandro@debian.org>:
Bug#496448; Package libui-dialog-perl. (Sun, 28 Oct 2018 12:27:03 GMT)


Acknowledgement sent to Reiner Herrmann <reiner@reiner-h.de>:
Extra info received and forwarded to list. Copy sent to Alejandro Garrido Mota <alejandro@debian.org>. (Sun, 28 Oct 2018 12:27:03 GMT)


Message #25 received at 496448@bugs.debian.org:

From: Reiner Herrmann <reiner@reiner-h.de>
To: 496448@bugs.debian.org, 602089@bugs.debian.org
Subject: libui-dialog-perl: NMU version 1.21-0.1
Date: Sun, 28 Oct 2018 13:26:31 +0100
Control: tags 496448 + pending
Control: tags 602089 + pending

Dear maintainer,

I've prepared an NMU for libui-dialog-perl (versioned as 1.21-0.1) and
uploaded it to DELAYED/2. Please feel free to tell me if I
should delay it longer.

Regards.
  Reiner

Added tag(s) pending. Request was from Reiner Herrmann <reiner@reiner-h.de> to 496448-submit@bugs.debian.org. (Sun, 28 Oct 2018 12:27:03 GMT)


Reply sent to Reiner Herrmann <reiner@reiner-h.de>:
You have taken responsibility. (Tue, 30 Oct 2018 14:54:05 GMT)


Notification sent to Tomaž Šolc <tomaz.solc@tablix.org>:
Bug acknowledged by developer. (Tue, 30 Oct 2018 14:54:05 GMT)


Message #32 received at 496448-close@bugs.debian.org:

From: Reiner Herrmann <reiner@reiner-h.de>
To: 496448-close@bugs.debian.org
Subject: Bug#496448: fixed in libui-dialog-perl 1.21-0.1
Date: Tue, 30 Oct 2018 14:50:45 +0000
Source: libui-dialog-perl
Source-Version: 1.21-0.1

We believe that the bug you reported is fixed in the latest version of
libui-dialog-perl, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 496448@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Reiner Herrmann <reiner@reiner-h.de> (supplier of updated libui-dialog-perl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Sat, 27 Oct 2018 16:46:44 +0200
Source: libui-dialog-perl
Binary: libui-dialog-perl
Architecture: source
Version: 1.21-0.1
Distribution: unstable
Urgency: medium
Maintainer: Alejandro Garrido Mota <alejandro@debian.org>
Changed-By: Reiner Herrmann <reiner@reiner-h.de>
Description:
 libui-dialog-perl - UI::Dialog a wrapper for various dialog applications
Closes: 496448 602089
Changes:
 libui-dialog-perl (1.21-0.1) unstable; urgency=medium
 .
   * Non-maintainer upload.
   * New upstream release.
     - Fixes CVE-2008-7315 (Closes: #496448)
     - Fixes version detection of newer dialog versions (Closes: #602089)
   * Drop FixPod2manErrors.diff and FixSpellingAndManDescription.diff
     (applied upstream).
   * New (build-)dependencies: libfile-slurp-perl, libstring-shellquote-perl





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 03 Dec 2018 07:37:27 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 19:04:46 2019; Machine Name: buxtehude
