CVE-2018-9246


Debian Bug report logs - #900942
CVE-2018-9246


Reported by: "Robert J. Clay" <rjclay@gmail.com>

Date: Thu, 7 Jun 2018 03:15:01 UTC

Severity: grave

Tags: fixed-upstream, security, upstream

Found in version libpgobject-util-dbadmin-perl/0.100.0-1

Fixed in version libpgobject-util-dbadmin-perl/0.130.1-1

Done: Robert James Clay <jame@rocasa.us>



Report forwarded to debian-bugs-dist@lists.debian.org, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>:
Bug#900942; Package src:libpgobject-util-dbadmin-perl. (Thu, 07 Jun 2018 03:15:04 GMT) (full text, mbox, link).


Acknowledgement sent to "Robert J. Clay" <rjclay@gmail.com>:
New Bug report received and forwarded. Copy sent to Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>. (Thu, 07 Jun 2018 03:15:04 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: "Robert J. Clay" <rjclay@gmail.com>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Fwd: [ledgersmb-announce] Security announcement for CVE-2018-9246 / PGObject::Util::DBAdmin
Date: Wed, 6 Jun 2018 23:12:27 -0400
Source: libpgobject-util-dbadmin-perl
Severity: grave
Tags: security

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-9246

---------- Forwarded message ---------
From: Erik Huelsmann <ehuels@gmail.com>
Date: Wed, Jun 6, 2018 at 6:36 PM
Subject: [ledgersmb-announce] Security announcement for CVE-2018-9246 / PGObject::Util::DBAdmin
To: <announce@lists.ledgersmb.org>


This mail is sent to this mailing list because PGObject::Util::DBAdmin
itself doesn't have a mailing list to send the disclosure to. We'll
update its repository to reflect the announcement below.


Please take note of the security advisory below, known as CVE-2018-9246

Nick Prater discovered that PGObject::Util::DBAdmin insufficiently
sanitizes or escapes variable values used as part of shell command
execution, resulting in shell code injection.

The vulnerability allows an attacker to execute arbitrary code with the
same privileges as the running application through the create(), run_file(),
backup() and restore() functions.

Affected versions:
  PGObject::Util::DBAdmin versions 0.110.0 and lower.

Vulnerability type:
  Insufficiently sanitized arguments in external program invocation

Discoverer:
  Nick Prater (NP Broadcast LTD)

Resolution:
  Upgrade to PGObject::Util::DBAdmin 0.120.0 or newer. (0.130.0 available on CPAN).
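The advisory describes values reaching the shell unescaped when the module invokes the PostgreSQL client tools. As an added illustration (not code from PGObject::Util::DBAdmin or LedgerSMB), the following Perl shows the vulnerable pattern beside the hardened one; the function names, argument keys and the hostile input are all constructed for this example.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Vulnerable pattern, as the advisory describes: caller-supplied values are
# interpolated into one command string that is then handed to /bin/sh, so any
# shell metacharacter inside a value is parsed as shell syntax.
# (This would be executed as system($string): string form, shell involved.)
sub restore_command_interpolated {
    my (%arg) = @_;
    return "psql -h $arg{host} -U $arg{username} -d $arg{dbname} -f $arg{file}";
}

# Hardened pattern: build an argv list and run it with the list form of
# system(), which execs psql directly; each value stays one literal argument.
sub restore_argv {
    my (%arg) = @_;
    return ('psql', '-h', $arg{host}, '-U', $arg{username},
            '-d', $arg{dbname}, '-f', $arg{file});
}

# Defence in depth: accept only characters that a host name, role, database
# name or file path legitimately needs, and refuse everything else outright.
sub looks_safe {
    my ($value) = @_;
    return defined $value && $value =~ /\A[\w.\/-]+\z/;
}

sub run_restore {
    my (%arg) = @_;
    for my $key (qw(host username dbname file)) {
        die "refusing to run psql: unsafe value for $key\n" unless looks_safe($arg{$key});
    }
    my @argv = restore_argv(%arg);
    return system(@argv) == 0;   # list form with >1 element: no shell is spawned
}

# Constructed hostile input: a database name carrying a shell separator.
my %hostile = (host => 'localhost', username => 'app',
               dbname => 'demo; echo injected', file => 'dump.sql');

print restore_command_interpolated(%hostile), "\n";  # sh would run "echo injected" as a second command
print join(' | ', restore_argv(%hostile)), "\n";     # 'demo; echo injected' stays one argv element
eval { run_restore(%hostile) };
print "validation blocked the call: $@" if $@;
```

Note that the list form of system() only avoids the shell when it receives more than one element; a single-element call still goes through /bin/sh if the string contains metacharacters.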



Changed Bug title to 'CVE-2018-9246' from 'Fwd: [ledgersmb-announce] Security announcement for CVE-2018-9246 / PGObject::Util::DBAdmin'. Request was from "Robert J. Clay" <rjclay@gmail.com> to control@bugs.debian.org. (Thu, 07 Jun 2018 03:45:06 GMT) (full text, mbox, link).


Marked as found in versions libpgobject-util-dbadmin-perl/0.100.0-1. Request was from "Robert J. Clay" <rjclay@gmail.com> to control@bugs.debian.org. (Thu, 07 Jun 2018 04:00:03 GMT) (full text, mbox, link).


Added tag(s) upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 07 Jun 2018 04:24:03 GMT) (full text, mbox, link).


Added tag(s) fixed-upstream. Request was from gregor herrmann <gregoa@debian.org> to control@bugs.debian.org. (Thu, 07 Jun 2018 06:39:02 GMT) (full text, mbox, link).


Reply sent to Robert James Clay <jame@rocasa.us>:
You have taken responsibility. (Thu, 07 Jun 2018 21:36:06 GMT) (full text, mbox, link).


Notification sent to "Robert J. Clay" <rjclay@gmail.com>:
Bug acknowledged by developer. (Thu, 07 Jun 2018 21:36:06 GMT) (full text, mbox, link).


Message #18 received at 900942-close@bugs.debian.org (full text, mbox, reply):

From: Robert James Clay <jame@rocasa.us>
To: 900942-close@bugs.debian.org
Subject: Bug#900942: fixed in libpgobject-util-dbadmin-perl 0.130.1-1
Date: Thu, 07 Jun 2018 21:34:40 +0000
Source: libpgobject-util-dbadmin-perl
Source-Version: 0.130.1-1

We believe that the bug you reported is fixed in the latest version of
libpgobject-util-dbadmin-perl, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 900942@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Robert James Clay <jame@rocasa.us> (supplier of updated libpgobject-util-dbadmin-perl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Thu, 07 Jun 2018 10:55:23 -0400
Source: libpgobject-util-dbadmin-perl
Binary: libpgobject-util-dbadmin-perl
Architecture: source
Version: 0.130.1-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>
Changed-By: Robert James Clay <jame@rocasa.us>
Closes: 900942
Description: 
 libpgobject-util-dbadmin-perl - PostgreSQL Database Management Facilities for PGObject
Changes:
 libpgobject-util-dbadmin-perl (0.130.1-1) unstable; urgency=medium
 .
   [ Salvatore Bonaccorso ]
   * Update Vcs-* headers for switch to salsa.debian.org
 .
   [ gregor herrmann ]
   * Update years of upstream and packaging copyright.
   * Don't run new perlcritic test during build and autopkgtest.
   * Add (build) dependency on libnamespace-clean-perl.
   * Declare compliance with Debian Policy 4.1.4.
   * Bump debhelper compatibility level to 10.
 .
   [ Robert James Clay ]
   * Update my copyright years in debian/copyright.
   * Import upstream version 0.130.1, resolving CVE-2018-9246. (Closes: #900942)
   * Correct the upstream URL metadata in debian/upstream/metadata.
   * Add 't/boilerplate.t' to the debian/tests/pkg-perl/smoke-skip file.






Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 18:51:39 2019; Machine Name: beach
