[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Potentially insecure Perl scripts

Ian Jackson writes ("Re: Potentially insecure Perl scripts"):
> Vincent Lefevre writes ("Potentially insecure Perl scripts"):
> > I've just reported
> >   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=920269
> > against gropdf (also reported upstream to bug-groff), about the use of
> > the insecure null filehandle "<>" in Perl, which can lead to arbitrary
> > command execution, e.g. when using wildcards.
> > 
> > I've noticed that some other Perl scripts also use this filehandle and
> > might be affected by the same issue.
> OMFG.  This is worse than shellshock.
>   $ perl -pe 's/^/got /' "whoami|"
>   got iwj
>   $

Apparently this has been klnown about for EIGHTEEN YEARS
and no-one has fixed it or even documented it.

I think this is a serious bug in Perl which should be fixed in a
security update.

Debian Perl maintainers, can you please tell me whether you agree, and
if so whether you intend to prepare a security update ?

IMO the correct behaviour for <> and -p and -e should be to special
case "-" (which usual filename argument unquoting will often deal
with) and otherwise use the three-argument form of the builtin
open.  The tiny number of programs broken by such a change will be
massively outweighed by the large number of hideous security bugs
which will be fixed.


Ian Jackson <ijackson@chiark.greenend.org.uk>   These opinions are my own.

If I emailed you from an address @fyvzl.net or @evade.org.uk, that is
a private address which bypasses my fierce spamfilter.

Reply to: