
Re: Potentially insecure Perl scripts



Hi!

On Wed, 2019-01-23 at 14:05:54 +0100, Vincent Lefevre wrote:
> I've just reported
> 
>   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=920269
> 
> against gropdf (also reported upstream to bug-groff), about the use of
> the insecure null filehandle "<>" in Perl, which can lead to arbitrary
> command execution, e.g. when using wildcards.
> 
> I've noticed that some other Perl scripts also use this filehandle and
> might be affected by the same issue.

Part of the problem might also be that perlcritic recommends this in its
InputOutput::ProhibitExplicitStdin policy; you can see the description
with «perlcritic --doc InputOutput::ProhibitExplicitStdin».

For dpkg, for example, I completely disabled that policy as bogus when
hooking the perlcritic checks in:

  <https://git.dpkg.org/git/dpkg/dpkg.git/tree/t/critic/perlcriticrc#n67>

Thanks,
Guillem
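Added example, not part of the thread above nor of gropdf or dpkg: a drop-in replacement for the `while (<>) { ... }` idiom the messages discuss. The null filehandle opens each name in @ARGV with the two-argument open(), so characters such as a leading `|` or `>` in a name are interpreted as an open mode; an explicit three-argument open() treats the name only as a name (on Perl 5.22 and later the `<<>>` operator gives the same guarantee). The helper name, callback shape and the constructed demo file names are assumptions of this example.

```perl
#!/usr/bin/perl
# Added example (not code from the original thread, gropdf or dpkg):
# a safe replacement for the `while (<>) { ... }` loop.
#
# `<>` opens the names in @ARGV with the two-argument open(), so a name
# is parsed as a mode string: a leading '|' means "run as a pipe", a
# leading '>' means "open for writing", '-' means STDIN.  A three-argument
# open() with an explicit '<' mode never interprets the name that way.
use strict;
use warnings;

# Iterate over the files named in @files (STDIN when none are given), like
# `<>` does, but open each one with an explicit '<' mode.  Returns the
# number of names that could not be opened.
sub process_inputs {
    my ($callback, @files) = @_;
    @files = ('-') unless @files;        # same default as `<>`: read STDIN
    my $errors = 0;
    for my $name (@files) {
        my $fh;
        if ($name eq '-') {              # '-' is only magic if we say so
            $fh = \*STDIN;
        } elsif (!open($fh, '<', $name)) {   # three-arg open: no mode magic
            warn "cannot open '$name': $!\n";
            $errors++;
            next;
        }
        while (my $line = <$fh>) {
            $callback->($name, $., $line);
        }
        close($fh) unless $name eq '-';
    }
    return $errors;
}

# Demonstration with constructed names: the second one starts with '|',
# which two-argument open() would treat as a pipe; here it is simply a
# file that does not exist and is reported as such.
my @args = @ARGV ? @ARGV : ('/etc/hostname', '|this-is-just-a-file-name');
my $failed = process_inputs(sub {
    my ($name, $lineno, $line) = @_;
    print "$name:$lineno: $line";
}, @args);
exit($failed ? 1 : 0);
```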
