Re: Potentially insecure Perl scripts

To: debian-devel@lists.debian.org
Cc: debian-perl@lists.debian.org
Subject: Re: Potentially insecure Perl scripts
From: Alex Mestiashvili <amestia@rsh2.donotuse.de>
Date: Wed, 23 Jan 2019 16:36:35 +0100
Message-id: <[🔎] 1f0acee6-9c58-0bff-80fc-f1f21d390fa3@rsh2.donotuse.de>
In-reply-to: <20190123130554.GA23813@cventin.lip.ens-lyon.fr>
References: <20190123130554.GA23813@cventin.lip.ens-lyon.fr>

On 1/23/19 2:05 PM, Vincent Lefevre wrote:
> Hi,
> 
> I've just reported
> 
>   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=920269
> 
> against gropdf (also reported upstream to bug-groff), about the use of
> the insecure null filehandle "<>" in Perl, which can lead to arbitrary
> command execution, e.g. when using wildcards.
> 
> I've noticed that some other Perl scripts also use this filehandle and
> might be affected by the same issue.
> 

Hi,

while gropdf lacks input sanitizationm which is definitely bad, the use
of diamond operator is totally fine and doesn't make scripts insecure.

One can run perl in tainted mode ( perl -T) to detect stuff like that.

Best,
Alex

Reply to:

Prev by Date: Re: Updating Debian Perl group team page
Next by Date: LHF report (was: Low-hanging fruits reminder for 2019-01-21, 17:00 UTC (tomorrow))
Previous by thread: Attivazione bonus
Next by thread: Need Perl help for gff2aplot
Index(es):
- Date
- Thread