Bug 203667 - devel/p5-UI-Dialog: patch 1.09 for shell command execution bug (CVE-2008-7315)
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: --- Affects Some People
Assignee: freebsd-perl (Nobody)
Keywords: security
Reported: 2015-10-09 23:35 UTC by Jason Unovitch
Modified: 2015-10-10 15:30 UTC (History)
bugzilla: maintainer-feedback? (perl)
Description Jason Unovitch freebsd_committer freebsd_triage 2015-10-09 23:35:34 UTC
http://www.openwall.com/lists/oss-security/2015/10/08/6
"Use CVE-2008-7315.

Note that bug-report discussion debates the question of whether this
is a vulnerability. Our feeling is that "I have a script that parses
URLs from an e-mail and uses UI::dialog to prompt me to select one.
This means that sending me a specially crafted e-mail could cause
execution of arbitrary commands" is a plausible use case and that the
current documentation at http://search.cpan.org/~kck/UI-Dialog/
doesn't exclude this use case. Also, the code analysis in 107364
suggests that some or all parts of the product were attempting to
address input containing ` characters."


Commit for CVE-2008-7315 (despite the date, this was assigned yesterday):
https://github.com/kckrinke/UI-Dialog/commit/6adc44cc636c615d76297d86835e1a997681eb61


Commit for 1.11 version bump:
https://github.com/kckrinke/UI-Dialog/commit/f311ecdaa80b895bf4a0f674e05df4e4e54a58c1


Upstream bug for CVE-2008-7315:
https://rt.cpan.org/Public/Bug/Display.html?id=107364
Comment 1 Jason Unovitch freebsd_committer freebsd_triage 2015-10-09 23:39:33 UTC
CPAN doesn't have the updated release yet despite the version bump on GitHub.  Seems to be some very specific cases for using this for anything nefarious but we might as well be safe and update to 1.11 as soon as it hits the mirrors.
Comment 2 Mathieu Arnold freebsd_committer freebsd_triage 2015-10-10 07:09:22 UTC
Committed patch from github.
Comment 3 commit-hook freebsd_committer freebsd_triage 2015-10-10 07:09:45 UTC
A commit references this bug:

Author: mat
Date: Sat Oct 10 07:09:20 UTC 2015
New revision: 398978
URL: https://svnweb.freebsd.org/changeset/ports/398978

Log:
  Apply upstream patch fixing CVE-2008-7315.

  PR:		203667
  Obtained from:	https://github.com/kckrinke/UI-Dialog/commit/6adc44cc636c615d76297d86835e1a997681eb61
  Security:	CVE-2008-7315
  Sponsored by:	Absolight

Changes:
  head/devel/p5-UI-Dialog/Makefile
  head/devel/p5-UI-Dialog/files/
  head/devel/p5-UI-Dialog/files/patch-6adc44cc636c615d76297d86835e1a997681eb61
Comment 4 commit-hook freebsd_committer freebsd_triage 2015-10-10 07:10:47 UTC
A commit references this bug:

Author: mat
Date: Sat Oct 10 07:10:19 UTC 2015
New revision: 398979
URL: https://svnweb.freebsd.org/changeset/ports/398979

Log:
  MFH: r398978

  Apply upstream patch fixing CVE-2008-7315.

  PR:		203667
  Obtained from:	https://github.com/kckrinke/UI-Dialog/commit/6adc44cc636c615d76297d86835e1a997681eb61
  Security:	CVE-2008-7315
  Sponsored by:	Absolight

Changes:
_U  branches/2015Q4/
  branches/2015Q4/devel/p5-UI-Dialog/Makefile
  branches/2015Q4/devel/p5-UI-Dialog/files/
Comment 5 commit-hook freebsd_committer freebsd_triage 2015-10-10 15:27:44 UTC
A commit references this bug:

Author: junovitch
Date: Sat Oct 10 15:27:11 UTC 2015
New revision: 399004
URL: https://svnweb.freebsd.org/changeset/ports/399004

Log:
  Document shell command execution via improper escaping in p5-UI-Dialog

  PR:		203667
  Security:	CVE-2008-7315
  Security:	https://vuxml.FreeBSD.org/freebsd/00dadbf0-6f61-11e5-a2a1-002590263bf5.html

Changes:
  head/security/vuxml/vuln.xml
Comment 6 Jason Unovitch freebsd_committer freebsd_triage 2015-10-10 15:30:02 UTC
(In reply to Mathieu Arnold from comment #2)
Thanks!

Post close PR cleanup -- Fix title to reflect this isn't the "1.09 -> 1.11" update