http://www.openwall.com/lists/oss-security/2015/10/08/6 "Use CVE-2008-7315. Note that bug-report discussion debates the question of whether this is a vulnerability. Our feeling is that "I have a script that parses URLs from an e-mail and uses UI::dialog to prompt me to select one. This means that sending me a specially crafted e-mail could cause execution of arbitrary commands" is a plausible use case and that the current documentation at http://search.cpan.org/~kck/UI-Dialog/ doesn't exclude this use case. Also, the code analysis in 107364 suggests that some or all parts of the product were attempting to address input containing ` characters." Commit for CVE-2008-7315 (despite the date, this was assigned yesterday): https://github.com/kckrinke/UI-Dialog/commit/6adc44cc636c615d76297d86835e1a997681eb61 Commit for 1.11 version bump: https://github.com/kckrinke/UI-Dialog/commit/f311ecdaa80b895bf4a0f674e05df4e4e54a58c1 Upstream bug for CVE-2008-7315: https://rt.cpan.org/Public/Bug/Display.html?id=107364
CPAN doesn't have the updated release yet despite the version bump on Github. Seems to be some very specific cases for using this for anything nefarious but we minds well and be safe and update to 1.11 as soon as it hits the mirrors.
Committed patch from github.
A commit references this bug: Author: mat Date: Sat Oct 10 07:09:20 UTC 2015 New revision: 398978 URL: https://svnweb.freebsd.org/changeset/ports/398978 Log: Apply upstream patch fixing CVE-2008-7315. PR: 203667 Obtained from: https://github.com/kckrinke/UI-Dialog/commit/6adc44cc636c615d76297d86835e1a997681eb61 Security: CVE-2008-7315 Sponsored by: Absolight Changes: head/devel/p5-UI-Dialog/Makefile head/devel/p5-UI-Dialog/files/ head/devel/p5-UI-Dialog/files/patch-6adc44cc636c615d76297d86835e1a997681eb61
A commit references this bug: Author: mat Date: Sat Oct 10 07:10:19 UTC 2015 New revision: 398979 URL: https://svnweb.freebsd.org/changeset/ports/398979 Log: MFH: r398978 Apply upstream patch fixing CVE-2008-7315. PR: 203667 Obtained from: https://github.com/kckrinke/UI-Dialog/commit/6adc44cc636c615d76297d86835e1a997681eb61 Security: CVE-2008-7315 Sponsored by: Absolight Changes: _U branches/2015Q4/ branches/2015Q4/devel/p5-UI-Dialog/Makefile branches/2015Q4/devel/p5-UI-Dialog/files/
A commit references this bug: Author: junovitch Date: Sat Oct 10 15:27:11 UTC 2015 New revision: 399004 URL: https://svnweb.freebsd.org/changeset/ports/399004 Log: Document shell command execution via improper escaping in p5-UI-Dialog PR: 203667 Security: CVE-2008-7315 Security: https://vuxml.FreeBSD.org/freebsd/00dadbf0-6f61-11e5-a2a1-002590263bf5.html Changes: head/security/vuxml/vuln.xml
(In reply to Mathieu Arnold from comment #2) Thanks! Post close PR cleanup -- Fix title to reflect this isn't the "1.09 -> 1.11" update