Web lists-archives.com

Re: Potentially insecure Perl scripts




Ian Jackson writes ("Re: Potentially insecure Perl scripts"):
> Vincent Lefevre writes ("Potentially insecure Perl scripts"):
> > I've just reported
> >   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=920269
> > against gropdf (also reported upstream to bug-groff), about the use of
> > the insecure null filehandle "<>" in Perl, which can lead to arbitrary
> > command execution, e.g. when using wildcards.
> > 
> > I've noticed that some other Perl scripts also use this filehandle and
> > might be affected by the same issue.
> 
> OMFG.  This is worse than shellshock.
> 
>   $ perl -pe 's/^/got /' "whoami|"
>   got iwj
>   $

Apparently this has been klnown about for EIGHTEEN YEARS
  https://rt.perl.org/Public/Bug/Display.html?id=2783
and no-one has fixed it or even documented it.

I think this is a serious bug in Perl which should be fixed in a
security update.

Debian Perl maintainers, can you please tell me whether you agree, and
if so whether you intend to prepare a security update ?

IMO the correct behaviour for <> and -p and -e should be to special
case "-" (which usual filename argument unquoting will often deal
with) and otherwise use the three-argument form of the builtin
open.  The tiny number of programs broken by such a change will be
massively outweighed by the large number of hideous security bugs
which will be fixed.

Ian.

-- 
Ian Jackson <ijackson@xxxxxxxxxxxxxxxxxxxxxx>   These opinions are my own.

If I emailed you from an address @fyvzl.net or @evade.org.uk, that is
a private address which bypasses my fierce spamfilter.