oss-sec mailing list archives

CVE request - perl library UI::Dialog 1.09 - shell escaping vulnerability


From: Matthijs Kooijman <matthijs () stdin nl>
Date: Thu, 8 Oct 2015 14:29:30 +0200

Hi folks,

can you please assign a CVE for the UI::Dialog perl library? I
(re)discovered a flaw that allows arbitrary command execution when the
library is given untrusted strings to show in a menu prompt.

The flaw was initially reported in 2008 at
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=496448 but it seems
this never reached upstream. I recently reported the bug upstream
https://rt.cpan.org/Public/Bug/Display.html?id=107364, see that report
for some additional details.

Upstream has indicated that they are working on a fix (see upstream bug), but no
patches are available yet.

Impact seems limited; I'm not aware of any well-known programs that use
this library and are vulnerable (only two Debian packages depend on it,
and both use a UI::Dialog backend that is unaffected).

Thanks,

Matthijs
