oss-sec mailing list archives

Re: Net::Ping::External command injections


From: Charlie Brady <charlieb-oss-security () budge apana org au>
Date: Tue, 7 Nov 2017 12:22:07 -0500 (EST)


Is the primary fault in Net::Ping::External, or in whatever software takes 
untrusted input and uses it to construct args used in 
Net::Ping::External->ping()?

On Tue, 7 Nov 2017, Matthias Weckbecker wrote:

Hi,

Net::Ping::External [0] is prone to command injection vulnerabilities.

The issues are roughly 10 (!) years old [1], but the code is still being
shipped these days (e.g. in ubuntu artful and debian stretch [2]).

I had contacted the author of the code a few days ago, but obviously did
not get any reaction.

A patch is available here:

  http://matthias.sdfeu.org/devel/net-ping-external-cmd-injection.patch

Maybe time to just patch it downstream? Or drop this pkg. altogether?

Thanks,
Matthias

--
[0] https://metacpan.org/pod/Net::Ping::External
[1] https://rt.cpan.org/Public/Dist/Display.html?Name=Net-Ping-External
    (id #33230)
[2] https://packages.debian.org/stable/perl/libnet-ping-external-perl \
    https://launchpad.net/ubuntu/+source/libnet-ping-external-perl
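As an added illustration of the bug class under discussion (this is example code written for this page, not code from the thread, from Net::Ping::External, or from the linked patch), the snippet below puts the two layers Charlie asks about side by side: a wrapper that hands one interpolated string to the shell, and a hardened wrapper that allow-lists the host syntax and then runs ping with list-form system() so no shell is involved. The function names, the validation regexes and the sample inputs are all constructed for this example.

```perl
#!/usr/bin/perl
# Added example, not part of the oss-sec thread or of Net::Ping::External.
# Shows a shell-interpolating ping wrapper next to a hardened one.
use strict;
use warnings;

# Constructed sample inputs: one ordinary host name, one carrying a
# shell metacharacter that a string-form command would interpret.
my @samples = ('example.org', 'example.org; echo injected');

# UNSAFE pattern: the whole command is one string, so Perl runs it via
# /bin/sh and anything after ';' in $host becomes a second command.
# Returned, not executed, so the demo stays inert.
sub unsafe_ping_cmd {
    my ($host) = @_;
    return "ping -c 1 $host";
}

# Hardened step 1: allow-list the host syntax before it goes anywhere.
# Accepts DNS host names (labels of letters, digits, hyphens) and
# IPv4/IPv6 literals (digits, hex, dots, colons). Everything else is
# rejected, including whitespace, quotes and shell metacharacters.
sub valid_host {
    my ($host) = @_;
    return 0 unless defined $host && length $host <= 253;
    return 1 if $host =~ /\A[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?
                          (?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*\z/x;
    return 1 if $host =~ /\A[0-9A-Fa-f:.]+\z/;   # loose IP literal check
    return 0;
}

# Hardened step 2: list-form system() with an explicit program name.
# Perl execs ping directly, each element is one argv entry, and no shell
# ever parses $host. "--" is defence in depth so a value starting with
# "-" cannot be read as a ping option (valid_host already rejects it).
sub safe_ping {
    my ($host) = @_;
    die "refusing host: $host\n" unless valid_host($host);
    my @argv = ('ping', '-c', '1', '--', $host);
    my $rc = system { $argv[0] } @argv;
    return $rc == 0;
}

# Demo: show what the unsafe wrapper would hand to the shell and what the
# validator decides. safe_ping() is not called here because it needs a
# network; callers would use it in place of the string-building version.
for my $h (@samples) {
    printf "input:      %s\n", $h;
    printf "  unsafe:   %s\n", unsafe_ping_cmd($h);
    printf "  validate: %s\n\n", valid_host($h) ? 'accepted' : 'rejected';
}
```

The point relevant to the "whose fault is it" question: the module is the right place to stop using the shell (list-form system or IPC::Run style argument lists), and the caller is the right place to decide what a host name may look like. Either layer alone closes the injection; doing both means a regression in one does not reopen it.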
