oss-sec mailing list archives
Re: Net::Ping::External command injections
From: Charlie Brady <charlieb-oss-security () budge apana org au>
Date: Tue, 7 Nov 2017 12:22:07 -0500 (EST)
Is the primary fault in Net::Ping::External, or in whatever software takes untrusted input and uses it to construct args used in Net::Ping::External->ping()?

On Tue, 7 Nov 2017, Matthias Weckbecker wrote:

> Hi,
>
> Net::Ping::External [0] is prone to command injection vulnerabilities. The issues are roughly 10 (!) years old [1], but the code is still being shipped these days (e.g. in ubuntu artful and debian stretch [2]).
>
> I had contacted the author of the code a few days ago, but obviously did not get any reaction.
>
> A patch is available here:
> http://matthias.sdfeu.org/devel/net-ping-external-cmd-injection.patch
>
> Maybe time to just patch it downstream? Or drop this pkg. altogether?
>
> Thanks,
> Matthias
>
> --
> [0] https://metacpan.org/pod/Net::Ping::External
> [1] https://rt.cpan.org/Public/Dist/Display.html?Name=Net-Ping-External (id #33230)
> [2] https://packages.debian.org/stable/perl/libnet-ping-external-perl \
>     https://launchpad.net/ubuntu/+source/libnet-ping-external-perl
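The two layers Charlie's question separates, the caller's input handling and the module's command construction, as an added illustration in Perl (example code written for this note, not Net::Ping::External's own code nor the linked patch): the unsafe pattern hands an interpolated string to /bin/sh, while the hardened wrapper validates the host and uses the list form of system(), which never starts a shell. The hostname/IPv4 rules and the timeout bound are assumptions chosen for the example.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Accept only an RFC 1123 style hostname or a dotted-quad IPv4 address
# (assumed policy for this example; IPv6 is deliberately not covered).
sub is_safe_host {
    my ($host) = @_;
    return 0 unless defined $host && length($host) > 0 && length($host) <= 253;
    return 1 if $host =~ /\A(?:\d{1,3}\.){3}\d{1,3}\z/;
    my $label = qr/[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?/;
    return $host =~ /\A(?:$label\.)*$label\z/ ? 1 : 0;
}

# Vulnerable pattern: the host string is interpolated into a command line
# that /bin/sh parses, so shell metacharacters in $host become commands.
sub ping_unsafe {
    my ($host, $timeout) = @_;
    my $out = `ping -c 1 -W $timeout $host 2>&1`;
    return $? == 0;
}

# Hardened pattern: validate first, then call system() in LIST form so the
# arguments go straight to execve() with no shell in between.
sub ping_safe {
    my ($host, $timeout) = @_;
    die "refusing unsafe host\n" unless is_safe_host($host);
    die "timeout must be 1..999 seconds\n"
        unless defined $timeout && $timeout =~ /\A[1-9]\d{0,2}\z/;
    # '--' stops option parsing (getopt convention), so a value that starts
    # with '-' can never be read by ping as a flag.
    my $rc = system('ping', '-c', '1', '-W', $timeout, '--', $host);
    return $rc == 0;
}

# Constructed sample inputs: the last three must be rejected before any
# external command is built.
for my $h ('localhost', '127.0.0.1', 'example.com', 'a;b', '-I eth0', '') {
    printf "%-14s %s\n", "'$h'", is_safe_host($h) ? 'accepted' : 'rejected';
}
```

Validating at the call site answers the "whatever software takes untrusted input" half of the question; using the list form inside the module answers the other half, and a robust fix does both.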
Current thread:
- Net::Ping::External command injections Matthias Weckbecker (Nov 07)
- Re: Net::Ping::External command injections Charlie Brady (Nov 07)
- Re: Net::Ping::External command injections Simon McVittie (Nov 07)
- Re: Net::Ping::External command injections Salvatore Bonaccorso (Nov 07)