oss-sec mailing list archives

Re: Net::Ping::External command injections


From: Salvatore Bonaccorso <carnil () debian org>
Date: Tue, 7 Nov 2017 22:00:19 +0100

Hi

On Tue, Nov 07, 2017 at 05:51:27PM +0100, Matthias Weckbecker wrote:
> Hi,
>
> Net::Ping::External [0] is prone to command injection vulnerabilities.
>
> The issues are roughly 10 (!) years old [1], but the code is still being
> shipped these days (e.g. in ubuntu artful and debian stretch [2]).
>
> I had contacted the author of the code a few days ago, but obviously did
> not get any reaction.
>
> A patch is available here:
>
>   http://matthias.sdfeu.org/devel/net-ping-external-cmd-injection.patch

This issue has been assigned CVE-2008-7319 by MITRE.

Regards,
Salvatore

