maintainer-feedback requested: [Bug 203667] devel/p5-UI-Dialog: update 1.09 -> 1.11 (CVE-2008-7315)
bugzilla-noreply at freebsd.org
bugzilla-noreply at freebsd.org
Fri Oct 9 23:35:34 UTC 2015
Jason Unovitch <junovitch at freebsd.org> has reassigned Bugzilla Automation
<bugzilla at FreeBSD.org>'s request for maintainer-feedback to perl at FreeBSD.org:
Bug 203667: devel/p5-UI-Dialog: update 1.09 -> 1.11 (CVE-2008-7315)
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=203667
--- Description ---
http://www.openwall.com/lists/oss-security/2015/10/08/6
"Use CVE-2008-7315.
Note that bug-report discussion debates the question of whether this
is a vulnerability. Our feeling is that "I have a script that parses
URLs from an e-mail and uses UI::dialog to prompt me to select one.
This means that sending me a specially crafted e-mail could cause
execution of arbitrary commands" is a plausible use case and that the
current documentation at http://search.cpan.org/~kck/UI-Dialog/
doesn't exclude this use case. Also, the code analysis in 107364
suggests that some or all parts of the product were attempting to
address input containing ` characters."
Commit for CVE-2008-7315 (despite the date, this was assigned yesterday):
https://github.com/kckrinke/UI-Dialog/commit/6adc44cc636c615d76297d86835e1a9976
81eb61
Commit for 1.11 version bump:
https://github.com/kckrinke/UI-Dialog/commit/f311ecdaa80b895bf4a0f674e05df4e4e5
4a58c1
Upstream bug for CVE-2008-7315:
https://rt.cpan.org/Public/Bug/Display.html?id=107364
More information about the freebsd-perl
mailing list