[Bug 203667] devel/p5-UI-Dialog: update 1.09 -> 1.11 (CVE-2008-7315)
bugzilla-noreply at freebsd.org
bugzilla-noreply at freebsd.org
Fri Oct 9 23:35:35 UTC 2015
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=203667
Bug ID: 203667
Summary: devel/p5-UI-Dialog: update 1.09 -> 1.11
(CVE-2008-7315)
Product: Ports & Packages
Version: Latest
Hardware: Any
OS: Any
Status: New
Keywords: security
Severity: Affects Some People
Priority: ---
Component: Individual Port(s)
Assignee: perl at FreeBSD.org
Reporter: junovitch at freebsd.org
Assignee: perl at FreeBSD.org
Flags: maintainer-feedback?(perl at FreeBSD.org)
http://www.openwall.com/lists/oss-security/2015/10/08/6
"Use CVE-2008-7315.
Note that bug-report discussion debates the question of whether this
is a vulnerability. Our feeling is that "I have a script that parses
URLs from an e-mail and uses UI::dialog to prompt me to select one.
This means that sending me a specially crafted e-mail could cause
execution of arbitrary commands" is a plausible use case and that the
current documentation at http://search.cpan.org/~kck/UI-Dialog/
doesn't exclude this use case. Also, the code analysis in 107364
suggests that some or all parts of the product were attempting to
address input containing ` characters."
Commit for CVE-2008-7315 (despite the date, this was assigned yesterday):
https://github.com/kckrinke/UI-Dialog/commit/6adc44cc636c615d76297d86835e1a997681eb61
Commit for 1.11 version bump:
https://github.com/kckrinke/UI-Dialog/commit/f311ecdaa80b895bf4a0f674e05df4e4e54a58c1
Upstream bug for CVE-2008-7315:
https://rt.cpan.org/Public/Bug/Display.html?id=107364
--
You are receiving this mail because:
You are the assignee for the bug.
More information about the freebsd-perl
mailing list