oss-sec mailing list archives
Net::Ping::External command injections
From: Matthias Weckbecker <matthias () weckbecker name>
Date: Tue, 7 Nov 2017 17:51:27 +0100
Hi,

Net::Ping::External [0] is prone to command injection vulnerabilities. The issues are roughly 10 (!) years old [1], but the code is still being shipped these days (e.g. in ubuntu artful and debian stretch [2]).

I had contacted the author of the code a few days ago, but obviously did not get any reaction. A patch is available here:

http://matthias.sdfeu.org/devel/net-ping-external-cmd-injection.patch

Maybe time to just patch it downstream? Or drop this pkg. altogether?

Thanks,
Matthias

--
[0] https://metacpan.org/pod/Net::Ping::External
[1] https://rt.cpan.org/Public/Dist/Display.html?Name=Net-Ping-External (id #33230)
[2] https://packages.debian.org/stable/perl/libnet-ping-external-perl \
    https://launchpad.net/ubuntu/+source/libnet-ping-external-perl