Bug#900942: Fwd: [ledgersmb-announce] Security announcement for CVE-2018-9246 / PGObject::Util::DBAdmin

Robert J. Clay rjclay at gmail.com
Thu Jun 7 04:12:27 BST 2018


Source: libpgobject-util-dbadmin-perl
Severity: grave
Tags: security

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-9246

---------- Forwarded message ---------
From: Erik Huelsmann <ehuels at gmail.com>
Date: Wed, Jun 6, 2018 at 6:36 PM
Subject: [ledgersmb-announce] Security announcement for CVE-2018-9246 / PGObject::Util::DBAdmin
To: <announce at lists.ledgersmb.org>


This mail is sent to this mailing list because PGObject::Util::DBAdmin
itself doesn't have a mailing list to send the disclosure to. We'll
update its repository to reflect the announcement below.


Please take note of the security advisory below, known as CVE-2018-9246.

   Nick Prater discovered that PGObject::Util::DBAdmin insufficiently
sanitizes or escapes variable values used as part of shell command
execution, resulting in shell code injection.
   The vulnerability allows an attacker to execute arbitrary code with the
same privileges as the running application through the create(), run_file(),
backup() and restore() functions.

Affected versions:
  PGObject::Util::DBAdmin versions 0.110.0 and lower.

Vulnerability type:
  Insufficiently sanitized arguments in external program invocation

Discoverer:
  Nick Prater (NP Broadcast LTD)

Resolution:
  Upgrade to PGObject::Util::DBAdmin 0.120.0 or newer. (0.130.0
available on CPAN).
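
The class of bug the advisory describes, shown as an added Perl illustration that is not part of the advisory and not code from PGObject::Util::DBAdmin: a value interpolated into a shell command string, next to the list form that bypasses the shell. The stand-in child process, the sample database name and the allowlist pattern are assumptions made for the demonstration.

```perl
#!/usr/bin/perl
# Added illustration; not code from PGObject::Util::DBAdmin.
use strict;
use warnings;

# Stand-in for an external tool such as createdb (assumption): it prints
# every argument it receives, so the output shows what the child really got.
my $script = 'print "arg=[$_]\n" for @ARGV';

# Constructed input: a database name carrying a shell metacharacter.
my $dbname = 'sales; echo SECOND_COMMAND_RAN';

# Weak form: the value is pasted into one command string, so /bin/sh parses
# it and the ";" ends the intended command and starts another.
sub run_via_shell {
    my ($name) = @_;
    my $cmd = join ' ', $^X, '-e', "'$script'", $name;
    my $out = qx{$cmd};
    return $out;
}

# Hardened form: list-form pipe open executes the program directly with no
# shell, so the value arrives as exactly one argument, whatever it contains.
sub run_without_shell {
    my ($name) = @_;
    open(my $fh, '-|', $^X, '-e', $script, $name) or die "cannot run: $!";
    my $out = do { local $/; <$fh> };
    close $fh;
    return $out;
}

# Defence in depth: accept only plain identifiers (assumed naming policy).
sub is_plain_identifier {
    my ($name) = @_;
    return $name =~ /\A[A-Za-z_][A-Za-z0-9_]{0,62}\z/ ? 1 : 0;
}

print "string form:\n", run_via_shell($dbname);
print "list form:\n",   run_without_shell($dbname);
for my $candidate ('sales_2018', $dbname) {
    printf "allowlist %s '%s'\n",
        is_plain_identifier($candidate) ? 'accepts' : 'rejects', $candidate;
}
```

When auditing callers of an affected version, the places to look are any code paths where request or configuration data reaches the arguments of create(), run_file(), backup() or restore().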


