Bug#1107323: unblock: libfile-find-rule-perl/0.34-4
Salvatore Bonaccorso
carnil at debian.org
Thu Jun 5 16:59:16 BST 2025
Package: release.debian.org
Severity: normal
X-Debbugs-Cc: libfile-find-rule-perl at packages.debian.org, Debian Perl Group <pkg-perl-maintainers at lists.alioth.debian.org>, Niko Tyni <ntyni at iki.fi>, gregor herrmann <gregoa at debian.org>, Angel Abad <angel at debian.org>, carnil at debian.org
Control: affects -1 + src:libfile-find-rule-perl
User: release.debian.org at packages.debian.org
Usertags: unblock
Hi
Please unblock package libfile-find-rule-perl
[ Reason ]
It was discovered that libfile-find-rule-perl, a module to search for
files based on rules, is vulnerable to arbitrary code execution when
grep() encounters a crafted file name.
A DSA for this issue was released as DSA 5936-1 for bookworm.
[ Impact ]
Trixie remains vulnerable to the arbitrary code execution flaw and
there is a regression from bookworm in this regard.
[ Tests ]
The upstream advisory provides a test:
$ mkdir /tmp/poc; echo > "/tmp/poc/|id"
$ perl -MFile::Find::Rule \
-E 'File::Find::Rule->grep("foo")->in("/tmp/poc")'
Additionally, the package passes its test suite.
[ Risks ]
Low, the open now uses the 3-arg variant.
[ Checklist ]
[x] all changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in testing
[ Other info ]
Nothing needed.
unblock libfile-find-rule-perl/0.34-4
Regards,
Salvatore
-------------- next part --------------
diff -Nru libfile-find-rule-perl-0.34/debian/changelog libfile-find-rule-perl-0.34/debian/changelog
--- libfile-find-rule-perl-0.34/debian/changelog 2022-11-19 17:06:52.000000000 +0100
+++ libfile-find-rule-perl-0.34/debian/changelog 2025-06-05 14:26:45.000000000 +0200
@@ -1,3 +1,10 @@
+libfile-find-rule-perl (0.34-4) unstable; urgency=high
+
+ * Team upload.
+ * Fix for CVE-2011-10007: Use 3 arg open in grep() (Closes: #1107311)
+
+ -- Salvatore Bonaccorso <carnil at debian.org> Thu, 05 Jun 2025 14:26:45 +0200
+
libfile-find-rule-perl (0.34-3) unstable; urgency=medium
[ Debian Janitor ]
diff -Nru libfile-find-rule-perl-0.34/debian/patches/Fix-for-CVE-2011-10007-Use-3-arg-open-in-grep.patch libfile-find-rule-perl-0.34/debian/patches/Fix-for-CVE-2011-10007-Use-3-arg-open-in-grep.patch
--- libfile-find-rule-perl-0.34/debian/patches/Fix-for-CVE-2011-10007-Use-3-arg-open-in-grep.patch 1970-01-01 01:00:00.000000000 +0100
+++ libfile-find-rule-perl-0.34/debian/patches/Fix-for-CVE-2011-10007-Use-3-arg-open-in-grep.patch 2025-06-05 14:26:45.000000000 +0200
@@ -0,0 +1,29 @@
+From: Stig Palmquist <git at stig.io>
+Date: Thu, 5 Jun 2025 12:58:45 +0200
+Subject: Fix for CVE-2011-10007: Use 3 arg open in grep()`
+Origin: https://github.com/richardc/perl-file-find-rule/commit/df58128bcee4c1da78c34d7f3fe1357e575ad56f
+Bug: https://rt.cpan.org/Public/Bug/Display.html?id=64504
+Bug-Debian: https://bugs.debian.org/1107311
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2011-10007
+Bug: https://github.com/richardc/perl-file-find-rule/pull/4
+
+---
+ lib/File/Find/Rule.pm | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/File/Find/Rule.pm b/lib/File/Find/Rule.pm
+index feccc76f9fcb..d4dc4754d309 100644
+--- a/lib/File/Find/Rule.pm
++++ b/lib/File/Find/Rule.pm
+@@ -420,7 +420,7 @@ sub grep {
+
+ $self->exec( sub {
+ local *FILE;
+- open FILE, $_ or return;
++ open FILE, '<', $_ or return;
+ local ($_, $.);
+ while (<FILE>) {
+ for my $p (@pattern) {
+--
+2.49.0
+
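Review bot: the DEP-3 `Subject:` line of the new patch file carries a stray trailing backtick after `grep()`; it should read `Subject: Fix for CVE-2011-10007: Use 3 arg open in grep()` so the header matches the changelog entry and the commit title it was taken from. The one-line change in the hunk is the correct fix: with the two-argument form `open FILE, $_ or return;` Perl inspects the file name itself, so a leading or trailing `|` turns the open into a command pipe and a leading `<`, `>` or `+<` (or a bare `-`) is taken as a mode or standard input, whereas `open FILE, '<', $_ or return;` fixes the mode and passes the name through verbatim; the `or return` short-circuit is kept, so unreadable files are still skipped as before.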
diff -Nru libfile-find-rule-perl-0.34/debian/patches/series libfile-find-rule-perl-0.34/debian/patches/series
--- libfile-find-rule-perl-0.34/debian/patches/series 2022-11-19 17:06:52.000000000 +0100
+++ libfile-find-rule-perl-0.34/debian/patches/series 2025-06-05 14:26:45.000000000 +0200
@@ -1 +1,2 @@
sequential_slashes.patch
+Fix-for-CVE-2011-10007-Use-3-arg-open-in-grep.patch
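As an added example (not code from File::Find::Rule, the upstream commit or this request): a minimal grep-style search that uses the three-argument open the patch introduces, run over a constructed temporary directory whose file names would be misread by two-argument open, plus a small audit helper that flags such names. It uses only core modules (File::Temp, File::Spec); the function names are this example's own.

```perl
# Added example; not part of File::Find::Rule or the Debian patch.
use strict;
use warnings;
use File::Temp qw(tempdir);
use File::Spec;

# Search the regular files in $dir for lines matching $re. The 3-arg open
# fixes the mode to '<', so $path is taken literally: a leading '|' or '>'
# in the name cannot become a command pipe or a truncating write.
sub grep_files {
    my ($dir, $re) = @_;
    opendir(my $dh, $dir) or die "opendir $dir: $!";
    my @names = readdir $dh;
    closedir $dh;
    my @hits;
    for my $name (sort @names) {
        next if $name eq '.' or $name eq '..';
        my $path = File::Spec->catfile($dir, $name);
        next unless -f $path;
        open(my $fh, '<', $path) or next;   # unreadable files are skipped
        while (my $line = <$fh>) {
            if ($line =~ $re) { push @hits, $name; last; }
        }
        close $fh;
    }
    return @hits;
}

# Audit helper (this example's own): true when 2-arg open would not treat
# $name as a plain path: it strips surrounding whitespace, reads a leading
# '<', '>', '+<', '+>' or '|' and a trailing '|' as mode or pipe markers,
# and takes a bare '-' as standard input.
sub risky_for_two_arg_open {
    my ($name) = @_;
    return 1 if $name =~ /^\s|\s$/;
    return 1 if $name =~ /^(?:\+?[<>]|\|)/ or $name =~ /\|$/;
    return 1 if $name eq '-';
    return 0;
}

# Constructed sample directory: harmless content behind awkward names.
my $dir = tempdir(CLEANUP => 1);
for my $name ('plain.txt', ' leading-space.txt', '|looks-like-a-pipe') {
    open(my $out, '>', File::Spec->catfile($dir, $name)) or die "create: $!";
    print $out "foo bar\n";
    close $out;
}
for my $name (grep_files($dir, qr/foo/)) {
    printf "%-22s matched; risky under 2-arg open: %s\n",
        $name, risky_for_two_arg_open($name) ? 'yes' : 'no';
}
```

All three constructed files are reported as matches because their contents are read as data; the audit column shows which of the names would have been reinterpreted by the old two-argument call.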