[Bug 1210614] New: Shell command injection in c2ph tool
by Red Hat Bugzilla
https://bugzilla.redhat.com/show_bug.cgi?id=1210614
Bug ID: 1210614
Summary: Shell command injection in c2ph tool
Product: Fedora
Version: 21
Component: perl
Assignee: jplesnik(a)redhat.com
Reporter: ppisar(a)redhat.com
QA Contact: extras-qa(a)fedoraproject.org
CC: cweyl(a)alumni.drew.edu, iarnell(a)gmail.com,
jplesnik(a)redhat.com, kasal(a)ucw.cz,
perl-devel(a)lists.fedoraproject.org, ppisar(a)redhat.com,
psabata(a)redhat.com, rc040203(a)freenet.de,
tcallawa(a)redhat.com
The c2ph tool suffers from shell command injection:
$ c2ph -n '; id; x.c'
cc: fatal error: no input files
compilation terminated.
uid=500(petr) gid=500(petr) groups=500(petr),63(audio),100(users),478(mock)
context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
sh: x.c: command not found
Tested with perl-5.18.4-308.fc21.x86_64.
Reported to upstream <https://rt.perl.org/Ticket/Display.html?id=124275>.
--
You are receiving this mail because:
You are on the CC list for the bug.
[Bug 719874] New: perl-threads-lite keeps hanging during self checks
by Red Hat Bugzilla
https://bugzilla.redhat.com/show_bug.cgi?id=719874
Summary: perl-threads-lite keeps hanging during self checks
Product: Fedora
Version: rawhide
Platform: powerpc
OS/Version: Unspecified
Status: NEW
Severity: unspecified
Priority: unspecified
Component: perl-threads-lite
AssignedTo: ppisar(a)redhat.com
ReportedBy: karsten(a)redhat.com
QAContact: extras-qa(a)fedoraproject.org
CC: fedora-perl-devel-list(a)redhat.com,
mmaslano(a)redhat.com, ppisar(a)redhat.com,
psabata(a)redhat.com
Blocks: 718269
Classification: Fedora
Story Points: ---
Description of problem:
During a mass rebuild on PPC and PPC64, perl-threads-lite-0.031-2.fc16 gets
stuck while doing self checks on ppc. ppc64 completed the build just fine.
I have to either cancel the job or wait until mock gets a timeout.
Here's where it is hanging:
# Testing threads::lite 0.031, Perl 5.012003, /usr/bin/perl
t/00-load.t ....... ok
t/10-basics.t .....
Failed 5/6 subtests
Version-Release number of selected component (if applicable):
perl-threads-lite-0.031-2.fc16
Actual results:
http://ppc.koji.fedoraproject.org/koji/taskinfo?taskID=249482
Note how ppc64 completed the build within 2 minutes and ppc was still working
on it after more than 9 hours when I canceled the job.
[Bug 1205913] New: Please branch perl-Chart for EPEL7
by Red Hat Bugzilla
https://bugzilla.redhat.com/show_bug.cgi?id=1205913
Bug ID: 1205913
Summary: Please branch perl-Chart for EPEL7
Product: Fedora EPEL
Version: epel7
Component: perl-Chart
Assignee: psabata(a)redhat.com
Reporter: jamielinux(a)fedoraproject.org
QA Contact: extras-qa(a)fedoraproject.org
CC: perl-devel(a)lists.fedoraproject.org,
psabata(a)redhat.com, steve(a)silug.org
It seems to build fine using the f21 srpm. (The rawhide srpm complains that
perl-ExtUtils-MakeMaker is too old.)
[Bug 1185483] New: CVE-2014-8630 Bugzilla: Command Injection into product names and other attributes
by Red Hat Bugzilla
https://bugzilla.redhat.com/show_bug.cgi?id=1185483
Bug ID: 1185483
Summary: CVE-2014-8630 Bugzilla: Command Injection into product
names and other attributes
Product: Security Response
Component: vulnerability
Keywords: Security
Severity: medium
Priority: medium
Assignee: security-response-team(a)redhat.com
Reporter: kseifried(a)redhat.com
CC: bazanluis20(a)gmail.com, emmanuel(a)seyman.fr,
itamar(a)ispbrasil.com.br,
perl-devel(a)lists.fedoraproject.org,
xavier(a)bachelot.org
The Bugzilla project reports:
Class: Command Injection
Versions: All versions before 4.0.16, 4.1.1 to 4.2.11, 4.3.1 to 4.4.6,
4.5.1 to 4.5.6
Fixed In: 4.0.16, 4.2.12, 4.4.7, 5.0rc1
Description: Some code in Bugzilla does not properly utilize 3 arguments form
for open() and it is possible for an account with editcomponents
permissions to inject commands into product names and other
attributes.
References: https://bugzilla.mozilla.org/show_bug.cgi?id=1079065
CVE Number: CVE-2014-8630
External references:
http://www.bugzilla.org/security/4.0.15/
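The difference between the two-argument and three-argument forms of open() named in the CVE-2014-8630 description above, shown as an added Perl example. This is not Bugzilla's code; the sample name and the helper names slurp_two_arg and slurp_three_arg are constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use File::Temp qw(tempdir);

# Constructed sample value standing in for an attribute such as a product
# name. It ends in a pipe; the embedded command is a harmless echo.
my $name = 'echo command-ran |';

# Work in a scratch directory and create a real file with that exact name.
my $dir = tempdir(CLEANUP => 1);
chdir $dir or die "chdir $dir: $!";
open(my $out, '>', $name) or die "create: $!";
print {$out} "file contents\n";
close $out;

# Two-argument form: Perl takes the open mode from the string itself, so a
# trailing '|' makes it run the string as a command and read its output.
sub slurp_two_arg {
    my ($file) = @_;
    open(my $fh, $file) or return "open failed: $!\n";
    local $/;                      # slurp everything in one read
    my $data = <$fh>;
    close $fh;
    return $data;
}

# Three-argument form: the mode is fixed by the caller and the third
# argument is only ever treated as a literal file name.
sub slurp_three_arg {
    my ($file) = @_;
    open(my $fh, '<', $file) or return "open failed: $!\n";
    local $/;
    my $data = <$fh>;
    close $fh;
    return $data;
}

print "two-arg open:   ", slurp_two_arg($name);
print "three-arg open: ", slurp_three_arg($name);

chdir '/';                         # leave the scratch dir before cleanup
```

Run on a Unix-like system, the two-argument call returns the output of the echo command even though a file with that name exists, while the three-argument call returns the file's contents.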