Hi,

I've reported the following bug in the Debian BTS:

  https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=920269

According to the gropdf(1) man page:

  gropdf [-dels] [-F dir] [-I dir] [-p paper-size] [-u [cmapfile]] [-y foundry] [file ...]

but providing a "filename" with a pipe character can yield an
arbitrary command execution:

  $ touch foo
  $ ls foo
  foo
  $ gropdf "rm foo|"
  $ ls foo
  ls: cannot access 'foo': No such file or directory
  $

The reason is that gropdf is a Perl script that uses the insecure
null filehandle "<>". The perlop(1) man page says:

  Since the null filehandle uses the two argument form of "open" in
  perlfunc it interprets special characters, so if you have a script
  like this:

      while (<>) {
          print;
      }

  and call it with "perl dangerous.pl 'rm -rfv *|'", it actually
  opens a pipe, executes the "rm" command and reads "rm"'s output
  from that pipe.

-- 
Vincent Lefèvre <[email protected]> - Web: <https://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)
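Added example, not part of the original report and not gropdf's own code: the two-argument open that "<>" performs on each @ARGV element, beside a three-argument open that treats the same argument only as a path. The function names and the sample argument are constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample argument: a "file name" ending in a pipe character.
# A harmless echo stands in for the command.
my $arg = 'echo INJECTED|';

# What "<>" does for each element of @ARGV: a two-argument open, which
# interprets a trailing "|" as "run this command and read its output".
sub read_like_diamond {
    my ($name) = @_;
    open(my $fh, $name) or return "open failed: $!";
    my @lines = <$fh>;
    close $fh;
    return join '', @lines;
}

# Hardened form: a three-argument open with an explicit "<" mode, so the
# argument is only ever looked up as a file on disk.
sub read_as_file {
    my ($name) = @_;
    open(my $fh, '<', $name) or return "open failed: $!";
    my @lines = <$fh>;
    close $fh;
    return join '', @lines;
}

# Same argument, two different interpretations.
print "two-arg open:   ", read_like_diamond($arg), "\n";
print "three-arg open: ", read_as_file($arg), "\n";

# For scripts that loop over @ARGV, Perl 5.22 and later provide the
# double-diamond operator, which uses three-argument open internally:
#
#     while (<<>>) { print; }
```

The first call returns the output of the command, while the second fails to open because no file with that literal name exists.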
