Package: release.debian.org
Severity: normal
X-Debbugs-Cc: [email protected], Debian Perl Group
<[email protected]>, Niko Tyni <[email protected]>,
gregor herrmann <[email protected]>, Angel Abad <[email protected]>,
[email protected]
Control: affects -1 + src:libfile-find-rule-perl
User: [email protected]
Usertags: unblock
Hi
Please unblock package libfile-find-rule-perl
[ Reason ]
It was discovered that libfile-find-rule-perl, a module to search for
files based on rules, is vulnerable to arbitrary code execution when
grep() encounters a crafted file name.
A DSA for this issue was released as DSA 5936-1 for bookworm.
[ Impact ]
Trixie remains vulnerable to the arbitrary code execution flaw and
there is a regression from bookworm on this regard.
[ Tests ]
Upstream advisory provides a test:
$ mkdir /tmp/poc; echo > "/tmp/poc/|id"
$ perl -MFile::Find::Rule \
-E 'File::Find::Rule->grep("foo")->in("/tmp/poc")'
Additionally the package passes its testsuite.
[ Risks ]
Low, the open uses now the 3-args variant.
[ Checklist ]
[x] all changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in testing
[ Other info ]
Nothing needed.
unblock libfile-find-rule-perl/0.34-4
Regards,
Salvatore
diff -Nru libfile-find-rule-perl-0.34/debian/changelog
libfile-find-rule-perl-0.34/debian/changelog
--- libfile-find-rule-perl-0.34/debian/changelog 2022-11-19
17:06:52.000000000 +0100
+++ libfile-find-rule-perl-0.34/debian/changelog 2025-06-05
14:26:45.000000000 +0200
@@ -1,3 +1,10 @@
+libfile-find-rule-perl (0.34-4) unstable; urgency=high
+
+ * Team upload.
+ * Fix for CVE-2011-10007: Use 3 arg open in grep() (Closes: #1107311)
+
+ -- Salvatore Bonaccorso <[email protected]> Thu, 05 Jun 2025 14:26:45 +0200
+
libfile-find-rule-perl (0.34-3) unstable; urgency=medium
[ Debian Janitor ]
diff -Nru
libfile-find-rule-perl-0.34/debian/patches/Fix-for-CVE-2011-10007-Use-3-arg-open-in-grep.patch
libfile-find-rule-perl-0.34/debian/patches/Fix-for-CVE-2011-10007-Use-3-arg-open-in-grep.patch
---
libfile-find-rule-perl-0.34/debian/patches/Fix-for-CVE-2011-10007-Use-3-arg-open-in-grep.patch
1970-01-01 01:00:00.000000000 +0100
+++
libfile-find-rule-perl-0.34/debian/patches/Fix-for-CVE-2011-10007-Use-3-arg-open-in-grep.patch
2025-06-05 14:26:45.000000000 +0200
@@ -0,0 +1,29 @@
+From: Stig Palmquist <[email protected]>
+Date: Thu, 5 Jun 2025 12:58:45 +0200
+Subject: Fix for CVE-2011-10007: Use 3 arg open in grep()`
+Origin:
https://github.com/richardc/perl-file-find-rule/commit/df58128bcee4c1da78c34d7f3fe1357e575ad56f
+Bug: https://rt.cpan.org/Public/Bug/Display.html?id=64504
+Bug-Debian: https://bugs.debian.org/1107311
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2011-10007
+Bug: https://github.com/richardc/perl-file-find-rule/pull/4
+
+---
+ lib/File/Find/Rule.pm | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/File/Find/Rule.pm b/lib/File/Find/Rule.pm
+index feccc76f9fcb..d4dc4754d309 100644
+--- a/lib/File/Find/Rule.pm
++++ b/lib/File/Find/Rule.pm
+@@ -420,7 +420,7 @@ sub grep {
+
+ $self->exec( sub {
+ local *FILE;
+- open FILE, $_ or return;
++ open FILE, '<', $_ or return;
+ local ($_, $.);
+ while (<FILE>) {
+ for my $p (@pattern) {
+--
+2.49.0
+
diff -Nru libfile-find-rule-perl-0.34/debian/patches/series
libfile-find-rule-perl-0.34/debian/patches/series
--- libfile-find-rule-perl-0.34/debian/patches/series 2022-11-19
17:06:52.000000000 +0100
+++ libfile-find-rule-perl-0.34/debian/patches/series 2025-06-05
14:26:45.000000000 +0200
@@ -1 +1,2 @@
sequential_slashes.patch
+Fix-for-CVE-2011-10007-Use-3-arg-open-in-grep.patch
