========================================================================
CVE-2011-10007                                       CPAN Security Group
========================================================================

        CVE ID:  CVE-2011-10007
  Distribution:  File-Find-Rule
      Versions:  through 0.34

      MetaCPAN:  https://metacpan.org/dist/File-Find-Rule
      VCS Repo:  https://github.com/richardc/perl-file-find-rule


File::Find::Rule through 0.34 for Perl is vulnerable to Arbitrary Code
Execution when `grep()` encounters a crafted file name

Description
-----------
File::Find::Rule through 0.34 for Perl is vulnerable to Arbitrary Code
Execution when `grep()` encounters a crafted filename.

A file handle is opened with the two-argument form of `open()`, allowing
an attacker-controlled filename to provide the MODE parameter to
`open()`, turning the filename into a command to be executed.

Example:

$ mkdir /tmp/poc; echo > "/tmp/poc/|id"
$ perl -MFile::Find::Rule \
    -E 'File::Find::Rule->grep("foo")->in("/tmp/poc")'
uid=1000(user) gid=1000(user) groups=1000(user),100(users)
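
The same filename-as-mode parsing with a harmless name, as an added
example that is not from the advisory or from File::Find::Rule: a
constructed file named `>notes` makes the two-argument `open()` open
`notes` for writing and truncate it (the behaviour in the 2011 report),
while the three-argument form reads the literal file. The helper and
file names are made up for the illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Cwd qw(getcwd);
use File::Temp qw(tempdir);

# Constructed sample data: a scratch directory holding a normal file "notes"
# and a second file whose name starts with the ">" mode character.
# File::Find chdirs into each directory by default, so $_ is a bare name
# like this one; the demo does the same with an explicit chdir.
my $start = getcwd();
my $dir   = tempdir(CLEANUP => 1);
chdir $dir or die "chdir $dir: $!";
write_file('notes',  "keep me\n");
write_file('>notes', "foo\n");

sub write_file {
    my ($name, $text) = @_;
    open my $fh, '>', $name or die "open $name: $!";  # name is taken literally
    print {$fh} $text;
    close $fh or die "close $name: $!";
}

# Two-argument form, as in File::Find::Rule through 0.34: mode characters
# at the start or end of the name are interpreted by open().
sub first_line_two_arg {
    my ($name) = @_;
    no warnings 'io';    # reading a handle opened for output warns
    open my $fh, $name or return;
    return scalar <$fh>;
}

# Three-argument form, as in the fix: the mode is fixed to read-only.
sub first_line_three_arg {
    my ($name) = @_;
    open my $fh, '<', $name or return;
    return scalar <$fh>;
}

for my $case (['three-arg', \&first_line_three_arg],
              ['two-arg',   \&first_line_two_arg]) {
    my ($label, $reader) = @$case;
    my $line = $reader->('>notes');
    chomp $line if defined $line;
    printf "%-9s read %-9s 'notes' is %d bytes\n",
        $label, defined $line ? "'$line'" : 'nothing', (-s 'notes') || 0;
}
chdir $start or die "chdir $start: $!";  # leave the scratch dir before cleanup
```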

Problem types
-------------
- CWE-78 Improper Neutralization of Special Elements used in an OS
  Command ('OS Command Injection')

Solutions
---------
Users should update to a fixed version when available, or apply the
patch provided in the references section, or use a patched version
provided by their OS distribution.


References
----------
https://metacpan.org/release/RCLAMP/File-Find-Rule-0.34/source/lib/File/Find/Rule.pm#L423
https://rt.cpan.org/Public/Bug/Display.html?id=64504
https://github.com/richardc/perl-file-find-rule/pull/4
https://github.com/richardc/perl-file-find-rule/commit/df58128bcee4c1da78c34d7f3fe1357e575ad56f.patch

Timeline
--------
- 2011-01-04: A bug was reported by Kevin Ryde to the upstream RT
  bugtracker described as "grep() can truncate files".
- 2025-06-04: CPANSec became aware of the bug and started triage. Code
  execution impact was confirmed, a patch was made, and the author, the
  distros list and additional downstream vendors were notified.

From e38923179b889e7b03e549130a38ec4e4a28b7d8 Mon Sep 17 00:00:00 2001
From: Stig Palmquist <s...@stig.io>
Date: Thu, 5 Jun 2025 03:45:50 +0200
Subject: [PATCH] Fix CVE-2011-10007 for File::Find::Rule

---
 lib/File/Find/Rule.pm | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/File/Find/Rule.pm b/lib/File/Find/Rule.pm
index feccc76..d4dc475 100644
--- a/lib/File/Find/Rule.pm
+++ b/lib/File/Find/Rule.pm
@@ -420,7 +420,7 @@ sub grep {
 
     $self->exec( sub {
         local *FILE;
-        open FILE, $_ or return;
+        open FILE, '<', $_ or return;
         local ($_, $.);
         while (<FILE>) {
             for my $p (@pattern) {
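Review bot: the replaced `open` line at the top of the `exec` callback comes without a regression test; the diffstat touches only lib/File/Find/Rule.pm. A test that runs `grep()` over a temporary directory containing a file whose name begins with `>` or `|`, and asserts that the name is opened as a literal path, would keep the two-argument form from coming back. As a follow-up, the `local *FILE` glob could become a lexical handle (`open my $fh, '<', $_ or return;`), with `while (<FILE>)` changed to `while (<$fh>)` to match.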
-- 
2.49.0
