Your message dated Thu, 05 Jun 2025 12:33:56 +0000
with message-id <e1un9na-008kx0...@fasolo.debian.org>
and subject line Bug#1107311: fixed in libfile-find-rule-perl 0.34-4
has caused the Debian Bug report #1107311,
regarding libfile-find-rule-perl: CVE-2011-10007
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1107311: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1107311
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: libfile-find-rule-perl
Version: 0.34-1
Severity: grave
Tags: security upstream
Justification: user security hole
Forwarded: https://github.com/richardc/perl-file-find-rule/pull/4
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>

Hi,

The following vulnerability was published for libfile-find-rule-perl.

CVE-2011-10007[0]:
| File::Find::Rule through 0.34 for Perl is vulnerable to Arbitrary
| Code Execution when `grep()` encounters a crafted filename.  A file
| handle is opened with the 2 argument form of `open()` allowing an
| attacker controlled filename to provide the MODE parameter to
| `open()`, turning the filename into a command to be executed.
| Example:
|
|   $ mkdir /tmp/poc; echo > "/tmp/poc/|id"
|   $ perl -MFile::Find::Rule \
|       -E 'File::Find::Rule->grep("foo")->in("/tmp/poc")'
|   uid=1000(user) gid=1000(user) groups=1000(user),100(users)


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2011-10007
    https://www.cve.org/CVERecord?id=CVE-2011-10007
[1] https://github.com/richardc/perl-file-find-rule/pull/4

Regards,
Salvatore

--- End Message ---
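
The three-argument open() that the report and the 0.34-4 changelog refer to, as an added example that is not File::Find::Rule's code or part of the original messages. The helper names grep_file and is_mode_like and the sample file names are hypothetical; the script searches a constructed tree and flags names that two-argument open() would parse as mode syntax.

```perl
use strict;
use warnings;
use File::Temp qw(tempdir);
use File::Spec;

# Return the lines of $path that match $re. The explicit '<' mode makes
# open() treat $path purely as a file name, whatever characters it contains.
sub grep_file {
    my ($path, $re) = @_;
    open(my $fh, '<', $path) or return;    # unreadable file: no matches
    my @hits = grep { $_ =~ $re } <$fh>;
    close $fh;
    return @hits;
}

# True for names that two-argument open() would parse as mode syntax:
# a leading '|', '<' or '>', a trailing '|', surrounding whitespace, or '-'.
sub is_mode_like {
    my ($name) = @_;
    return $name =~ /\A[|<>]|\|\z|\A\s|\s\z|\A-\z/ ? 1 : 0;
}

# Constructed sample tree: one ordinary name and one mode-like name.
my $dir = tempdir(CLEANUP => 1);
for my $name ('notes.txt', '|constructed-name') {
    my $path = File::Spec->catfile($dir, $name);
    open(my $out, '>', $path) or die "cannot create $path: $!";
    print {$out} "foo in $name\nbar\n";
    close $out;
}

# Search every entry; both files are read as plain files and both match.
opendir(my $dh, $dir) or die "cannot read $dir: $!";
for my $name (sort grep { !/\A\.\.?\z/ } readdir $dh) {
    my @hits = grep_file(File::Spec->catfile($dir, $name), qr/foo/);
    printf "%-20s mode-like=%d matches=%d\n",
        $name, is_mode_like($name), scalar @hits;
}
closedir $dh;
```

The is_mode_like check is useful on its own for auditing directories that older, unpatched tooling still walks.
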
--- Begin Message ---
Source: libfile-find-rule-perl
Source-Version: 0.34-4
Done: Salvatore Bonaccorso <car...@debian.org>

We believe that the bug you reported is fixed in the latest version of
libfile-find-rule-perl, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1107...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <car...@debian.org> (supplier of updated libfile-find-rule-perl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 05 Jun 2025 14:26:45 +0200
Source: libfile-find-rule-perl
Architecture: source
Version: 0.34-4
Distribution: unstable
Urgency: high
Maintainer: Debian Perl Group <pkg-perl-maintain...@lists.alioth.debian.org>
Changed-By: Salvatore Bonaccorso <car...@debian.org>
Closes: 1107311
Changes:
 libfile-find-rule-perl (0.34-4) unstable; urgency=high
 .
   * Team upload.
   * Fix for CVE-2011-10007: Use 3 arg open in grep() (Closes: #1107311)

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----



--- End Message ---
