diff options
| author | junovitch <junovitch@FreeBSD.org> | 2015-10-10 23:27:11 +0800 |
|---|---|---|
| committer | junovitch <junovitch@FreeBSD.org> | 2015-10-10 23:27:11 +0800 |
| commit | 35c956b7bd4b8999eaff7fb3f127d793c55dc646 (patch) | |
| tree | bebffcdca28b0ee7dab26ae495a4e3b391094e4f /security | |
| parent | bfbcabfd9a81f56e24afa641554adf93fa727738 (diff) | |
| download | freebsd-ports-gnome-35c956b7bd4b8999eaff7fb3f127d793c55dc646.tar.gz freebsd-ports-gnome-35c956b7bd4b8999eaff7fb3f127d793c55dc646.tar.zst freebsd-ports-gnome-35c956b7bd4b8999eaff7fb3f127d793c55dc646.zip | |
Document shell command execution via improper escaping in p5-UI-Dialog
PR: 203667
Security: CVE-2008-7315
Security: https://vuxml.FreeBSD.org/freebsd/00dadbf0-6f61-11e5-a2a1-002590263bf5.html
Diffstat (limited to 'security')
| -rw-r--r-- | security/vuxml/vuln.xml | 35 |
1 files changed, 35 insertions, 0 deletions
diff --git a/security/vuxml/vuln.xml b/security/vuxml/vuln.xml index ac9a03c64594..31f06b792052 100644 --- a/security/vuxml/vuln.xml +++ b/security/vuxml/vuln.xml @@ -58,6 +58,41 @@ Notes: --> <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1"> + <vuln vid="00dadbf0-6f61-11e5-a2a1-002590263bf5"> + <topic>p5-UI-Dialog -- shell command execution vulnerability</topic> + <affects> + <package> + <name>p5-UI-Dialog</name> + <range><lt>1.09_2</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>Matthijs Kooijman reports:</p> + <blockquote cite="https://rt.cpan.org/Public/Bug/Display.html?id=107364"> + <p>It seems that the whiptail, cdialog and kdialog backends apply + some improper escaping in their shell commands, causing special + characters present in menu item titles to be interpreted by the + shell. This includes the backtick evaluation operator, so this + constitutues a security issue, allowing execution of arbitrary + commands if an attacker has control over the text displayed in + a menu.</p> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2008-7315</cvename> + <freebsdpr>ports/203667</freebsdpr> + <url>https://rt.cpan.org/Public/Bug/Display.html?id=107364</url> + <url>https://bugs.debian.org/496448</url> + <url>https://github.com/kckrinke/UI-Dialog/commit/6adc44cc636c615d76297d86835e1a997681eb61</url> + </references> + <dates> + <discovery>2008-08-24</discovery> + <entry>2015-10-10</entry> + </dates> + </vuln> + <vuln vid="290351c9-6f5c-11e5-a2a1-002590263bf5"> <topic>devel/ipython -- multiple vulnerabilities</topic> <affects> |