https://bugzilla.redhat.com/show_bug.cgi?id=1210614

            Bug ID: 1210614
           Summary: Shell command injection in c2ph tool
           Product: Fedora
           Version: 21
         Component: perl
          Assignee: jplesnik@xxxxxxxxxx
          Reporter: ppisar@xxxxxxxxxx
        QA Contact: extras-qa@xxxxxxxxxxxxxxxxx
                CC: cweyl@xxxxxxxxxxxxxxx, iarnell@xxxxxxxxx,
                    jplesnik@xxxxxxxxxx, kasal@xxxxxx,
                    perl-devel@xxxxxxxxxxxxxxxxxxxxxxx, ppisar@xxxxxxxxxx,
                    psabata@xxxxxxxxxx, rc040203@xxxxxxxxxx,
                    tcallawa@xxxxxxxxxx

The c2ph suffers from shell command injection:

$ c2ph -n '; id; x.c'
cc: fatal error: no input files
compilation terminated.
uid=500(petr) gid=500(petr) groups=500(petr),63(audio),100(users),478(mock) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
sh: x.c: command not found

Tested with perl-5.18.4-308.fc21.x86_64.

Reported to upstream <https://rt.perl.org/Ticket/Display.html?id=124275>.
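
Added example, not part of the bug report and not c2ph's own code: the session above shows sh executing pieces of the file name, which is what happens when a name is interpolated into a single command string. The Perl below contrasts that pattern with a list-form pipe open; echo stands in for the compiler (an assumption, c2ph's real command line is not shown in the report) and the sub names are hypothetical.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed input: the file name used in the report above.
my $file = '; id; x.c';

# Stand-in for the compiler invocation (assumption: c2ph's real command differs).
my @tool = ('echo', 'compiling');

# Pattern to avoid: interpolating the name into one command string. Perl sees
# shell metacharacters and runs the string via "sh -c", so ';' splits it into
# three commands: "echo compiling", "id" and "x.c".
sub read_string_form {
    my ($name) = @_;
    open(my $fh, '-|', "@tool $name") or die "cannot start: $!";
    my @out = <$fh>;
    close($fh);    # false here: the shell's last command, x.c, is not found
    return @out;
}

# Hardened: list-form pipe open. No shell is involved; each list element
# becomes exactly one argv entry of the child process.
sub read_list_form {
    my ($name) = @_;
    # A leading '-' would still be parsed as an option by the child,
    # so anchor such relative names to the current directory.
    $name = "./$name" if $name =~ /^-/;
    open(my $fh, '-|', @tool, $name) or die "cannot start: $!";
    my @out = <$fh>;
    close($fh) or warn "tool exited with status $?\n";
    return @out;
}

print "string form:\n", map { "  $_" } read_string_form($file);
print "list form:\n",   map { "  $_" } read_list_form($file);
```

In the list form the whole name reaches the child as one argument, so the output is the literal text "compiling ; id; x.c" and id never runs.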