- Package: src:libfile-find-rule-perl
- Source: src:libfile-find-rule-perl
- Submitter: Salvatore Bonaccorso
- Date: 2025-06-06 13:05:03 UTC
- Severity: normal
- Tags:
Hi,
The following vulnerability was published for libfile-find-rule-perl.
CVE-2011-10007[0]:
| File::Find::Rule through 0.34 for Perl is vulnerable to Arbitrary
| Code Execution when `grep()` encounters a crafted filename. A file
| handle is opened with the 2 argument form of `open()` allowing an
| attacker controlled filename to provide the MODE parameter to
| `open()`, turning the filename into a command to be executed.
| Example:
|
|   $ mkdir /tmp/poc; echo > "/tmp/poc/|id"
|   $ perl -MFile::Find::Rule \
|       -E 'File::Find::Rule->grep("foo")->in("/tmp/poc")'
|   uid=1000(user) gid=1000(user) groups=1000(user),100(users)
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2011-10007
https://www.cve.org/CVERecord?id=CVE-2011-10007
[1] https://github.com/richardc/perl-file-find-rule/pull/4
Regards,
Salvatore
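
The difference between 2-argument and 3-argument `open()` described in the CVE text above, as an added Perl example (not File::Find::Rule's code and not the Debian patch). `mode_like_name` and `safe_grep` are hypothetical helpers and the file names are constructed; with the mode fixed to `<`, a name such as `|id` is opened as an ordinary file.

```perl
#!/usr/bin/perl
# Added example, not File::Find::Rule's code. All file names are constructed.
use strict;
use warnings;
use File::Temp qw(tempdir);
use File::Spec;

# Hypothetical helper: would 2-arg open() read this name as a MODE, not a path?
# Checks a leading or trailing pipe, leading redirection characters, and edge
# whitespace (which 2-arg open strips before parsing the name).
sub mode_like_name {
    my ($name) = @_;
    return 1 if $name =~ /\A\s*[|<>+]/;
    return 1 if $name =~ /\|\s*\z/;
    return 1 if $name =~ /\A\s|\s\z/;
    return 0;
}

# Hypothetical grep-style match that opens each file with a fixed read mode.
sub safe_grep {
    my ($dir, $re) = @_;
    my @hits;
    opendir(my $dh, $dir) or die "opendir $dir: $!";
    for my $name (sort grep { !/\A\.\.?\z/ } readdir $dh) {
        my $path = File::Spec->catfile($dir, $name);
        next unless -f $path;
        # Vulnerable form for comparison: open(FILE, $name) lets $name pick the mode.
        open(my $fh, '<', $path) or next;    # mode is fixed; $path is only a path
        while (my $line = <$fh>) {
            if ($line =~ $re) { push @hits, $name; last }
        }
        close $fh;
    }
    closedir $dh;
    return @hits;
}

my @names = ('notes.txt', '|id', 'report |');    # constructed sample names
my $dir = tempdir(CLEANUP => 1);
for my $name (@names) {
    open(my $out, '>', File::Spec->catfile($dir, $name)) or die "create $name: $!";
    print {$out} "foo\n";
    close $out;
}

printf "%-12s mode-like=%d\n", "'$_'", mode_like_name($_) for @names;
print "matched: $_\n" for safe_grep($dir, qr/foo/);
```
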
Hello,

Bug #1107311 in libfile-find-rule-perl reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:

https://salsa.debian.org/perl-team/modules/packages/libfile-find-rule-perl/-/commit/200db9385361fa1bb13074b11f21a4a3d8917d55

Closes: #1107311
------------------------------------------------------------------------

(this message was generated automatically)
--
Greetings

https://bugs.debian.org/1107311
We believe that the bug you reported is fixed in the latest version of
libfile-find-rule-perl, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1107311@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated libfile-find-rule-perl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)

Format: 1.8
Date: Thu, 05 Jun 2025 14:26:45 +0200
Source: libfile-find-rule-perl
Architecture: source
Version: 0.34-4
Distribution: unstable
Urgency: high
Maintainer: Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 1107311
Changes:
 libfile-find-rule-perl (0.34-4) unstable; urgency=high
 .
   * Team upload.
   * Fix for CVE-2011-10007: Use 3 arg open in grep() (Closes: #1107311)
We believe that the bug you reported is fixed in the latest version of
libfile-find-rule-perl, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1107311@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated libfile-find-rule-perl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)

Format: 1.8
Date: Thu, 05 Jun 2025 14:32:51 +0200
Source: libfile-find-rule-perl
Architecture: source
Version: 0.34-4~deb12u1
Distribution: bookworm-security
Urgency: high
Maintainer: Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 1107311
Changes:
 libfile-find-rule-perl (0.34-4~deb12u1) bookworm-security; urgency=high
 .
   * Rebuild for bookworm-security.
 .
 libfile-find-rule-perl (0.34-4) unstable; urgency=high
 .
   * Team upload.
   * Fix for CVE-2011-10007: Use 3 arg open in grep() (Closes: #1107311)