- Package: src:libhttp-daemon-perl
- Source: src:libhttp-daemon-perl
- Submitter: Salvatore Bonaccorso
- Date: 2026-06-21 19:23:02 UTC
- Severity: normal
- Tags:
Hi,
The following vulnerability was published for libhttp-daemon-perl.
CVE-2026-8450[0]:
| HTTP::Daemon versions before 6.17 for Perl allow OS command
| injection via send_file(). send_file() opens its string argument
| with Perl's 2-arg open(). The 2-arg form interprets magic prefixes:
| '| cmd' and 'cmd |' open a pipe to a subprocess, '> path' and '>>
| path' open the path for write or append. Untrusted input passed to
| send_file() can run OS commands at the daemon process UID. The read-
| pipe form ('cmd |') also leaks subprocess stdout into the HTTP
| response body. The write-mode forms can create or truncate files at
| attacker chosen paths.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2026-8450
https://www.cve.org/CVERecord?id=CVE-2026-8450
[1] https://github.com/libwww-perl/HTTP-Daemon/pull/89
[2] https://lists.security.metacpan.org/cve-announce/msg/40435207/
[3] https://github.com/libwww-perl/HTTP-Daemon/commit/945d35141d94490f749640bd4390acd6a2193995
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
We believe that the bug you reported is fixed in the latest version of
libhttp-daemon-perl, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1138050@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
gregor herrmann <gregoa@debian.org> (supplier of updated libhttp-daemon-perl package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Wed, 27 May 2026 19:23:34 +0200
Source: libhttp-daemon-perl
Architecture: source
Version: 6.17-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>
Changed-By: gregor herrmann <gregoa@debian.org>
Closes: 1138050
Changes:
 libhttp-daemon-perl (6.17-1) unstable; urgency=medium
 .
   * Import upstream version 6.17.
     - Fix CVE-2026-8450: 2-arg open() in send_file() enabled RCE / arbitrary
       file write / response-body exfiltration when a string argument was
       derived from attacker-influenced input. send_file() now uses 3-arg
       open() with an explicit '<' read mode, so the path is always treated as a
       literal filename and 2-arg open() shell-magic shapes ('| cmd', 'cmd |',
       '> path', etc.) are no longer interpreted.
       Closes: #1138050
   * Update years of upstream copyright.
   * Update Upstream-Contact in debian/copyright.
   * Declare compliance with Debian Policy 4.7.4.
   * Remove «Rules-Requires-Root: no», which is the current default.
   * Remove «Priority: optional», which is the current default.
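The behaviour described in the CVE text and in the 6.17 changelog entry above, as an added example (not code from HTTP::Daemon or from this bug report). The helper names `open_2arg` and `open_3arg` and the sample inputs are constructed for illustration; the only subprocess is a harmless `echo`, and everything runs inside a temporary directory.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use File::Temp qw(tempdir);

# Work inside a throwaway directory so side effects stay contained.
my $dir = tempdir(CLEANUP => 1);
chdir $dir or die "chdir: $!";
open(my $seed, '>', 'index.html') or die "seed: $!";
print {$seed} "<p>hello</p>\n";
close $seed;

# Vulnerable shape: 2-arg open() parses the mode out of the string itself.
sub open_2arg {
    my ($name) = @_;
    open(my $fh, $name) or return;
    return $fh;
}

# Fixed shape per the 6.17 changelog: explicit '<', name is a literal path.
sub open_3arg {
    my ($name) = @_;
    open(my $fh, '<', $name) or return;
    return $fh;
}

# Constructed inputs: a real file, a read-pipe shape, a write-mode shape.
my @inputs = ('index.html', 'echo MARKER |', '> created.txt');

for my $name (@inputs) {
    for my $case (['2-arg', \&open_2arg], ['3-arg', \&open_3arg]) {
        my ($label, $opener) = @$case;
        unlink 'created.txt';                 # reset between runs
        my $fh   = $opener->($name);
        my $line = '';
        if ($fh) {
            no warnings 'io';                 # a write-only handle yields no data
            $line = readline($fh) // '';
            close $fh;
        }
        chomp $line;
        printf "%s open(%-17s) opened=%-3s first_line=%-16s file_created=%s\n",
            $label, "'$name'", ($fh ? 'yes' : 'no'), "'$line'",
            (-e 'created.txt' ? 'yes' : 'no');
    }
}
chdir '/';                                    # step out so cleanup can remove $dir
```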
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated libhttp-daemon-perl package)
Format: 1.8
Date: Sat, 20 Jun 2026 23:14:47 +0200
Source: libhttp-daemon-perl
Architecture: source
Version: 6.16-1+deb13u1
Distribution: trixie-security
Urgency: high
Maintainer: Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 1138050
Changes:
 libhttp-daemon-perl (6.16-1+deb13u1) trixie-security; urgency=high
 .
   * Team upload.
   * Fix CVE-2026-8450: send_file() honoured 2-arg open() shell-magic
     (Closes: #1138050)
   * Add regression test for send_file() shell-magic refusal
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated libhttp-daemon-perl package)
Format: 1.8
Date: Sat, 20 Jun 2026 23:18:21 +0200
Source: libhttp-daemon-perl
Architecture: source
Version: 6.16-1+deb13u1~deb12u1
Distribution: bookworm-security
Urgency: high
Maintainer: Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 1138050
Changes:
 libhttp-daemon-perl (6.16-1+deb13u1~deb12u1) bookworm-security; urgency=high
 .
   * Team upload.
   * Rebuild for bookworm-security
 .
 libhttp-daemon-perl (6.16-1+deb13u1) trixie-security; urgency=high
 .
   * Team upload.
   * Fix CVE-2026-8450: send_file() honoured 2-arg open() shell-magic
     (Closes: #1138050)
   * Add regression test for send_file() shell-magic refusal