
This queue is for tickets about the Net-Appliance-Session CPAN distribution.

Report information
The Basics
Id: 107243
Status: resolved
Priority: 0/
Queue: Net-Appliance-Session

People
Owner: Nobody in particular
Requestors: ppisar [...] redhat.com
Cc:
AdminCc:

Bug Information
Severity: (no value)
Broken in: 4.200000
Fixed in: (no value)

Subject: Dangerous "use lib"
The bin/nas contains this line: use lib './lib'; This is very dangerous as anybody creating "lib" in victim's working directory can mount an attack by injecting arbitrary code. Please remove the line from the file. Attached patch does that.
Subject: Net-Appliance-Session-4.200000-Remove-dangerous-use-lib.patch
From 4d468dc7245ca842ae1a59bd9645d56201bab6ef Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com> Date: Tue, 22 Sep 2015 15:17:53 +0200 Subject: [PATCH] Remove dangerous use lib MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Petr Písař <ppisar@redhat.com> --- bin/nas | 1 - 1 file changed, 1 deletion(-) diff --git a/bin/nas b/bin/nas index cac1882..9a0bea0 100755 --- a/bin/nas +++ b/bin/nas @@ -3,7 +3,6 @@ use strict; use warnings FATAL => 'all'; -use lib './lib'; use Net::Appliance::Session::Scripting; Net::Appliance::Session::Scripting::run(); -- 2.4.3
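Review bot: deleting `use lib './lib'` outright, rather than substituting another path, is the right fix, because a relative entry added to @INC is resolved against the process's current working directory at module-load time, so whatever directory a user happens to run `nas` from becomes a module search path consulted ahead of the installed `Net::Appliance::Session::Scripting`. The remaining `use` line then resolves through the normal @INC, which is what an installed script should rely on; if the line existed to run the script from an uninstalled checkout, `use FindBin; use lib "$FindBin::Bin/../lib";` anchors the search path to the script's own location instead of the caller's directory.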
Many thanks for reporting this, you are absolutely right. I have applied the patch for the next release.

On Tue Sep 22 10:01:57 2015, ppisar wrote:
> The bin/nas contains this line:
>
> use lib './lib';
>
> This is very dangerous as anybody creating "lib" in victim's working
> directory can mount an attack by injecting arbitrary code. Please
> remove the line from the file.
>
> Attached patch does that.

--
regards, oliver.
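As an added example (not part of this ticket and not code from the Net-Appliance-Session distribution), the following Python check flags the class of statement the report describes: `use lib` arguments that Perl resolves against the current working directory instead of the script's own location. The two sample scripts are constructed from the hunk above; the shebang line and the FindBin-anchored replacement line are assumptions, not something the distribution ships.

```python
"""
Flag `use lib` statements whose paths are resolved against the current
working directory rather than the script's own location.

`use lib 'dir'` prepends `dir` to Perl's @INC at compile time. A relative
`dir` is looked up relative to wherever the process was started, so any
writable directory a user runs the script from becomes a module search
path consulted ahead of the installed modules.
"""
import re
from dataclasses import dataclass

# One `use lib ...;` statement; the argument list runs up to the semicolon.
USE_LIB_RE = re.compile(r"^[ \t]*use[ \t]+lib\b[ \t]*(?P<args>[^;]+);", re.MULTILINE)

# Argument forms parsed statically: 'single', "double", and qw(...) lists.
QUOTED_RE = re.compile(r"""'([^']*)'|"([^"]*)"|qw[ \t]*[(\[{<]([^)\]}>]*)[)\]}>]""")

# Expressions that anchor a path to the script's own location instead of
# the working directory.
ANCHORS = ("$FindBin::Bin", "$FindBin::RealBin", "$RealBin", "$Bin", "__FILE__")


@dataclass(frozen=True)
class Finding:
    line: int    # 1-based line of the `use lib` statement
    path: str    # the offending path, or the raw argument if unparsed
    reason: str


def scan_perl_source(src: str) -> list[Finding]:
    """Return one Finding per working-directory-relative `use lib` path."""
    findings: list[Finding] = []
    for m in USE_LIB_RE.finditer(src):
        line_no = src.count("\n", 0, m.start()) + 1
        args = m.group("args")
        if any(anchor in args for anchor in ANCHORS):
            continue  # anchored to the script location: not cwd-dependent
        paths: list[str] = []
        for q in QUOTED_RE.finditer(args):
            single, double, qw_list = q.groups()
            if qw_list is not None:
                paths.extend(qw_list.split())
            else:
                paths.append(single if single is not None else double)
        if not paths:
            # A bare variable or expression we cannot evaluate here.
            findings.append(Finding(line_no, args.strip(),
                                    "could not evaluate statically; review manually"))
            continue
        for path in paths:
            if not path.startswith("/"):
                findings.append(Finding(line_no, path,
                                        "relative path, resolved against the current working directory"))
    return findings


# Constructed sample: the head of bin/nas as it appeared before the patch
# (shebang line assumed; lines 2-6 follow the hunk in the ticket).
VULNERABLE_NAS = """#!/usr/bin/perl
use strict;
use warnings FATAL => 'all';
use lib './lib';
use Net::Appliance::Session::Scripting;
Net::Appliance::Session::Scripting::run();
"""

# Constructed sample: the same script after the patch, with an assumed
# FindBin-anchored line for running from a source checkout; the search
# path no longer depends on the caller's working directory.
FIXED_NAS = """#!/usr/bin/perl
use strict;
use warnings FATAL => 'all';
use FindBin;
use lib "$FindBin::Bin/../lib";
use Net::Appliance::Session::Scripting;
Net::Appliance::Session::Scripting::run();
"""

if __name__ == "__main__":
    for name, src in (("before patch", VULNERABLE_NAS), ("after patch", FIXED_NAS)):
        print(f"{name}: {len(scan_perl_source(src))} finding(s)")
        for f in scan_perl_source(src):
            print(f"  line {f.line}: {f.path!r}: {f.reason}")
```

The check is deliberately static and conservative: it catches literal and `qw()` paths and reports anything it cannot evaluate for manual review, but it does not see paths pushed onto @INC at runtime or supplied through the environment, so it complements rather than replaces a review of how a script is actually invoked.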