CVE-2018-9246

NameCVE-2018-9246
DescriptionThe PGObject::Util::DBAdmin module before 0.120.0 for Perl, as used in LedgerSMB through 1.5.x, insufficiently sanitizes or escapes variable values used as part of shell command execution, resulting in shell code injection via the create(), run_file(), backup(), or restore() function. The vulnerability allows unauthorized users to execute code with the same privileges as the running application.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs900942

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
libpgobject-util-dbadmin-perl (PTS)stretch0.100.0-1vulnerable
buster0.130.1-1fixed
bullseye1.4.0-1fixed
sid, trixie, bookworm1.6.1-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
libpgobject-util-dbadmin-perlsource(unstable)0.130.1-1900942

Notes

[stretch] - libpgobject-util-dbadmin-perl <no-dsa> (Minor issue)
https://github.com/ledgersmb/PGObject-Util-DBAdmin/commit/2c25c3dbc8b832a657247d3ea63ae80f3c5df6b1
https://github.com/ledgersmb/PGObject-Util-DBAdmin/commit/f4e684008ca9e182833a70793ae91288d2c80218
https://github.com/ledgersmb/PGObject-Util-DBAdmin/commit/dc48d0e1af0dbf861779b2c781e0f4c612c22cfb
https://archive.ledgersmb.org/ledger-smb-announce/msg00280.html

Search for package or bug name: Reporting problems