Name | CVE-2024-10224
---|---
Description | Qualys discovered that if unsanitized input was used with the Module::ScanDeps library before version 1.36, a local attacker could possibly execute arbitrary shell commands by open()ing a "pesky pipe" (such as passing "commands|" as a filename) or by passing arbitrary strings to eval().
Source | CVE
References | DLA-3958-1, DSA-5816-1
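The "pesky pipe" in the description above is Perl's two-argument open(), which parses the mode, and the "command|" pipe form, out of the filename string itself, so an attacker-controlled name doubles as a shell command. The following is an added example, not code from Module::ScanDeps, the Debian package or the Qualys advisory: it feeds a constructed string of that shape to the three-argument form (where the caller fixes the mode, so the string is only ever a path) and to a hypothetical allow-list helper, looks_like_plain_path, that rejects pipe, redirection and dup-style names in code paths that must accept user-supplied paths. The helper and the sample input are assumptions for illustration.

```perl
#!/usr/bin/perl
# Added example (not Module::ScanDeps code): two-argument open() treats a
# trailing "|" as "run this command and read its output"; the three-argument
# form below takes the same string literally, so it simply fails to open.
use strict;
use warnings;

# Constructed sample input shaped like the "commands|" case in the advisory.
my $untrusted = "echo not-a-file|";

# Three-argument open: mode "<" is supplied by the caller, so $path is a
# plain filename and the trailing "|" has no special meaning.
# Returns (content, undef) on success or (undef, error) on failure.
sub slurp_file_safely {
    my ($path) = @_;
    open(my $fh, '<', $path) or return (undef, "$!");
    local $/;                  # slurp mode
    my $content = <$fh>;
    close $fh;
    return ($content, undef);
}

# Hypothetical allow-list check for paths that reach legacy two-argument
# open() or similar string-interpreting APIs: reject anything that could be
# read as a mode, a pipe, a dup spec ("&"), "-" (STDIN/STDOUT) or an
# embedded NUL. Whitelisting is preferable to this denylist where possible.
sub looks_like_plain_path {
    my ($path) = @_;
    return 0 if !defined $path || $path eq '';
    return 0 if $path =~ /^\s*[<>+|&]/;  # leading mode / pipe / dup characters
    return 0 if $path =~ /\|\s*$/;       # trailing "|": the "command|" form
    return 0 if $path =~ /^\s*-\s*$/;    # bare "-" means a standard stream
    return 0 if $path =~ /\0/;           # embedded NUL truncates the name
    return 1;
}

my ($data, $err) = slurp_file_safely($untrusted);
print defined $data
    ? "read " . length($data) . " bytes\n"
    : "three-arg open() treated it as a path and failed: $err\n";

for my $candidate ($untrusted, "lib/Foo.pm") {
    printf "%-20s => %s\n", $candidate,
        looks_like_plain_path($candidate) ? "accepted" : "rejected by allow-list check";
}
```

Run it with any Perl 5: the three-argument open() reports "No such file or directory" for the constructed string instead of executing anything, and the helper rejects it while accepting an ordinary module path. The same principle applies to the eval() part of the advisory: string eval on untrusted data has no safe filter, and the fix is to not pass such data to eval() at all.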
The table below lists information on source packages.
Source Package | Release | Version | Status
---|---|---|---
libmodule-scandeps-perl (PTS) | jessie | 1.16-1 | vulnerable
libmodule-scandeps-perl (PTS) | stretch | 1.23-1 | vulnerable
libmodule-scandeps-perl (PTS) | buster | 1.27-1 | vulnerable
libmodule-scandeps-perl (PTS) | bullseye | 1.30-1 | vulnerable
libmodule-scandeps-perl (PTS) | bullseye (security) | 1.30-1+deb11u1 | fixed
libmodule-scandeps-perl (PTS) | bookworm | 1.31-2 | vulnerable
libmodule-scandeps-perl (PTS) | bookworm (security) | 1.31-2+deb12u1 | fixed
libmodule-scandeps-perl (PTS) | sid, trixie | 1.35-2 | fixed
The information below is based on the following data on fixed versions.
Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs
---|---|---|---|---|---|---
libmodule-scandeps-perl | source | bullseye | 1.30-1+deb11u1 | | DLA-3958-1 |
libmodule-scandeps-perl | source | bookworm | 1.31-2+deb12u1 | | DSA-5816-1 |
libmodule-scandeps-perl | source | (unstable) | 1.35-2 | | |
https://www.qualys.com/2024/11/19/needrestart/needrestart.txt
https://github.com/rschupp/Module-ScanDeps/security/advisories/GHSA-g597-359q-v529
Fixed by: https://github.com/rschupp/Module-ScanDeps/commit/30d43e2df13cfca74833b3aa8a641679427c5cd8
Fixed by: https://github.com/rschupp/Module-ScanDeps/commit/e1f2e14c5bee4d78c94b0cddf120e81af104f6dd
Functional followup fix: https://github.com/rschupp/Module-ScanDeps/commit/49468814a24221affe113664899be21aef60e846