On Thu, Nov 28, 2019 at 10:44:25AM +0200, Georgi Guninski wrote:
> Package: pari-gp
> Version: 2.11.1-2
> Severity: normal
> Tags: security
>
> pari/gp is a CAS (computer algebra system).
> pari/gp version 2.9.1 on Debian stretch and 2.11 on Debian buster
> allow arbitrary file write and hence arbitrary code execution.
>
> poc:
> ========
> \\ a.gp
> \\ to run: \r a.gp
> default("logfile","/tmp/a.txt");default("log",1);print("log(1)");
Hello Georgi,
How is it different from any other language runtime?
Any language interpreter allows for arbitrary code execution.
By the way you can just use write directly:
write("/tmp/a.txt","log(1)")
Cheers,
--
Bill. <[email protected]>
Imagine a large red swirl here.