Bug#881097: libnet-ping-external-perl: long-standing command injection via crafted arguments

[Salvatore Bonaccorso]

Control: retitle -1 libnet-ping-external-perl: CVE-2008-7319: command injection 
via crafted arguments

This issue got assigned CVE-2008-7319.

I have filled #881102 for requesting the removal from unstable.

For stretch and jessie I think the best course would be to have it
removed as well in the next point releases, given no package depends
on it.

Regards,
Salvatore

Processed: Re: Bug#881097: libnet-ping-external-perl: long-standing command injection via crafted arguments

[Debian Bug Tracking System]

Processing control commands:

> retitle -1 libnet-ping-external-perl: CVE-2008-7319: command injection via 
> crafted arguments
Bug #881097 [libnet-ping-external-perl] libnet-ping-external-perl: 
long-standing command injection via crafted arguments
Changed Bug title to 'libnet-ping-external-perl: CVE-2008-7319: command 
injection via crafted arguments' from 'libnet-ping-external-perl: long-standing 
command injection via crafted arguments'.

-- 
881097: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=881097
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Bug#881097: libnet-ping-external-perl: long-standing command injection via crafted arguments

[Simon McVittie]

Package: libnet-ping-external-perl
Version: 0.13-1
Severity: grave
Tags: security patch upstream
Justification: user security hole
Forwarded: https://rt.cpan.org/Public/Bug/Display.html?id=33230

See forwarded message below. The reporter's proposed patch is also
attached.

The proposed patch seems to pretend to be a new upstream release, which
seems weird to me, but it isn't my patch.

For what it's worth, dak says nothing in unstable depends on this
package; so perhaps it's time to remove it from Debian.

smcv

- Forwarded message from Matthias Weckbecker  
-

Date: Tue, 7 Nov 2017 17:51:27 +0100
From: Matthias Weckbecker 
To: oss-secur...@lists.openwall.com
Subject: [oss-security] Net::Ping::External command injections
Message-ID: <20171107165127.ga1...@weckbecker.name>

Hi,

Net::Ping::External [0] is prone to command injection vulnerabilities.

The issues are roughly 10 (!) years old [1], but the code is still being
shipped these days (e.g. in ubuntu artful and debian stretch [2]).

I had contacted the author of the code a few days ago, but obviously did
not get any reaction.

A patch is available here:

  http://matthias.sdfeu.org/devel/net-ping-external-cmd-injection.patch

Maybe time to just patch it downstream? Or drop this pkg. altogether?

Thanks,
Matthias

--
[0] https://metacpan.org/pod/Net::Ping::External
[1] https://rt.cpan.org/Public/Dist/Display.html?Name=Net-Ping-External
(id #33230)
[2] https://packages.debian.org/stable/perl/libnet-ping-external-perl \
https://launchpad.net/ubuntu/+source/libnet-ping-external-perl

- End forwarded message -
>From b3dd4de6417f5f9d06710fc185ae6b4ee3661c45 Mon Sep 17 00:00:00 2001
From: Matthias Weckbecker 
Date: Fri, 27 Oct 2017 15:01:10 +0200
Subject: [PATCH 1/1] Fix 10 year old command injection vulnerability

---
 Changes |  3 +++
 External.pm | 24 
 test.pl | 53 +++--
 3 files changed, 74 insertions(+), 6 deletions(-)

diff --git a/Changes b/Changes
index 283ad4d..f36f0d0 100644
--- a/Changes
+++ b/Changes
@@ -8,6 +8,9 @@ newer versions of Net::Ping::External.
 - Support Debian GNU/kFreeBSD
 - ping location on Darwin
 
+0.16 2017-10-27
+- Fix 10 year old command injection vulnerability
+
 0.15 2014-04-12
 - Better detect Windows ping under Cygwin
 - Add ping output for test 2 if it fails
diff --git a/External.pm b/External.pm
index eb472bd..82bc0b8 100644
--- a/External.pm
+++ b/External.pm
@@ -15,11 +15,26 @@ use Carp;
 use Socket qw(inet_ntoa);
 require Exporter;
 
-$VERSION = "0.15";
+$VERSION = "0.16";
 @ISA = qw(Exporter);
 @EXPORT = qw();
 @EXPORT_OK = qw(ping);
 
+sub _clean_args {
+  my %args = @_;
+  for my $arg (qw(size count timeout)) {
+  if ($args{$arg} !~ /([0-9]+)/) {
+croak("$arg must be numeric");
+  }
+  $args{$arg} = $1;
+  }
+  if ($args{host} !~ /([A-Z0-9\.\-]+)/i) {
+croak("invalid host");
+  }
+  $args{host} = $1;
+  return %args;
+}
+
 sub ping {
   # Set up defaults & override defaults with parameters sent.
   my %args = (count => 1, size => 56, @_);
@@ -34,7 +49,7 @@ sub ping {
   croak("You must provide a hostname") unless defined $args{host};
   $args{timeout} = 5 unless defined $args{timeout} && $args{timeout} > 0;
 
-  my %dispatch = 
+  my %dispatch =
 (linux=> \&_ping_linux,
  gnukfreebsd => \&_ping_linux, #Debian GNU/kFreeBSD
  mswin32  => \&_ping_win32,
@@ -61,6 +76,7 @@ sub ping {
 
   croak("External ping not supported on your system") unless $subref;
 
+  %args = _clean_args(%args);
   return $subref->(%args);
 }
 
@@ -83,7 +99,7 @@ sub _ping_win32 {
 }
 
 # Mac OS X 10.2 ping does not handle -w timeout now does it return a
-# status code if it fails to ping (unless it cannot resolve the domain 
+# status code if it fails to ping (unless it cannot resolve the domain
 # name)
 # Thanks to Peter N. Lewis for this one.
 sub _ping_darwin {
@@ -201,7 +217,7 @@ sub _ping_netbsd {
 # -s size option supported -- superuser only... fixme
 sub _ping_bsd {
   my %args = @_;
-  my $command = "ping -c $args{count} -q $args{hostname}";
+  my $command = "ping -c $args{count} -q $args{host}";
   return _ping_system($command, 0);
 }
 
diff --git a/test.pl b/test.pl
index 591f6d4..29c5bc8 100644
--- a/test.pl
+++ b/test.pl
@@ -6,7 +6,7 @@
 # Change 1..1 below to 1..last_test_to_print .
 # (It may become useful if the test is moved to ./t subdirectory.)
 
-BEGIN { $| = 1; $num_tests = 6; print "1..$num_tests\n"; }
+BEGIN { $| = 1; $num_tests = 8; print "1..$num_tests\n"; }
 END {print "not ok 1\n" unless $loaded;}
 use Net::Ping::External qw(ping);
 $loaded = 1;
@@ -24,7 +24,12 @@ $Net::Ping::External::DEBUG_OUTPUT = 1;
 	   3 => "ping(host => '127.0.0.1', timeout => 5)",
 	   4 => "ping(host => 'some.non.existent.host.')",
 	   5 => "ping(host => '127.0.0.1', count => 10)",
-	   6 => "ping(host => '127.0.0.1', size => 32)"
+	   6 => "ping(host