oss-sec mailing list archives

CVE-2011-10007: File::Find::Rule through 0.34 for Perl is vulnerable to Arbitrary Code Execution when `grep()` encounters a crafted file name


From: Timothy Legge <timlegge () cpansec org>
Date: Thu, 05 Jun 2025 09:00:42 -0300

========================================================================
CVE-2011-10007                                       CPAN Security Group
========================================================================

        CVE ID:  CVE-2011-10007
  Distribution:  File-Find-Rule
      Versions:  through 0.34

      MetaCPAN:  https://metacpan.org/dist/File-Find-Rule
      VCS Repo:  https://github.com/richardc/perl-file-find-rule


File::Find::Rule through 0.34 for Perl is vulnerable to Arbitrary Code
Execution when `grep()` encounters a crafted file name

Description
-----------
File::Find::Rule through 0.34 for Perl is vulnerable to Arbitrary Code
Execution when `grep()` encounters a crafted filename.

A file handle is opened with the two-argument form of `open()`, allowing
an attacker-controlled filename to provide the MODE parameter to
`open()`, turning the filename into a command to be executed.

Example:

$ mkdir /tmp/poc; echo > "/tmp/poc/|id"
$ perl -MFile::Find::Rule \
    -E 'File::Find::Rule->grep("foo")->in("/tmp/poc")'
uid=1000(user) gid=1000(user) groups=1000(user),100(users)

Problem types
-------------
- CWE-78 Improper Neutralization of Special Elements used in an OS
  Command ('OS Command Injection')

Solutions
---------
Users should update to a fixed version when available, or apply the
patch provided in the references section, or use a patched version
provided by their OS distribution.


References
----------
https://metacpan.org/release/RCLAMP/File-Find-Rule-0.34/source/lib/File/Find/Rule.pm#L423
https://rt.cpan.org/Public/Bug/Display.html?id=64504
https://github.com/richardc/perl-file-find-rule/pull/4
https://github.com/richardc/perl-file-find-rule/commit/df58128bcee4c1da78c34d7f3fe1357e575ad56f.patch

Timeline
--------
- 2011-01-04: A bug was reported by Kevin Ryde to the upstream RT
  bugtracker described as "grep() can truncate files".
- 2025-06-04: CPANSec became aware of the bug and started triage. Code
  execution impact was confirmed, a patch was made, and the author, the
  distros list and additional downstream vendors were notified.

Attachment: 0001-Fix-CVE-2011-10007-for-File-Find-Rule.patch
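
Added example (not part of the advisory and not the upstream patch): a Perl
script that reports how two-argument open() would interpret a file name and
then reads the same files with the three-argument form, where the mode is a
separate literal. The helper names and the file names other than "|id" are
assumptions made for illustration.

```perl
#!/usr/bin/env perl
use strict;
use warnings;
use File::Temp qw(tempdir);
use File::Spec;

# Hypothetical helper: report how two-argument open() would read $name.
# It only inspects the string; the two-argument form is never called here.
sub two_arg_interpretation {
    my ($name) = @_;
    (my $spec = $name) =~ s/^\s+|\s+$//g;    # surrounding whitespace is ignored
    return 'pipe to command'   if $spec =~ /^\|/;
    return 'pipe from command' if $spec =~ /\|$/;
    return 'read/write'        if $spec =~ /^\+[<>]/;
    return 'append'            if $spec =~ /^>>/;
    return 'write (truncate)'  if $spec =~ /^>/;
    return 'standard input'    if $spec eq '-';
    return 'read';
}

# Hypothetical hardened matcher: the mode is its own literal argument, so
# $path is only ever a path, whatever characters it contains.
sub file_matches {
    my ($path, $re) = @_;
    open(my $fh, '<', $path) or return 0;
    while (my $line = <$fh>) {
        return 1 if $line =~ $re;
    }
    return 0;
}

# Constructed sample tree; "|id" is the name from the advisory's example,
# the other names are made up for illustration.
my $dir = tempdir(CLEANUP => 1);
for my $name ('|id', '>notes.txt', 'report.txt') {
    my $path = File::Spec->catfile($dir, $name);
    open(my $out, '>', $path) or die "cannot create $path: $!";
    print {$out} "foo\n";
    close($out) or die "cannot close $path: $!";

    # File::Find hands callbacks the bare file name in $_ by default,
    # so the bare name is what a two-argument open() would parse.
    printf "%-12s two-arg: %-18s three-arg match: %s\n",
        $name, two_arg_interpretation($name),
        file_matches($path, qr/foo/) ? 'yes' : 'no';
}
```

All three files are read as ordinary files by the three-argument form, while
the first column of the report shows which names the two-argument form would
have treated as a pipe or a write target.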