Commit Graph

4 Commits

Author SHA1 Message Date
Jitka Plesnikova
1dba614caa Fix CVE-2026-8450: send_file() RCE via 2-arg open() shell-magic
Backport upstream fix (commit 945d3514) for CVE-2026-8450 to
perl-HTTP-Daemon 6.01. The send_file() method in
HTTP::Daemon::ClientConn used the insecure 2-argument form of
open(), which allowed shell-magic interpretation of filenames
(pipe commands, redirections, etc.). The fix switches to
3-argument open() with an explicit '<' mode, replacing the
typeglob with a lexical filehandle. Additional hardening
includes proper binmode() failure handling and a '0E0'
true-zero return for empty successful transfers.

CVE: CVE-2026-8450
Upstream patches:
 - 945d35141d.patch
Resolves: RHEL-184828
2026-06-19 06:59:51 +02:00
Adam Samalik
cd8a0313e0 re-import sources as agreed with the maintainer 2023-06-30 07:43:02 +02:00
James Antill
5984594830 Import rpm: 570096e5fc15e65be75bba7681557cdc44a7c076 2023-02-23 23:31:56 -05:00
James Antill
7983cb12d2 Import rpm: c8s-stream-6.34 2023-02-22 10:59:55 -05:00