Version in base suite: 3.000003-3
Base version: libconfig-inifiles-perl_3.000003-3
Target version: libconfig-inifiles-perl_3.000003-3+deb13u1
Base file: /srv/ftp-master.debian.org/ftp/pool/main/libc/libconfig-inifiles-perl/libconfig-inifiles-perl_3.000003-3.dsc
Target file: /srv/ftp-master.debian.org/policy/pool/main/libc/libconfig-inifiles-perl/libconfig-inifiles-perl_3.000003-3+deb13u1.dsc
 changelog | 7 +++
 patches/CVE-2026-11527.patch | 96 +++++++++++++++++++++++++++++++++++++++++++
 patches/series | 1
 3 files changed, 104 insertions(+)
dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmp_5swkzh9/libconfig-inifiles-perl_3.000003-3.dsc: no acceptable signature found
dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmp_5swkzh9/libconfig-inifiles-perl_3.000003-3+deb13u1.dsc: no acceptable signature found
diff -Nru libconfig-inifiles-perl-3.000003/debian/changelog libconfig-inifiles-perl-3.000003/debian/changelog
--- libconfig-inifiles-perl-3.000003/debian/changelog	2024-08-02 09:36:20.000000000 +0000
+++ libconfig-inifiles-perl-3.000003/debian/changelog	2026-06-17 14:16:43.000000000 +0000
@@ -1,3 +1,10 @@
+libconfig-inifiles-perl (3.000003-3+deb13u1) trixie-security; urgency=high
+
+  * Team upload.
+  * Add fix for CVE-2026-11527 (uses 2-arg open() in _make_filehandle)
+
+ -- Salvatore Bonaccorso  Wed, 17 Jun 2026 16:16:43 +0200
+
 libconfig-inifiles-perl (3.000003-3) unstable; urgency=medium
 
   * Include dpkg's default.mk for completeness
diff -Nru libconfig-inifiles-perl-3.000003/debian/patches/CVE-2026-11527.patch libconfig-inifiles-perl-3.000003/debian/patches/CVE-2026-11527.patch
--- libconfig-inifiles-perl-3.000003/debian/patches/CVE-2026-11527.patch	1970-01-01 00:00:00.000000000 +0000
+++ libconfig-inifiles-perl-3.000003/debian/patches/CVE-2026-11527.patch	2026-06-17 14:16:43.000000000 +0000
@@ -0,0 +1,96 @@
+From: Shlomi Fish
+Date: Mon, 8 Jun 2026 18:40:35 +0300
+Subject: CVE-2026-11527
+Origin: https://github.com/shlomif/perl-Config-IniFiles/commit/3e48f9627fbba4dae5de35be1f735cdeb7e47fb8
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2026-11527
+
+---
+ lib/Config/IniFiles.pm | 5 +-
+ t/38security-open.t | 66 ++++++++++++++++++++++++++
+ 2 files changed, 69 insertions(+), 2 deletions(-)
+ create mode 100644 config-inifiles/t/38security-open.t
+
+--- a/lib/Config/IniFiles.pm
++++ b/lib/Config/IniFiles.pm
+@@ -2158,9 +2158,10 @@ sub _make_filehandle
+     my $fh = qualify_to_ref( $thing, caller(1) );
+     return $fh if defined( fileno $fh );
+ 
+-    # otherwise treat it as a file to open
++    # otherwise treat it as a file to open; 3-arg open so the filename is
++    # not interpreted as a command or redirect
+     $fh = gensym;
+-    open( $fh, $thing ) || return;
++    open( $fh, '<', $thing ) || return;
+ 
+     return $fh;
+ } # end _make_filehandle
+--- /dev/null
++++ b/t/38security-open.t
+@@ -0,0 +1,66 @@
++#!/usr/bin/perl
++# Regression test for the 2-arg open() in _make_filehandle.
++#
++# _make_filehandle is the open path behind the -file argument (new -> ReadConfig
++# and WriteConfig both reach it). A 2-arg open() there interprets shell-magic
++# prefixes, so a "cmd |" filename runs a command and a "> file" filename
++# truncates a file. These must be treated as plain pathnames.
++
++use strict;
++use warnings;
++
++use Config::IniFiles;
++use File::Temp qw( tempdir );
++use File::Spec;
++use Test::More tests => 5;
++
++my $dir = tempdir( CLEANUP => 1 );
++
++# A trailing-pipe payload must not run a command.
++{
++    my $marker = File::Spec->catfile( $dir, "pwned_read" );
++    my $fh = eval { Config::IniFiles->_make_filehandle("touch $marker |") };
++    close $fh if $fh;
++    ok !-e $marker, "trailing-pipe payload does not execute a command";
++}
++
++# A leading-pipe payload must not run a command.
++{
++    my $marker = File::Spec->catfile( $dir, "pwned_write" );
++    my $fh = eval { Config::IniFiles->_make_filehandle("| touch $marker") };
++    close $fh if $fh;
++    ok !-e $marker, "leading-pipe payload does not execute a command";
++}
++
++# A redirect payload must not truncate a file.
++{
++    my $victim = File::Spec->catfile( $dir, "victim" );
++    open my $fh, ">", $victim or die "$victim: $!";
++    print $fh "important data\n";
++    close $fh;
++    my $made = eval { Config::IniFiles->_make_filehandle("> $victim") };
++    close $made if $made;
++    is -s $victim, 15, "redirect payload does not truncate a file";
++}
++
++# A plain filename still opens as a file.
++{
++    my $real = File::Spec->catfile( $dir, "real.txt" );
++    open my $fh, ">", $real or die "$real: $!";
++    print $fh "x\n";
++    close $fh;
++    my $opened = eval { Config::IniFiles->_make_filehandle($real) };
++    ok $opened, "plain filename still opens as a file";
++}
++
++# 2-arg open() silently trimmed surrounding whitespace (including a trailing
++# newline); 3-arg open treats the argument literally, so an un-chomped name no
++# longer opens the trimmed file.
++{
++    my $real = File::Spec->catfile( $dir, "plain.txt" );
++    open my $fh, ">", $real or die "$real: $!";
++    print $fh "x\n";
++    close $fh;
++    my $padded = eval { Config::IniFiles->_make_filehandle("$real\n") };
++    ok !$padded, "trailing whitespace is significant (filename not trimmed)";
++}
diff -Nru libconfig-inifiles-perl-3.000003/debian/patches/series libconfig-inifiles-perl-3.000003/debian/patches/series
--- libconfig-inifiles-perl-3.000003/debian/patches/series	1970-01-01 00:00:00.000000000 +0000
+++ libconfig-inifiles-perl-3.000003/debian/patches/series	2026-06-17 14:16:43.000000000 +0000
@@ -0,0 +1 @@
+CVE-2026-11527.patch
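Review bot: The replacement `open( $fh, '<', $thing ) || return;` fixes the mode to read-only, while the header comment of the new t/38security-open.t states that WriteConfig also reaches `_make_filehandle`; if a write path really does route a filename through here it now receives a read-only handle, so either that comment or the write path needs checking, and the lines that decide this are outside the hunk. The fifth test case also pins a user-visible change — a filename carrying a trailing newline no longer opens the trimmed file — which the debian/changelog entry does not mention; a one-line note there would help anyone passing un-chomped names read from input. On the unchanged context lines, `$thing` is still passed to `qualify_to_ref` and returned as soon as `fileno` is defined, so a string that names an already-open package filehandle is handed back as-is rather than opened as a path; that is pre-existing, but a comment such as `# a name matching an open package handle is returned as-is, not opened as a path` on that line would make the resolution order explicit, and the new test file has no case covering it. `_make_filehandle` begins before the inner hunk's first context line, so the earlier branches of the function are not visible here.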