Version in base suite: 2.78-1 Base version: libgd-perl_2.78-1 Target version: libgd-perl_2.78-1+deb13u1 Base file: /srv/ftp-master.debian.org/ftp/pool/main/libg/libgd-perl/libgd-perl_2.78-1.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/libg/libgd-perl/libgd-perl_2.78-1+deb13u1.dsc changelog | 7 patches/Fix-CVE-2026-11526-command-injection-via-2-arg-open-.patch | 126 ++++++++++ patches/series | 1 3 files changed, 134 insertions(+) dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmpls9cdv6e/libgd-perl_2.78-1.dsc: no acceptable signature found dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmpls9cdv6e/libgd-perl_2.78-1+deb13u1.dsc: no acceptable signature found
diff -Nru libgd-perl-2.78/debian/changelog libgd-perl-2.78/debian/changelog
--- libgd-perl-2.78/debian/changelog 2023-11-02 15:59:39.000000000 +0000
+++ libgd-perl-2.78/debian/changelog 2026-06-12 19:59:30.000000000 +0000
@@ -1,3 +1,10 @@
+libgd-perl (2.78-1+deb13u1) trixie-security; urgency=high
+
+ * Team upload.
+ * Fix CVE-2026-11526: command injection via 2-arg open() in _make_filehandle
+
+ -- Salvatore Bonaccorso Fri, 12 Jun 2026 21:59:30 +0200
+
 libgd-perl (2.78-1) unstable; urgency=medium
 * Team upload.
diff -Nru libgd-perl-2.78/debian/patches/Fix-CVE-2026-11526-command-injection-via-2-arg-open-.patch libgd-perl-2.78/debian/patches/Fix-CVE-2026-11526-command-injection-via-2-arg-open-.patch
--- libgd-perl-2.78/debian/patches/Fix-CVE-2026-11526-command-injection-via-2-arg-open-.patch 1970-01-01 00:00:00.000000000 +0000
+++ libgd-perl-2.78/debian/patches/Fix-CVE-2026-11526-command-injection-via-2-arg-open-.patch 2026-06-12 19:59:30.000000000 +0000
@@ -0,0 +1,126 @@
+From: Paul Johnson
+Date: Mon, 8 Jun 2026 18:00:00 +0200
+Subject: Fix CVE-2026-11526: command injection via 2-arg open() in
+ _make_filehandle
+Origin: https://github.com/lstein/Perl-GD/commit/67b163713c6c78dfeb693da0978ae934e5cd8210
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2026-11526
+
+Replace 2-arg open() with 3-arg open() so filenames beginning or ending
+with shell-magic prefixes (|, >) are always treated as literal pathnames
+rather than being interpreted as commands or redirects.
+
+CWE-78 (OS command injection, the pipe form)
+CWE-73 (external control of file name or path, the redirect form)
+Reported-by: Paul Johnson (CPANSec)
+---
+ MANIFEST | 1 +
+ lib/GD/Image.pm | 5 ++--
+ lib/GD/Image_pm.PL | 5 ++--
+ t/security_open.t | 61 ++++++++++++++++++++++++++++++++++++++++++++++
+ 4 files changed, 68 insertions(+), 4 deletions(-)
+ create mode 100644 t/security_open.t
+
+--- a/MANIFEST
++++ b/MANIFEST
+@@ -38,6 +38,7 @@ t/HSV.t
+ t/Polyline.t
+ t/caller.t
+ t/fork.t
++t/security_open.t
+ t/test_data/Generic.ttf
+ t/test_data/frog.jpg
+ t/test_data/frog.xpm
+--- a/lib/GD/Image.pm
++++ b/lib/GD/Image.pm
+@@ -97,9 +97,10 @@ sub _make_filehandle {
+ }
+ return $fh if defined(fileno $fh);
+
+- # otherwise treat it as a file to open
++ # otherwise treat it as a file to open; 3-arg open so the filename is
++ # not interpreted as a command or redirect
+ $fh = gensym;
+- if (!open($fh,$thing)) {
++ if (!open($fh,'<',$thing)) {
+ die "$thing not found: $!";
+ return undef;
+ }
+--- a/lib/GD/Image_pm.PL
++++ b/lib/GD/Image_pm.PL
+@@ -126,9 +126,10 @@ sub _make_filehandle {
+ }
+ return $fh if defined(fileno $fh);
+
+- # otherwise treat it as a file to open
++ # otherwise treat it as a file to open; 3-arg open so the filename is
++ # not interpreted as a command or redirect
+ $fh = gensym;
+- if (!open($fh,$thing)) {
++ if (!open($fh,'<',$thing)) {
+ die "$thing not found: $!";
+ return undef;
+ }
+--- /dev/null
++++ 
b/t/security_open.t
+@@ -0,0 +1,61 @@
++# _make_filehandle is the single open path for every filename constructor
++# (new, newFrom*). A 2-arg open() there interprets shell-magic prefixes, so a
++# "cmd |" filename runs a command and a "> file" filename truncates a file.
++# These must be treated as plain pathnames.
++use strict;
++use warnings;
++use GD;
++use File::Temp qw( tempdir );
++use File::Spec;
++use Test::More tests => 5;
++
++my $dir = tempdir(CLEANUP => 1);
++
++# A trailing-pipe payload must not run a command.
++{
++ my $marker = File::Spec->catfile($dir, "pwned_read");
++ my $fh = eval { GD::Image->_make_filehandle("touch $marker |") };
++ close $fh if $fh;
++ ok !-e $marker, "trailing-pipe payload does not execute a command";
++}
++
++# A leading-pipe payload must not run a command.
++{
++ my $marker = File::Spec->catfile($dir, "pwned_write");
++ my $fh = eval { GD::Image->_make_filehandle("| touch $marker") };
++ close $fh if $fh;
++ ok !-e $marker, "leading-pipe payload does not execute a command";
++}
++
++# A redirect payload must not truncate a file.
++{
++ my $victim = File::Spec->catfile($dir, "victim");
++ open my $fh, ">", $victim or die "$victim: $!";
++ print $fh "important data\n";
++ close $fh;
++ my $made = eval { GD::Image->_make_filehandle("> $victim") };
++ close $made if $made;
++ is -s $victim, 15, "redirect payload does not truncate a file";
++}
++
++# A plain filename still opens as a file.
++{
++ my $real = File::Spec->catfile($dir, "real.txt");
++ open my $fh, ">", $real or die "$real: $!";
++ print $fh "x\n";
++ close $fh;
++ my $opened = eval { GD::Image->_make_filehandle($real) };
++ ok $opened, "plain filename still opens as a file";
++}
++
++# 2-arg open() silently trimmed surrounding whitespace (including a trailing
++# newline); 3-arg open treats the argument literally, so an un-chomped name no
++# longer opens the trimmed file. 
++{
++ my $real = File::Spec->catfile($dir, "plain.txt");
++ open my $fh, ">", $real or die "$real: $!";
++ print $fh "x\n";
++ close $fh;
++ my $padded = eval { GD::Image->_make_filehandle("$real\n") };
++ ok !$padded, "trailing whitespace is significant (filename not trimmed)";
++}
diff -Nru libgd-perl-2.78/debian/patches/series libgd-perl-2.78/debian/patches/series
--- libgd-perl-2.78/debian/patches/series 1970-01-01 00:00:00.000000000 +0000
+++ libgd-perl-2.78/debian/patches/series 2026-06-12 19:59:30.000000000 +0000
@@ -0,0 +1 @@
+Fix-CVE-2026-11526-command-injection-via-2-arg-open-.patch
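Review bot: A bare `-` filename is not covered by the new `open($fh,'<',$thing)` in either `_make_filehandle` copy or by `t/security_open.t`: as far as I know the three-argument form with mode `<` still treats the filename `-` as STDIN (the two-argument `<-` rule carries over), so a caller handing an untrusted name of `-` would read the process's standard input instead of failing with `not found` — worth confirming on the supported perl and, if it holds, adding a case asserting that `GD::Image->_make_filehandle("-")` dies (or rejecting `-` explicitly before the open). The unchanged line after the open, `die "$thing not found: $!";`, labels every failure as "not found" although `$!` may be EACCES or EISDIR; `die "$thing: cannot open: $!";` would be accurate, and the `return undef;` that follows a `die` is unreachable and can be dropped. The enclosing `_make_filehandle` begins before the hunk in both `lib/GD/Image.pm` and `lib/GD/Image_pm.PL`.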