Bug 1018805 (CVE-2013-6499)

Summary: CVE-2013-6499 perl-MP3-Info: loading a module relative to the cwd
Product: [Other] Security Response Reporter: Murray McAllister <mmcallis>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: carnil, psabata, security-response-team
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2015-05-14 11:31:21 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On: 1189334, 1189335    
Bug Blocks:    

Description Murray McAllister 2013-10-14 12:42:33 UTC 
The MP3::Info module attempts to load and run a module relative to the current working directory. If a local user ran an application that uses MP3::Info in an attacker-controlled directory, it would lead to arbitrary code execution.
Comment 4 Kurt Seifried 2015-02-05 02:27:55 UTC 
Downgrading severity, this module is not widely used and requires significant attacker/victim interaction.
Comment 5 Kurt Seifried 2015-02-05 02:28:19 UTC 
Created perl-MP3-Info tracking bugs for this issue:

Affects: fedora-all [bug 1189334]
Affects: epel-5 [bug 1189335]
Comment 6 Petr Šabata 2015-02-11 15:06:28 UTC 
I checked the code of perl-MP3-Info and couldn't find any code doing what you describe.  There are no issues of such nature reported upstream either.

I would appreciate some more information on this matter as I can't see anything to fix here.
Comment 7 Petr Šabata 2015-05-14 11:31:21 UTC 
I believe this report is bogus.  Closing.