It was reported that the File::Spec::canonpath() routine returns untainted strings even if passed tainted input. This defect undermines the guarantee of taint propagation, which is sometimes used to ensure that unvalidated user input does not reach sensitive code. This issue affects versions of PathTools from 3.47 onwards and/or perl 5.20.0.
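An added example, not part of the original report or the upstream patch: a check to run with `perl -T` that shows whether the installed File::Spec drops taint in canonpath(). The sample paths are constructed, and `$^X` is used only as a source of a zero-length tainted string.

```perl
# Added example: run as  perl -T check_canonpath_taint.pl
use strict;
use warnings;
use File::Spec;
use Scalar::Util qw(tainted);

# ${^TAINT} is 1 only when taint mode was enabled with -T.
die "taint mode is off; run with perl -T\n" unless ${^TAINT} == 1;

# $^X (path of the perl binary) is tainted under -T; a zero-length
# substring of it is still tainted and taints whatever it is joined to.
my $TAINT = substr($^X, 0, 0);

# Constructed sample paths that canonpath() has to rewrite.
my @samples = (
    '/tmp//upload/./report.txt',
    'a/./b//c/',
    '///srv///data/',
);

my $lost = 0;
for my $raw (@samples) {
    my $in = $raw . $TAINT;
    tainted($in) or die "setup failed: input is not tainted\n";

    my $out  = File::Spec->canonpath($in);
    my $kept = tainted($out) ? 1 : 0;
    $lost++ unless $kept;

    printf "%-28s -> %-24s taint %s\n",
        $raw, $out, $kept ? 'kept' : 'LOST';
}

printf "File::Spec %s: %s\n", File::Spec->VERSION,
    $lost ? 'canonpath() drops taint (affected)'
          : 'canonpath() propagates taint';

# Non-zero exit status lets a build or CI job fail on an affected install.
exit($lost ? 1 : 0);
```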
Created attachment 1108268
Created attachment 1108269
Patch - version correction
Red Hat would like to thank upstream developer Ricardo Signes for reporting this issue. Upstream acknowledges David Golden of MongoDB as the original reporter.
Created perl-PathTools tracking bugs for this issue:
Affects: fedora-all [bug 1297486]
Upstream bug: https://rt.perl.org/Public/Bug/Display.html?id=126862
perl-PathTools-3.60-2.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.
perl-PathTools-3.47-312.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.