File::Find::Rule through 0.34 for Perl is vulnerable to Arbitrary Code Execution when `grep()` encounters a crafted filename. A file handle is opened with the 2 argument form of `open()` allowing an attacker controlled filename to provide the MODE parameter to `open()`, turning the filename into a command to be executed. Example: $ mkdir /tmp/poc; echo > "/tmp/poc/|id" $ perl -MFile::Find::Rule \ -E 'File::Find::Rule->grep("foo")->in("/tmp/poc")' uid=1000(user) gid=1000(user) groups=1000(user),100(users)
Upstream fix <https://github.com/richardc/perl-file-find-rule/pull/4>, allegedly included in new 0.35 version.
FEDORA-EPEL-2025-9dcb1aae07 (perl-File-Find-Rule-0.35-1.el10_1) has been pushed to the Fedora EPEL 10.1 stable repository. If problem still persists, please make note of it in this bug report.
FEDORA-EPEL-2025-0d08cf47ee (perl-File-Find-Rule-0.35-1.el10_0) has been pushed to the Fedora EPEL 10.0 stable repository. If problem still persists, please make note of it in this bug report.
This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2025:9517 https://access.redhat.com/errata/RHSA-2025:9517
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2025:9605 https://access.redhat.com/errata/RHSA-2025:9605
This issue has been addressed in the following products: Red Hat Enterprise Linux 9.4 Extended Update Support Via RHSA-2025:9658 https://access.redhat.com/errata/RHSA-2025:9658
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Extended Lifecycle Support Via RHSA-2025:9740 https://access.redhat.com/errata/RHSA-2025:9740
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Extended Lifecycle Support Via RHSA-2025:9741 https://access.redhat.com/errata/RHSA-2025:9741