FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

p5-UI-Dialog -- shell command execution vulnerability

Affected packages
p5-UI-Dialog < 1.09_2

VuXML ID: 00dadbf0-6f61-11e5-a2a1-002590263bf5
Discovery: 2008-08-24
Entry: 2015-10-10

Matthijs Kooijman reports:

It seems that the whiptail, cdialog and kdialog backends apply some improper escaping in their shell commands, causing special characters present in menu item titles to be interpreted by the shell. This includes the backtick evaluation operator, so this constitutes a security issue, allowing execution of arbitrary commands if an attacker has control over the text displayed in a menu.

CVE Name: CVE-2008-7315
FreeBSD PR: ports/203667
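The report above describes a classic shell-metacharacter bug: a menu title is pasted into the command string handed to the whiptail/dialog backend, so the shell re-parses it and evaluates any backticks it contains. The POSIX sh script below is an added example, not code from UI::Dialog, its backends, or this advisory. It places the unsafe pattern (title interpolated into an evaluated string) next to the fix (every untrusted word single-quoted before the command string is built); the `--menu` argument layout and the titles are constructed for the demonstration.

```shell
#!/bin/sh
# Added example; not code from UI::Dialog, its backends, or the FreeBSD entry.
# Shows the bug class (a title re-parsed by the shell) next to the fix
# (single-quote every untrusted word before assembling the command string).

# UNSAFE: the title is interpolated into a string that the shell parses again,
# so backticks, $(...) and $VAR inside the title are expanded. printf stands in
# for the dialog backend so the example runs without whiptail installed.
unquoted_roundtrip() {
    eval "printf '%s' \"$1\""
}

# Quote one string so /bin/sh treats it as a single literal word. Inside single
# quotes nothing is expanded; an embedded ' is written as '\'' (close the
# quotes, one escaped quote, reopen).
shell_quote() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# SAFE: same round trip through eval, but the title is quoted first, so the
# shell passes it through unchanged.
quoted_roundtrip() {
    eval "printf '%s' $(shell_quote "$1")"
}

# Assemble a full backend invocation from untrusted tag/title pairs
# (constructed --menu layout). The returned string may be given to eval or
# "sh -c" without any of the titles being interpreted.
build_menu_cmd() {
    backend=$1; shift
    cmd="$(shell_quote "$backend") --menu 'Pick one' 20 60 10"
    for word in "$@"; do
        cmd="$cmd $(shell_quote "$word")"
    done
    printf '%s' "$cmd"
}

# Stand-alone run: a constructed title containing backticks and a quote.
title='Plan `echo hi`'
printf 'unquoted: %s\n' "$(unquoted_roundtrip "$title")"   # backticks evaluated
printf 'quoted:   %s\n' "$(quoted_roundtrip "$title")"     # title kept literal
build_menu_cmd whiptail 1 "$title" 2 "Tom's files"; echo
```

Quoting the string is the minimal fix when a backend must be driven through a shell command line; avoiding the shell entirely (in Perl, the list form of `system`/`exec`, or IPC::Open3 with a list) removes the re-parsing step altogether and is the stronger design.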