|
|
Message-Id: <08ED9A58-8DEB-4DB3-9912-703497E2AB80@stig.io>
Date: Wed, 8 Jul 2026 16:00:32 +0100
From: Stig Palmquist <stig@...g.io>
To: cve-announce@...urity.metacpan.org,
oss-security@...ts.openwall.com
Subject: CVE-2026-49147: App::Ack versions through 3.10.0 for Perl print
unsanitised terminal escape sequences from filenames in several output modes
========================================================================
CVE-2026-49147 CPAN Security Group
========================================================================
CVE ID: CVE-2026-49147
Distribution: ack
Versions: through 3.10.0
MetaCPAN: https://metacpan.org/dist/ack
VCS Repo: https://github.com/beyondgrep/ack3
App::Ack versions through 3.10.0 for Perl print unsanitised terminal
escape sequences from filenames in several output modes
Description
-----------
App::Ack versions through 3.10.0 for Perl print unsanitised terminal
escape sequences from filenames in several output modes.
When ack prints a filename whose basename contains terminal control
bytes such as ANSI escape sequences, those bytes reach the terminal
unchanged. Version 3.10.0 added a _safe_filename helper that sanitises
the filenames printed by -f, -g, the colored match heading, and
per-match lines, but the --show-types, -l/-L, and -c paths still emit
the raw filename.
A file whose name embeds cursor-movement or color escapes can overwrite
or recolor earlier terminal output, or be passed unchanged to a
downstream consumer.
Problem types
-------------
- CWE-150 Improper Neutralization of Escape, Meta, or Control Sequences
Workarounds
-----------
Pipe ack output through a filter that strips terminal control
characters when running ack over untrusted filenames.
Solutions
---------
Upgrade to a future ack release.
References
----------
https://metacpan.org/release/PETDANCE/ack-v3.10.0/source/Changes
Timeline
--------
- 2026-06-07: Version 3.10.0 released with partial fix for most output
paths.
Credits
-------
MichaĆ Majchrowicz (AFINE), finder
Marcin Wyczechowski (AFINE), finder
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.