PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-8704 TIMLEGGE CVE debrief

Crypt::DSA versions through 1.19 for Perl use a two-argument form of the open() function, which can allow existing files to be modified when the module handles DSA key files. The two-argument open is susceptible to shell metacharacter injection in the filename argument, potentially enabling an attacker to redirect output to arbitrary files or modify existing files if untrusted input is passed as a filename. This vulnerability was addressed in version 1.20. The issue was discussed on the oss-security mailing list and fixed by the maintainer TIMLEGGE.

Vendor: TIMLEGGE
Product: Crypt::DSA
CVSS: MEDIUM 6.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-15
Original CVE updated: 2026-05-18
Advisory published: 2026-05-15
Advisory updated: 2026-05-18

Who should care

Organizations running Perl applications that use Crypt::DSA for DSA cryptographic operations, particularly those accepting user-supplied filenames for key storage or retrieval. It also concerns system administrators maintaining Perl-based security infrastructure and developers of applications that handle DSA keys through this module.

Technical summary

The Crypt::DSA Perl module through version 1.19 uses the two-argument form of Perl's open() function when handling DSA key files. In that form the mode is parsed out of the filename string itself, so it is vulnerable to shell metacharacter injection, potentially allowing an attacker to modify existing files if untrusted input is used in filenames. The vulnerability is classified as CWE-552 (Files or Directories Accessible to External Parties). The fix in version 1.20 adopts the safer three-argument open() form, in which the mode is a separate argument and the filename is never interpreted for shell metacharacters.

Defensive priority

medium

Recommended defensive actions

  • Upgrade Crypt::DSA to version 1.20 or later, which replaces two-argument open() calls with the three-argument form to prevent file modification via shell metacharacter injection
  • Audit application code for any user-supplied filenames passed to Crypt::DSA key operations and validate or sanitize such inputs
  • Review file permissions on directories where Crypt::DSA key files are stored to limit unauthorized write access
  • Monitor for unexpected file modifications in directories used by Crypt::DSA for key storage
  • Consider implementing additional input validation wrappers around Crypt::DSA operations if immediate upgrade is not feasible
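The following Perl script is an added illustration for this debrief, not code from Crypt::DSA or its maintainer. It places the two-argument open() pattern the technical summary describes next to the three-argument form adopted in 1.20, and adds a hypothetical validation wrapper (safe_key_path, a name assumed here) of the kind the recommendations above suggest for callers that must accept user-supplied key names. The key file and the rejected names are constructed for the demo.

```perl
#!/usr/bin/env perl
use strict;
use warnings;
use File::Temp qw(tempdir);
use File::Spec;

# CONTRAST ONLY: the pattern the advisory describes. With two-argument open,
# Perl parses the mode out of the string itself: a leading '>' means write
# (truncating the file), '>>' means append, and a trailing '|' turns the
# string into a pipe command. A caller that passes an untrusted name here
# therefore lets that name choose the mode. This sub is never called below.
sub read_key_two_arg {
    my ($path) = @_;
    open(my $fh, $path) or die "open '$path': $!";
    local $/;
    my $pem = <$fh>;
    close $fh;
    return $pem;
}

# Hardened form corresponding to the 1.20 fix: the mode is its own argument,
# so $path is always treated as a literal file name, whatever it contains.
sub read_key_three_arg {
    my ($path) = @_;
    open(my $fh, '<', $path) or die "open '$path': $!";
    local $/;
    my $pem = <$fh>;
    close $fh;
    return $pem;
}

# Hypothetical input-validation wrapper for code that cannot upgrade yet:
# confine user-supplied key names to a fixed directory and a conservative
# character set, so no mode characters, pipes, leading whitespace or path
# separators ever reach open() at all.
sub safe_key_path {
    my ($keydir, $name) = @_;
    die "invalid key name\n"
        unless defined $name && $name =~ /\A[A-Za-z0-9][A-Za-z0-9._-]{0,254}\z/;
    my $path = File::Spec->catfile($keydir, $name);
    die "key not found: $name\n" unless -f $path;
    return $path;
}

# Demo on a temporary directory with a constructed (not real) key file.
my $keydir = tempdir(CLEANUP => 1);
my $good   = File::Spec->catfile($keydir, 'server.pem');
open(my $out, '>', $good) or die "create '$good': $!";
print {$out} "-----BEGIN DSA PRIVATE KEY-----\nCONSTRUCTED-SAMPLE\n-----END DSA PRIVATE KEY-----\n";
close $out;

print read_key_three_arg(safe_key_path($keydir, 'server.pem'));

# Constructed names that two-argument open would read as a mode or a pipe;
# each is rejected by the wrapper before any open() call is made.
for my $bad ('>server.pem', '>>server.pem', 'echo oops |', ' server.pem', '../server.pem') {
    my $path = eval { safe_key_path($keydir, $bad) };
    printf "%-18s => %s", "'$bad'", defined $path ? "ACCEPTED\n" : $@;
}
```

The wrapper is deliberately stricter than the three-argument open() alone needs: even after upgrading, keeping key names to a whitelist inside a fixed directory limits what a user-supplied value can reach, which is the intent of the audit and permission-review actions listed above.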

Evidence notes

The vulnerability is documented in the Crypt-DSA 1.20 changelog and code diff showing the fix from two-argument to three-argument open() calls. The oss-security mailing list post provides additional context on the security implications.

Official resources

2026-05-15