perl.perl5.porters | Postings from September 2002

[perl #17698] Consultation required on possible Perl security issue

From: Steve Christey
Date: September 30, 2002 21:04
Subject: [perl #17698] Consultation required on possible Perl security issue
Message ID: rt-17698-38985.1.4715474609234@bugs6.perl.org

# New Ticket Created by  Steve Christey 
# Please include the string:  [perl #17698]
# in the subject line of all future correspondence about this issue. 
# <URL: http://rt.perl.org/rt2/Ticket/Display.html?id=17698 >



Hello,

I am a computer security researcher.  I have recently found some ways
that programmers could misuse certain Perl functions with potential
security implications (no, not the same old open() or system()
problems).

However, there is a possibility that there are security-related bugs
in Perl itself, including a potential bug in the taint checker.  I
would like to consult with someone to confirm this issue.

Because I don't know who is going to see this email, I am omitting
details until I hear from someone.  However, one vulnerability
researcher has already alluded to the type of problem I am discussing,
so the issue is at least partially public.

The Responsible Vulnerability Disclosure Process guidelines [1]
suggest that a vendor or developer should respond to an initial
security vulnerability report within 7 days.  I hope to hear from you
within that time frame.


Regards,

Steve Christey
Principal Information Security Engineer
The MITRE Corporation

[1] http://www.ietf.org/internet-drafts/draft-christey-wysopal-vuln-disclosure-00.txt


