develooper Front page | perl.perl5.porters | Postings from September 2014

fix for CVE-2014-4330 present in blead

Thread Next
From:
Ricardo Signes
Date:
September 18, 2014 13:25
Subject:
fix for CVE-2014-4330 present in blead
Message ID:
20140918132525.GA8867@cancer.codesimply.com
I have just pushed up 19be3be6, which addresses CVE-2014-4330.

CVE-2014-4330 reports a stack exhaustion bug in Data::Dumper, when it attempts
to recurse without limit.  The bug was reported by LSE Leading Security Experts
GmbH employee Markus Vervier.  The fix was written by Tony Cook.  By default,
Data::Dumper will now limit recursion to 1000 levels, but this can be
configured by $Maxrecurse.

This patch has been pre-seeded to downstream vendors, who will apply it as they
see fit.  Expect a new release of Data::Dumper soon.

I believe the risk of any exploit arising from this bug to be quite low.

-- 
rjbs
Thread Next


nntp.perl.org: Perl Programming lists via nntp and http.
Comments to Ask Bjørn Hansen at ask@perl.org | Group listing | About