develooper Front page | perl.qa | Postings from September 2008

Re: [RFC] Dealing with World-writable Files in the Archive of CPAN Distributions

From: Ovid
Date: September 22, 2008 14:51
Subject: Re: [RFC] Dealing with World-writable Files in the Archive of CPAN Distributions
Message ID: 765891.37015.qm@web65704.mail.ac4.yahoo.com
--- On Mon, 22/9/08, Shlomi Fish <shlomif@iglu.org.il> wrote:

> http://rt.cpan.org/Ticket/Display.html?id=39516
> 
> Please don't keep it more public than it is already
> until there's a good fix.

Why not?  I am completely at a loss here.

You have not addressed the fundamental issue.  If a malicious user has access to your box, how is this *remotely* an attractive target?  Seriously, I want to understand this because clearly my admittedly poor knowledge of security is even poorer than I thought.

Could you please explain how someone would really attack this?  I understand your 'rm -fr $HOME' example, but you've not shown how someone could even come close to taking advantage of that race condition.

First, you have to consider systems on which:

* Perl is actively used
* People using Perl use CPAN or CPANPLUS instead of installing directly.
* Why a malicious attacker is willing to wait around for that infrequent usage
* How they could conceivably exploit it

Don't get me wrong.  I acknowledge the race condition here, but we're talking about an IDIOT attacker going after something so ridiculously difficult to exploit in lieu of an incredibly target-rich field since you assume they have access to the box.

Again, I know little about this issue, so your addressing those points would be helpful.  Remember, in security, the most important things to address are those with a low cost to benefit ratio and I'm just not seeing that here.

Cheers,
Ovid
--
Buy the book         - http://www.oreilly.com/catalog/perlhks/
Tech blog            - http://use.perl.org/~Ovid/journal/
Twitter              - http://twitter.com/OvidPerl
Official Perl 6 Wiki - http://www.perlfoundation.org/perl6
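The thread is about distribution tarballs that carry world-writable entries, which become world-writable files on disk when a CPAN client unpacks them. As an added illustration (not code from either post or from any CPAN tool), the following audit locates such entries in a tarball before extraction and shows the mode a umask of 022 would leave instead; the distribution name, file names and modes in the sample are constructed.

```python
"""Audit a distribution tarball for world-writable members (added example)."""
import io
import stat
import tarfile

# Bits that a conventional umask of 022 strips at extraction time.
UMASK_022 = 0o022


def find_world_writable(tar_bytes):
    """Return (name, mode) for each tar member whose mode has the o+w bit.

    The tarball is read from memory so the check runs before anything
    touches the file system.
    """
    hits = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tf:
        for member in tf.getmembers():
            if member.mode & stat.S_IWOTH:
                hits.append((member.name, member.mode & 0o7777))
    return hits


def sanitize_mode(mode):
    """Mode an extractor applying umask 022 would give this member."""
    return mode & ~UMASK_022


def build_sample_dist():
    """Constructed sample tarball: one world-writable file and directory."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for name, mode, is_dir in (
            ("Foo-0.01", 0o755, True),
            ("Foo-0.01/Makefile.PL", 0o644, False),
            ("Foo-0.01/lib/Foo.pm", 0o666, False),   # world-writable file
            ("Foo-0.01/t", 0o777, True),             # world-writable dir
        ):
            info = tarfile.TarInfo(name)
            info.mode = mode
            if is_dir:
                info.type = tarfile.DIRTYPE
                tf.addfile(info)
            else:
                data = b"# constructed sample content\n"
                info.size = len(data)
                tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


if __name__ == "__main__":
    for name, mode in find_world_writable(build_sample_dist()):
        print(f"{name}: {mode:04o} -> {sanitize_mode(mode):04o}")
```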
