perl.perl5.porters | Postings from September 2002

[perl #17698] Consultation required on possible Perl security issue

Steve Christey
September 30, 2002 21:04
[perl #17698] Consultation required on possible Perl security issue
# New Ticket Created by  Steve Christey 
# Please include the string:  [perl #17698]
# in the subject line of all future correspondence about this issue. 
# <URL: >


I am a computer security researcher.  I have recently found some ways
that programmers could misuse certain Perl functions with potential
security implications (no, not the same old open() or system()

However, there is a possibility that there are security-related bugs
in Perl itself, including a potential bug in the taint checker.  I
would like to consult with someone to confirm this issue.

Because I don't know who is going to see this email, I am omitting
details until I hear from someone.  However, one vulnerability
researcher has already alluded to the type of problem I am discussing,
so the issue is at least partially public.

The Responsible Vulnerability Disclosure Process guidelines [1]
suggest that a vendor or developer should respond to an initial
security vulnerability report within 7 days.  I hope to hear from you
within that time frame.


Steve Christey
Principal Information Security Engineer
The MITRE Corporation

