perl.perl5.porters | Postings from September 2012

Re: Re: Use Module::Load More Pervasively (was Re: Re: Taking CPANPLUS out of core)

From: chromatic
Date: September 29, 2012 12:40
Subject: Re: Re: Use Module::Load More Pervasively (was Re: Re: Taking CPANPLUS out of core)
Message ID: 2152786.1ePJRoPCnv@innerwheel
On Saturday, September 29, 2012 07:14:01 PM Leon Timmermans wrote:

> Yeah. Digest had a serious CVE last year because of this
> (CVE-2011-3597). The "require $module" idiom can easily escalate a
> small validation issue into run-any-code-you-want.

I've already sent in a patch for one (non-core) module in which you can set an
environment variable and run arbitrary code. In a quick review of bleadperl I
haven't found any vulnerabilities quite that serious, but I did find a couple
of suspicious places.

What's the best way to handle this?

-- c
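The point Leon raises above is that `require $module` with a string argument treats that string as a file name to search for in @INC (or as a path if it starts with `/` or `./`), so any gap in validating `$module` becomes a way to load code that was never meant to be a module. The following is an added illustration, not code from the thread or from any of the modules discussed: a hypothetical `safe_require` helper that whitelists the shape of a module name before delegating to Module::Load's `load`, with constructed sample inputs to show which ones are turned away.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Module::Load;   # core since 5.9.4; load() maps Foo::Bar to Foo/Bar.pm

# Hypothetical helper (not from the thread): accept only strings that look
# like a Perl package name, then hand the validated name to Module::Load.
# Module::Load's load() itself accepts file paths as well as package names,
# so the validation has to happen here, before the call.
sub safe_require {
    my ($name) = @_;

    # Allowed: Foo, Foo::Bar, Foo::Bar::Baz (ASCII identifiers only).
    # Rejected: anything with /, ., whitespace or other path-like content.
    die "refusing to load invalid module name '$name'\n"
        unless $name =~ /\A[A-Za-z_][A-Za-z0-9_]*(?:::[A-Za-z_][A-Za-z0-9_]*)*\z/;

    load $name;         # croaks if the module cannot be found or compiled
    return $name;
}

# Constructed inputs for demonstration: two real core modules, a path-like
# value of the kind an unchecked require would search @INC for, and junk.
my @inputs = (
    'Digest::MD5',
    'List::Util',
    '../not_a_module.pl',
    'Foo Bar',
);

for my $candidate (@inputs) {
    my $ok = eval { safe_require($candidate); 1 };
    printf "%-22s %s", $candidate, $ok ? "loaded\n" : "rejected: $@";
}
```

Run as-is, the two package names load and the other two inputs are rejected by the regex before `load` ever sees them. The check is deliberately narrower than what `require` would accept: it refuses anything containing a slash or dot, which is exactly the class of value that turns a small validation slip into loading an attacker-chosen file. An environment variable or configuration value that ends up in `$name` should always pass through a check like this rather than going straight into `require`.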
