perl.perl5.porters | Postings from October 2012

Re: Security Issues in perl-5.16.x

Jesse Luehrs
October 1, 2012 17:11
On Mon, Oct 01, 2012 at 07:01:56PM -0500, Reini Urban wrote:
> On Mon, Oct 1, 2012 at 6:10 PM, demerphq <> wrote:
> > I hope that anyone reading this thread understands that you have not
> > substantiated your claims and that until you do anything you say
> > should be taken to be FUD.
> This is a worthless discussion. Most of my security fixes were applied by
> the respective authors sooner or later already. Not FUD.
> Most of them just too late for the 5.16.0 release.
> It just needed about 6 months to acknowledge most issues.
> Problem is that most authors do understand the issues, just p5p and the
> security list not. Which makes me wonder.
> And as I said, it will need about 2 years to acknowledge the \0 issue,
> the new shiny binary-safe parser and vm.
> And the author understood this very issue. I talked to him at YAPC Madison.

Just because your patches were applied doesn't mean that they were
*security* bugs. I agree that it's probably a bug that 'require
"\0bar"' sets $INC{"\0bar"} instead of $INC{""}, and I
think it probably should be fixed, but I still haven't seen any evidence
that this is a *security* bug. There is a difference.

