
Re: Security Issues in perl-5.16.x

From: Jesse Luehrs
Date: October 1, 2012 17:11
Subject: Re: Security Issues in perl-5.16.x
Message ID: 20121002001123.GD10026@tozt.net
On Mon, Oct 01, 2012 at 07:01:56PM -0500, Reini Urban wrote:
> On Mon, Oct 1, 2012 at 6:10 PM, demerphq <demerphq@gmail.com> wrote:
> > I hope that anyone reading this thread understands that you have not
> > substantiated your claims and that until you do anything you say
> > should be taken to be FUD.
> 
> This is a worthless discussion. Most of my security fixes were applied by
> the respective authors sooner or later already. Not FUD.
> Most of them just too late for the 5.16.0 release.
> 
> It just needed about 6 months to acknowledge most issues.
> Problem is that most authors do understand the issues, just p5p and
> the security list not. Which makes me wonder.
> 
> And as I said, it will need about 2 years to acknowledge the \0 issue,
> the new shiny binary-safe parser and vm.
> And the author understood this very issue. I talked to him at YAPC Madison.

Just because your patches were applied doesn't mean that they were
*security* bugs. I agree that it's probably a bug that 'require
"foo.pl\0bar"' sets $INC{"foo.pl\0bar"} instead of $INC{"foo.pl"}, and I
think it probably should be fixed, but I still haven't seen any evidence
that this is a *security* bug. There is a difference.

-doy
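The divergence under discussion is between the string Perl holds (used as the %INC key) and the NUL-terminated name the C library actually opens. The following is an added illustration, not code from the thread or from perl itself: a hypothetical `safe_require` guard that computes the C-visible name and refuses any path where the two differ, so a lookup key can never refer to a different file than the one opened.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Name the C library would see if this string were handed to a
# NUL-terminated API: everything before the first "\0".
sub c_visible_name {
    my ($name) = @_;
    my $nul = index $name, "\0";
    return $nul < 0 ? $name : substr($name, 0, $nul);
}

# Printable form with control bytes escaped (hypothetical helper).
sub _show {
    my ($s) = @_;
    (my $out = $s) =~ s/([^\x20-\x7e])/sprintf('\\x%02x', ord $1)/ge;
    return qq{"$out"};
}

# Reject any path whose Perl-level value and C-level value differ.
sub assert_no_embedded_nul {
    my ($name) = @_;
    my $seen = c_visible_name($name);
    die sprintf("embedded NUL in path: perl sees %s, C would open %s\n",
                _show($name), _show($seen)) if $seen ne $name;
    return $name;
}

# Guarded require (hypothetical): validate first, then delegate to the
# real require with the checked scalar so %INC is keyed by a clean name.
sub safe_require {
    my ($name) = @_;
    my $checked = assert_no_embedded_nul($name);
    return require $checked;
}

# Constructed sample inputs, not taken from the original thread.
for my $candidate ("foo.pl", "foo.pl\0bar") {
    my $ok = eval { assert_no_embedded_nul($candidate); 1 };
    chomp(my $err = $@ // '');
    printf "%-18s -> %s\n", _show($candidate),
        $ok ? "accepted" : "rejected: $err";
}
```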
