perl.perl5.porters | Postings from October 2012

Re: Security Issues in perl-5.16.x

Reini Urban
October 1, 2012 18:30
On Mon, Oct 1, 2012 at 8:17 PM, Aristotle Pagaltzis <> wrote:
> * demerphq <> [2012-10-02 01:15]:
>> Which module is that? Please start substantiating your accusations or
>> stop spreading FUD.
>> Seriously Reini, a lot of people have spent a lot of time looking into
>> and discussing the issues you raise and we have in the past asked
>> questions to substantiate your claims and gotten very little back to
>> work with.
> From the perspective of someone who is not on the perlsec list, this
> entire conversation is completely useless – all I can see is mutual
> finger-pointing and “you don’t get it” vs “you don’t know what you’re
> talking about” with no facts on which to evaluate these claims.

Aristotle: I already disclosed all the bugs pointed out to the sec list.
6 of 8 were fixed already.
I haven't added a ticket for checking \0 in the middle of stringified names
but posted it on p5p, and the same for require not checking for \0 in

The last two were outlined as FUD, which I do not accept, unless
someone can persuade me.
All this discussion was public on p5p.
Chip threatened to fork perl if \0 in names were disallowed, which I
found amusing.
I think he wanted to keep \0 at the end, because they do not do much
harm. I meant \0 in the middle.

The seclist discussion is over already, as those issues have been
fixed. They were also outlined as FUD which I also refuse to accept,
as they were simple problems already fixed.
Just not fast enough for the release.
Reini Urban
