
Re: Security Issues in perl-5.16.x

From: Jesse Luehrs
Date: October 1, 2012 21:53
Subject: Re: Security Issues in perl-5.16.x
Message ID: 20121002045320.GF10026@tozt.net

On Tue, Oct 02, 2012 at 05:49:07AM +0200, Aristotle Pagaltzis wrote:
> * demerphq <demerphq@gmail.com> [2012-10-02 04:05]:
> > Perl never promised to save anyone from shooting their foot off, quite
> > the opposite. That is very different from someone diligent being
> > vulnerable because they use Perl due to a bug in Perl.
> >
> > So far you haven't shown the latter and this conversation sounds like
> > FUD motivated by the p5p community not doing what you want us to do.
> 
> So far I don’t see any security implications either. This seems like
> a case of Reini doing himself a disservice. Needlessly alarming rhetoric
> or not, see, I agree with him that syscalls shouldn’t be passed NULs.
> Sure, Perl enough rope to shoot yourself yada yada; but that applies to
> where Perl doesn’t keep you from doing stupid things because doing so
> would also keep you from doing clever things. In this case, which *are*
> the clever things you could be doing? Can you illustrate how this aspect
> of perl’s behaviour can be used fruitfully? Or is it just a (mostly
> harmless?) oddity that won’t get fixed simply because, well, it’s stupid
> and you’re allowed to do stupid things?
> 
> [Note I’m not (at this time) arguing about what action should be taken.
>  What I’m asking is only whether we agree on the principle.]

+1. This probably should be considered a bug, but there has not been
sufficient evidence that it is a security bug.

-doy
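The point under discussion is whether a Perl string with an embedded NUL should ever reach a syscall at all. The following is an added illustration, not code from the thread or from perl itself: it shows the defensive check a caller can apply before handing a path to `open`, and contrasts it with what happens when the unchecked string is passed through (on perls of this era the buffer went to the C library and was cut at the first NUL; newer perls fail the call instead, which the `else` branch handles). The helper names and the constructed filename are assumptions made for the example.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use File::Temp qw(tempdir);
use File::Spec;

# Return the path unchanged if it is safe to hand to a syscall, or die if
# it contains an embedded NUL byte. (Hypothetical helper for this example.)
sub nul_free_path {
    my ($path) = @_;
    my $pos = index($path, "\0");
    if ($pos >= 0) {
        die sprintf("refusing path with embedded NUL at offset %d: %s\n",
                    $pos, _printable($path));
    }
    return $path;
}

# Escape non-printable bytes so the offending string can be logged safely.
sub _printable {
    my ($s) = @_;
    $s =~ s/([^[:print:]])/sprintf('\\x%02x', ord $1)/ge;
    return $s;
}

# Demonstration in a scratch directory, using a constructed name that reads
# "report.txt", then a NUL, then a different suffix.
my $dir  = tempdir(CLEANUP => 1);
my $name = "report.txt\0.secret";

# Unchecked: if perl passes the buffer straight to the C library, the kernel
# only ever sees "report.txt"; everything after the NUL is silently dropped.
if (open my $fh, '>', File::Spec->catfile($dir, $name)) {
    close $fh;
    opendir my $dh, $dir or die "opendir: $!";
    print "created: $_\n" for grep { !/^\.\.?$/ } readdir $dh;
    closedir $dh;
}
else {
    # Newer perls refuse such strings outright and set $! accordingly.
    print "open refused by perl: $!\n";
}

# Checked: the guard rejects the string before any syscall is attempted.
eval { nul_free_path($name) };
print "guard: $@" if $@;
```

The guard makes the failure explicit and loggable regardless of which behaviour the running perl has, which is the property a diligent caller wants.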
