
fix for CVE-2014-4330 present in blead

Ricardo Signes
September 18, 2014 13:25
I have just pushed up 19be3be6, which addresses CVE-2014-4330.

CVE-2014-4330 reports a stack exhaustion bug in Data::Dumper, when it attempts
to recurse without limit.  The bug was reported by LSE Leading Security Experts
GmbH employee Markus Vervier.  The fix was written by Tony Cook.  By default,
Data::Dumper will now limit recursion to 1000 levels, but this can be
configured by $Maxrecurse.

This patch has been pre-seeded to downstream vendors, who will apply it as they
see fit.  Expect a new release of Data::Dumper soon.

I believe the risk of any exploit arising from this bug to be quite low.
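
The recursion limit described in the message above, shown as an added example that is not part of the original post or of the patch itself. It assumes an installed Data::Dumper that includes this fix; the helper names nested and safe_dump and the nested input are constructed for illustration.

```perl
use strict;
use warnings;
use Data::Dumper;

# Constructed input: an array reference nested $depth levels deep.
sub nested {
    my ($depth) = @_;
    my $ref = [];
    $ref = [$ref] for 2 .. $depth;
    return $ref;
}

# Dump $data under an optional recursion limit (hypothetical helper).
# Returns (text, undef) on success or (undef, error) when the dump is
# refused, so the caller handles an exception instead of a crashed process.
sub safe_dump {
    my ($data, $limit) = @_;
    # With no explicit limit, Data::Dumper's own default applies
    # (1000 levels, per the announcement).
    local $Data::Dumper::Maxrecurse = $limit if defined $limit;
    local $Data::Dumper::Indent = 0;    # compact output for the demo
    my $out = eval { Dumper($data) };
    return ($out, undef) if defined $out;
    chomp(my $err = $@);
    return (undef, $err);
}

# Shallow data under a tight limit, deep data under the same limit,
# and data deeper than the default limit.
for my $case ([5, 10], [50, 10], [1500, undef]) {
    my ($depth, $limit) = @$case;
    my ($out, $err) = safe_dump(nested($depth), $limit);
    printf "depth %4d, limit %-7s: %s\n", $depth, $limit // 'default',
        defined $out ? 'dumped ' . length($out) . ' bytes' : "refused: $err";
}
```

Code that dumps structures built from untrusted input can set a limit well below the default when it knows how deep legitimate data gets, and treat the exception as a rejected input.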

