perl.perl5.porters | Postings from September 2014

Re: fix for CVE-2014-4330 present in blead

From: Father Chrysostomos
Date: September 18, 2014 13:30
Subject: Re: fix for CVE-2014-4330 present in blead
Message ID: 20140918133018.20855.qmail@lists-nntp.develooper.com
Ricardo Signes wrote:
> I have just pushed up 19be3be6, which addresses CVE-2014-4330.
> 
> CVE-2014-4330 reports a stack exhaustion bug in Data::Dumper, when it attempts
> to recurse without limit.  The bug was reported by LSE Leading Security Experts
> GmbH employee Markus Vervier.  The fix was written by Tony Cook.  By default,
> Data::Dumper will now limit recursion to 1000 levels, but this can be
> configured by $Maxrecurse.
> 
> This patch has been pre-seeded to downstream vendors, who will apply it as they
> see fit.  Expect a new release of Data::Dumper soon.

Instead of changing the behaviour and setting the default to 1000
whether the user asked for it or not, shouldn’t we instead have the
XS implementation fall back to the Perl implementation if it reaches
this limit?
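A worked example of the behaviour the thread is discussing, added here and not taken from the thread or from the Data::Dumper distribution. It builds a structure nested deeper than the new default, shows that Dumper now refuses it instead of recursing until the C stack is exhausted, raises $Data::Dumper::Maxrecurse to let the dump through, and runs the same check against the pure-Perl implementation ($Data::Dumper::Useperl) that the reply proposes as a fallback. It assumes Data::Dumper 2.154 or later (the release carrying the CVE-2014-4330 fix, where $Maxrecurse first appears) and assumes the refusal message begins with "Recursion limit"; the functions deep_structure and try_dump are this example's own.

```perl
#!/usr/bin/perl
# Added example (not code from the thread or from Data::Dumper itself).
# Assumes Data::Dumper >= 2.154, which introduced $Data::Dumper::Maxrecurse;
# on older releases the variable is ignored and a deep dump can still
# exhaust the C stack.
use strict;
use warnings;
use Data::Dumper;

# Build a structure nested $depth levels deep *iteratively*, so the builder
# itself never recurses: [[[[ ... 'leaf' ... ]]]].
sub deep_structure {
    my ($depth) = @_;
    my $node = 'leaf';
    $node = [ $node ] for 1 .. $depth;
    return $node;
}

# Dump $data under a given recursion ceiling (0 = no limit, per the
# Data::Dumper docs) and report whether Dumper completed or refused.
# Returns (ok, output_length_or_error_message).
sub try_dump {
    my ($data, $limit) = @_;
    local $Data::Dumper::Maxrecurse = $limit;
    local $Data::Dumper::Indent     = 0;   # compact output; depth unaffected
    my $out = eval { Dumper($data) };
    return (1, length $out) if defined $out;
    (my $err = $@) =~ s/\s+at .*//s;       # drop the "at FILE line N" suffix
    return (0, $err);                      # assumed to start "Recursion limit"
}

my $depth = 1500;
my $data  = deep_structure($depth);

# 1. Default ceiling (1000): 1500 levels must be refused, not crash.
my ($ok, $info) = try_dump($data, 1000);
printf "XS,  limit 1000, depth %d: %s\n", $depth,
    $ok ? "dumped $info bytes" : "refused: $info";

# 2. Ceiling above the real depth: the dump completes.
($ok, $info) = try_dump($data, 2000);
printf "XS,  limit 2000, depth %d: %s\n", $depth,
    $ok ? "dumped $info bytes" : "refused: $info";

# 3. Pure-Perl implementation, the fallback suggested in the reply.
#    It honours the same ceiling, so it refuses the 1500-level structure too.
{
    local $Data::Dumper::Useperl = 1;
    ($ok, $info) = try_dump($data, 1000);
    printf "PP,  limit 1000, depth %d: %s\n", $depth,
        $ok ? "dumped $info bytes" : "refused: $info";
}
```

Run it as a plain script; the first and third dumps should be refused with the recursion-limit exception caught by eval, and the second should print the byte length of the completed dump. Setting $Data::Dumper::Maxrecurse = 0 restores the pre-fix unlimited behaviour, which is only safe for data whose depth the caller controls.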

