
Re: fix for CVE-2014-4330 present in blead

From: demerphq
Date: September 18, 2014 16:14
Subject: Re: fix for CVE-2014-4330 present in blead
Message ID: CANgJU+WcqFfnVzMSLGTUrWawb2YfozoAmPnvW4YmOO5x=19F=A@mail.gmail.com
On 18 September 2014 15:30, Father Chrysostomos <sprout@cpan.org> wrote:

> Ricardo Signes wrote:
> > I have just pushed up 19be3be6, which addresses CVE-2014-4330.
> >
> > CVE-2014-4330 reports a stack exhaustion bug in Data::Dumper, when it attempts
> > to recurse without limit.  The bug was reported by LSE Leading Security Experts
> > GmbH employee Markus Vervier.  The fix was written by Tony Cook.  By default,
> > Data::Dumper will now limit recursion to 1000 levels, but this can be
> > configured by $Maxrecurse.
> >
> > This patch has been pre-seeded to downstream vendors, who will apply it as they
> > see fit.  Expect a new release of Data::Dumper soon.
>
> Instead of changing the behaviour and setting the default to 1000
> whether the user asked for it or not, shouldn't we instead have the
> XS implementation fall back to the Perl implementation if it reaches
> this limit?
>
Personally I would say no. If someone wanted to use the Pure Perl version
they would. Falling back to it IMO could make the use case worse.

Yves


-- 
perl -Mre=debug -e "/just|another|perl|hacker/"
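The $Maxrecurse limit discussed in this thread, shown as an added example that is not code from the thread or from Data::Dumper itself: a constructed structure nested deeper than the 1000-level default is refused with an exception instead of exhausting the stack, and the limit can be raised per call with $Data::Dumper::Maxrecurse (the helper names nested_chain and try_dump are this example's own).

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Data::Dumper;

# Constructed input: a chain of array references nested $depth levels deep.
sub nested_chain {
    my ($depth) = @_;
    my $node = 'leaf';
    $node = [ $node ] for 1 .. $depth;
    return $node;
}

# Dump $data under an optional recursion limit and report what happened.
# An undefined $limit keeps the module default (1000 since the CVE-2014-4330 fix);
# 0 would remove the limit entirely and restore the unbounded pre-fix behaviour.
sub try_dump {
    my ($data, $limit) = @_;
    local $Data::Dumper::Maxrecurse = $limit if defined $limit;
    local $Data::Dumper::Indent    = 0;      # keep the output on one line
    my $out = eval { Dumper($data) };
    return defined $out
        ? "dumped " . length($out) . " bytes"
        : "refused: $@";                     # "Recursion limit of N exceeded ..."
}

my $shallow = nested_chain(10);
my $deep    = nested_chain(1500);            # deeper than the default of 1000

print "shallow, default limit: ", try_dump($shallow),       "\n";
print "deep, default limit:    ", try_dump($deep),          "\n";
print "deep, limit raised:     ", try_dump($deep, 2000),    "\n";
```

The second call is the one the patch changed: before the fix the XS dumper would keep recursing into untrusted input until the C stack ran out, so code that dumps data it did not build should leave the default in place rather than raise it.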
