develooper Front page | perl.perl5.porters | Postings from April 2015

Re: Bug#776270: perl: CVE-2012-3878 module loading security weakness

Thread Next
From:
Dominic Hargreaves
Date:
April 11, 2015 15:09
Subject:
Re: Bug#776270: perl: CVE-2012-3878 module loading security weakness
Message ID:
20150411150857.GC5148@urchin.earth.li
Control: tags -1 -security
Control: found -1 5.20.2-3

On Mon, Jan 26, 2015 at 12:20:40PM +0200, Niko Tyni wrote:
> On Mon, Jan 26, 2015 at 09:25:33AM +0200, Niko Tyni wrote:
> > On Sun, Jan 25, 2015 at 11:00:27PM -0500, Michael Gilbert wrote:
> > > package: src:perl
> > > severity: normal
> > > tags: security
> > > 
> > > Hi,
> > > 
> > > There was a CVE assigned to this issue a while ago with strangely
> > > enough no real details.  The only non-boilerplate information about it
> > > is at osvdb, but they don't provide any details that could be used to
> > > fix the issue:
> > > http://osvdb.org/show/osvdb/106565
> > 
> > By that description this seems to be a dup of #588017 
> > ("current directory in @INC potentially harmful")?
> 
> Apparently not, but rather the fact that
>  perl -e 'require ::foo'
> will try to load /foo.pm .
> 
> Florian Weimer has just asked for CVE-2012-3878 to be rejected
> as upstream decided it's not a vulnerability.
> 
>  http://www.openwall.com/lists/oss-security/2015/01/26/3
>  http://www.nntp.perl.org/group/perl.perl5.porters/2012/07/msg189909.html

Indeed; unsetting the security tag accordingly. I note that this issue,
if it is an issue, is still unresolved (the smoke-me/require branch
still exists unmerged).

I can't see any upstream bug about this; should there be or do people
think it's a complete non-bug?

Cheers,
Dominic.

Thread Next


nntp.perl.org: Perl Programming lists via nntp and http.
Comments to Ask Bjørn Hansen at ask@perl.org | Group listing | About