develooper Front page | perl.perl5.porters | Postings from September 2015

Re: Bug#776270: perl: CVE-2012-3878 module loading security weakness

Thread Previous | Thread Next
From:
Dave Mitchell
Date:
September 24, 2015 12:38
Subject:
Re: Bug#776270: perl: CVE-2012-3878 module loading security weakness
Message ID:
20150924123810.GE16789@iabyn.com
On Sat, Apr 11, 2015 at 04:08:57PM +0100, Dominic Hargreaves wrote:
> Control: tags -1 -security
> Control: found -1 5.20.2-3
> 
> On Mon, Jan 26, 2015 at 12:20:40PM +0200, Niko Tyni wrote:
> > On Mon, Jan 26, 2015 at 09:25:33AM +0200, Niko Tyni wrote:
> > > On Sun, Jan 25, 2015 at 11:00:27PM -0500, Michael Gilbert wrote:
> > > > package: src:perl
> > > > severity: normal
> > > > tags: security
> > > > 
> > > > Hi,
> > > > 
> > > > There was a CVE assigned to this issue a while ago with strangely
> > > > enough no real details.  The only non-boilerplate information about it
> > > > is at osvdb, but they don't provide any details that could be used to
> > > > fix the issue:
> > > > http://osvdb.org/show/osvdb/106565
> > > 
> > > By that description this seems to be a dup of #588017 
> > > ("current directory in @INC potentially harmful")?
> > 
> > Apparently not, but rather the fact that
> >  perl -e 'require ::foo'
> > will try to load /foo.pm .
> > 
> > Florian Weimer has just asked for CVE-2012-3878 to be rejected
> > as upstream decided it's not a vulnerability.
> > 
> >  http://www.openwall.com/lists/oss-security/2015/01/26/3
> >  http://www.nntp.perl.org/group/perl.perl5.porters/2012/07/msg189909.html
> 
> Indeed; unsetting the security tag accordingly. I note that this issue,
> if it is an issue, is still unresolved (the smoke-me/require branch
> still exists unmerged).
> 
> I can't see any upstream bug about this; should there be or do people
> think it's a complete non-bug?

Well,

    bleadperl -e'require ::Foo'
    
still ignores @INC and tries to load /foo.pm, so I'd say it's still a bug
that needs fixing. Some of the commits from Nicholas's smoke-me/require
branch appear to have made it into blead, but not the one(s) which from
their description(s), appear to fix this.

Nicholas, do you know what the status of your branch is?


-- 
Indomitable in retreat, invincible in advance, insufferable in victory
    -- Churchill on Montgomery

Thread Previous | Thread Next


nntp.perl.org: Perl Programming lists via nntp and http.
Comments to Ask Bjørn Hansen at ask@perl.org | Group listing | About