CVE-2016-2381: duplicate environment variables

Ricardo Signes
March 1, 2016 12:39
Today, I pushed ae37b791 and matching patches to blead, maint-5.22, and
maint-5.20.  These address a problem that has been assigned CVE-2016-2381.

Prior to this patch, when an environment variable "X" appears multiple times in
envp, perl could return different values for $ENV{"X"} than that provided by
getenv("X").  Further, subprocesses could inherit surprising environment
variables because of this.

This problem was originally reported by Stephane Chazelas.

rjbs
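
The mismatch described in the message above, as an added example that is not part of the original post or of the perl patch: two ways of reading the same envp block return different values when a name is duplicated, and a first-wins pass over the block removes the ambiguity. The function names and the sample block are constructed for illustration, and the example does not claim which strategy any particular program uses.

```c
#include <stdio.h>
#include <string.h>

/* Return the value part if entry is exactly "name=value", else NULL. */
static const char *value_of(const char *entry, const char *name) {
    size_t n = strlen(name);
    return (strncmp(entry, name, n) == 0 && entry[n] == '=') ? entry + n + 1 : NULL;
}

/* Length of the NAME part of an entry (whole string if there is no '='). */
static size_t name_len(const char *entry) {
    const char *eq = strchr(entry, '=');
    return eq ? (size_t)(eq - entry) : strlen(entry);
}

/* Front-to-back scan that stops at the first match. */
const char *lookup_first(char *const envp[], const char *name) {
    for (size_t i = 0; envp[i]; i++) {
        const char *v = value_of(envp[i], name);
        if (v) return v;
    }
    return NULL;
}

/* Scan of the whole block where each later entry overwrites the earlier one,
 * as happens when the block is loaded into a hash keyed by name. */
const char *lookup_last(char *const envp[], const char *name) {
    const char *found = NULL;
    for (size_t i = 0; envp[i]; i++) {
        const char *v = value_of(envp[i], name);
        if (v) found = v;
    }
    return found;
}

/* Compact envp in place, keeping the first entry per name.
 * Returns the number of duplicate entries dropped. */
size_t dedupe_first_wins(char *envp[]) {
    size_t kept = 0, dropped = 0;
    for (size_t i = 0; envp[i]; i++) {
        size_t n = name_len(envp[i]);
        int dup = 0;
        for (size_t j = 0; j < kept && !dup; j++)
            dup = name_len(envp[j]) == n && strncmp(envp[j], envp[i], n) == 0;
        if (dup) dropped++; else envp[kept++] = envp[i];
    }
    envp[kept] = NULL;
    return dropped;
}

int main(void) {
    /* Constructed sample block: X appears twice. */
    char *envp[] = {"X=first", "PATH=/usr/bin", "X=second", NULL};
    printf("first: %s, last: %s\n", lookup_first(envp, "X"), lookup_last(envp, "X"));
    printf("dropped %zu duplicate(s)\n", dedupe_first_wins(envp));
    printf("after dedupe, last: %s\n", lookup_last(envp, "X"));
    return 0;
}
```

A wrapper that launches other programs can run a pass like `dedupe_first_wins` over the block it is about to hand to a child, so that every reader of that block sees the same value for each name.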