CVE-2016-2381: duplicate environment variables

From: Ricardo Signes
Date: March 1, 2016 12:39
Subject: CVE-2016-2381: duplicate environment variables
Message ID: 20160301123906.GA5373@debian

Today, I pushed ae37b791 and matching patches to blead, maint-5.22, and
maint-5.20.  These address a problem that has been assigned CVE-2016-2381.

Prior to this patch, when an environment variable "X" appears multiple times in
envp, perl could return different values for $ENV{"X"} than that provided by
getenv("X").  Further, subprocesses could inherit surprising environment
variables because of this.

This problem was originally reported by Stephane Chazelas.

-- 
rjbs
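
The mismatch described in this message, as an added example that is not part of the original post or of the perl patch: two readers of the same envp disagree when a name appears twice, and dropping the later duplicates before use makes them agree. First-match lookup stands in for a typical getenv() and last-match for a table filled by walking envp in order; both are modelling assumptions, and the function names and sample entries are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Length of the name part of a "NAME=value" entry (whole string if no '='). */
static size_t name_len(const char *entry) {
    const char *eq = strchr(entry, '=');
    return eq ? (size_t)(eq - entry) : strlen(entry);
}

static int same_name(const char *a, const char *b) {
    size_t n = name_len(a);
    return n == name_len(b) && strncmp(a, b, n) == 0;
}

/* Value of `name` by first match (first != 0) or last match (first == 0).
   Returns NULL when the name is absent. */
const char *env_lookup(char *const envp[], const char *name, int first) {
    const char *found = NULL;
    size_t n = strlen(name);
    for (size_t i = 0; envp[i]; i++) {
        if (strncmp(envp[i], name, n) == 0 && envp[i][n] == '=') {
            found = envp[i] + n + 1;
            if (first) break;
        }
    }
    return found;
}

/* Drop every entry whose name already appeared earlier (keep-first policy,
   an assumption of this example). Edits the pointer array in place and
   returns the number of entries removed. */
size_t env_dedupe_keep_first(char *envp[]) {
    size_t out = 0, removed = 0;
    for (size_t i = 0; envp[i]; i++) {
        size_t j = 0;
        while (j < out && !same_name(envp[j], envp[i])) j++;
        if (j < out) removed++;          /* name seen before: skip it */
        else envp[out++] = envp[i];      /* first occurrence: keep it */
    }
    envp[out] = NULL;
    return removed;
}

/* Constructed sample input: "X" appears twice. */
static char *sample_env[] = { "PATH=/usr/bin", "X=first", "HOME=/tmp", "X=second", NULL };

int main(void) {
    printf("first-match X=%s, last-match X=%s\n",
           env_lookup(sample_env, "X", 1), env_lookup(sample_env, "X", 0));
    printf("removed %zu duplicate(s)\n", env_dedupe_keep_first(sample_env));
    return 0;
}
```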