perl.perl5.porters | Postings from December 2017

"Vulnerability" in Perl in the news

Dave Rolsky
December 10, 2017 19:31
I use the word "vulnerability" in quotes, because press releases to the
contrary, I'm not convinced there's anything exploitable here. However,
this is getting reported as a "severe vulnerability" by websites for
reasons I don't understand. No one will be surprised that this was some
conference-driven research with the hype that unfortunately accompanies it.

Anyway, here's a link to the paper -

The one thing listed for Perl is that the ExtUtils::Typemaps::Cmd module's
embeddable_typemap sub will eval anything you pass it in an attempt to load
a module based on the strings it gets.

This would only be a vulnerability if you wrote code that accepted
arbitrary user input and passed it to that sub. But it's hard to imagine a
case where that would happen.

So I'd consider this a theoretical vulnerability at best. That said,
patching this module to do some basic validation of the passed strings
isn't a terrible idea.
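The pattern the post describes (a caller-supplied string interpolated into a string eval so Perl will load a module by name) next to the "basic validation" it suggests, as an added illustration. This is not the post's code and not ExtUtils::Typemaps::Cmd's own code; the two helper names, the package-name regex and the constructed hostile input are assumptions made for the demonstration.

```perl
#!/usr/bin/env perl
# Added illustration only; not the code of ExtUtils::Typemaps::Cmd.
use strict;
use warnings;

# The risky pattern as described in the post: the string becomes Perl
# source, so anything that parses after the module name also runs.
# (Hypothetical helper name; not the module's own sub.)
sub load_by_string_eval {
    my ($name) = @_;
    my $ok = eval "require $name; 1";
    return $ok ? "loaded $name" : "failed: $@";
}

# The same loading step with basic validation of the string: accept only
# a syntactically valid package name, then require the corresponding file
# without ever building source code from caller input.
# (Hypothetical helper name; the regex is an assumption.)
sub load_by_checked_require {
    my ($name) = @_;
    die "invalid module name: '$name'\n"
        unless $name =~ /\A[A-Za-z_]\w*(?:::[A-Za-z_]\w*)*\z/;
    (my $file = "$name.pm") =~ s{::}{/}g;   # Foo::Bar -> Foo/Bar.pm, as require does
    my $ok = eval { require $file; 1 };     # block eval: $name is never compiled as code
    return $ok ? "loaded $name" : "failed: $@";
}

# Constructed input: a module that always loads, followed by an injected
# statement that the string eval will execute after the require succeeds.
my $hostile = 'strict; warn "injected code ran\n"';

print load_by_string_eval($hostile), "\n";     # the warn inside $hostile fires

my $r = eval { load_by_checked_require($hostile) };
$r //= "rejected: $@";
print $r;                                      # rejected before any code runs

print load_by_checked_require('strict'), "\n"; # a well-formed name still loads
```

The check is deliberately narrow: it says nothing about whether the named module is one the caller should be allowed to load, only that the string cannot carry anything other than a package name into the loader. A stricter version would compare the name against a fixed list of permitted typemap modules rather than a syntactic pattern.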

