develooper Front page | perl.perl5.porters | Postings from December 2017

"Vulnerability" in Perl in the news

From:
Dave Rolsky
Date:
December 10, 2017 19:31
Subject:
"Vulnerability" in Perl in the news
Message ID:
CAHKw1M+jpWdZ_dq1bxhk5yoZ4zpxgdT6y4yV-Z2gp0q0chz31g@mail.gmail.com
I use the word "vulnerability" in quotes, because press releases to the
contrary, I'm not convinced there's anything exploitable here. However,
this is getting reported as a "severe vulnerability" by websites for
reasons I don't understand. No one will be surprised that this was some
conference-driven research with the hype that unfortunately accompanies it.

Anyway, here's a link to the paper -
https://www.blackhat.com/docs/eu-17/materials/eu-17-Arnaboldi-Exposing-Hidden-Exploitable-Behaviors-In-Programming-Languages-Using-Differential-Fuzzing-wp.pdf

The one thing listed for Perl is that the ExtUtils::Typemaps::Cmd module's
embeddable_typemap sub will eval anything you pass it in an attempt to load
a module based on the strings it gets.

This would only be a vulnerability if you wrote code that accepted
arbitrary user input and passed it to that sub. But it's hard to imagine a
case where that would happen.

So I'd consider this a theoretical vulnerability at best. That said,
patching this module to do some basic validation of the passed strings
isn't a terrible idea.


Cheers,

Dave Rolsky
http://blog.urth.org
https://github.com/autarch



nntp.perl.org: Perl Programming lists via nntp and http.
Comments to Ask Bjørn Hansen at ask@perl.org | Group listing | About