Front page | perl.perl5.porters |
Postings from December 2017
I use the word "vulnerability" in quotes, because press releases to the contrary, I'm not convinced there's anything exploitable here. However, this is getting reported as a "severe vulnerability" by websites for reasons I don't understand. No one will be surprised that this was some conference-driven research with the hype that unfortunately accompanies it. Anyway, here's a link to the paper - https://www.blackhat.com/docs/eu-17/materials/eu-17-Arnaboldi-Exposing-Hidden-Exploitable-Behaviors-In-Programming-Languages-Using-Differential-Fuzzing-wp.pdf The one thing listed for Perl is that the ExtUtils::Typemaps::Cmd module's embeddable_typemap sub will eval anything you pass it in an attempt to load a module based on the strings it gets. This would only be a vulnerability if you wrote code that accepted arbitrary user input and passed it to that sub. But it's hard to imagine a case where that would happen. So I'd consider this a theoretical vulnerability at best. That said, patching this module to do some basic validation of the passed strings isn't a terrible idea. Cheers, Dave Rolsky http://blog.urth.org https://github.com/autarch