
Re: Bug#776270: perl: CVE-2012-3878 module loading security weakness

From: Salvatore Bonaccorso
Date: January 31, 2018 09:11
Subject: Re: Bug#776270: perl: CVE-2012-3878 module loading security weakness
Message ID: 20180131091057.GA10219@lorien.valinor.li
On Sat, Apr 11, 2015 at 04:08:57PM +0100, Dominic Hargreaves wrote:
> Control: tags -1 -security
> Control: found -1 5.20.2-3
> 
> On Mon, Jan 26, 2015 at 12:20:40PM +0200, Niko Tyni wrote:
> > On Mon, Jan 26, 2015 at 09:25:33AM +0200, Niko Tyni wrote:
> > > On Sun, Jan 25, 2015 at 11:00:27PM -0500, Michael Gilbert wrote:
> > > > package: src:perl
> > > > severity: normal
> > > > tags: security
> > > > 
> > > > Hi,
> > > > 
> > > > There was a CVE assigned to this issue a while ago with strangely
> > > > enough no real details.  The only non-boilerplate information about it
> > > > is at osvdb, but they don't provide any details that could be used to
> > > > fix the issue:
> > > > http://osvdb.org/show/osvdb/106565
> > > 
> > > By that description this seems to be a dup of #588017 
> > > ("current directory in @INC potentially harmful")?
> > 
> > Apparently not, but rather the fact that
> >  perl -e 'require ::foo'
> > will try to load /foo.pm .
> > 
> > Florian Weimer has just asked for CVE-2012-3878 to be rejected
> > as upstream decided it's not a vulnerability.
> > 
> >  http://www.openwall.com/lists/oss-security/2015/01/26/3
> >  http://www.nntp.perl.org/group/perl.perl5.porters/2012/07/msg189909.html
> 
> Indeed; unsetting the security tag accordingly. I note that this issue,
> if it is an issue, is still unresolved (the smoke-me/require branch
> still exists unmerged).
> 
> I can't see any upstream bug about this; should there be or do people
> think it's a complete non-bug?

For the record: the CVE has been REJECTED.

Regards,
Salvatore
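The `require ::foo` behaviour quoted in the thread, as an added illustration that is not part of the thread or of perl's own code: it mirrors require's bareword-to-filename rule to show why a name beginning with `::` resolves to an absolute path that never consults `@INC`, and pairs it with a hypothetical `safe_module_name` guard for code that builds module names from outside input.

```perl
#!/usr/bin/perl
# Added illustration (not from this thread): how require() turns a bareword
# module name into a file name, and why a leading "::" yields an absolute path.
use strict;
use warnings;

# Mirror of the bareword rule: "Foo::Bar" -> "Foo/Bar.pm".
# A leading "::" therefore becomes a leading "/", i.e. "::foo" -> "/foo.pm",
# and perl does not search @INC for file names that start with "/".
sub module_to_file {
    my ($name) = @_;
    (my $file = $name) =~ s{::}{/}g;
    return "$file.pm";
}

# Hypothetical guard (assumption, not a perl API): accept only well-formed
# package names before a string derived from input reaches require().
sub safe_module_name {
    my ($name) = @_;
    return $name =~ /\A[A-Za-z_]\w*(?:::\w+)*\z/ ? 1 : 0;
}

for my $name ('Data::Dumper', '::foo') {
    my $file = module_to_file($name);
    my $verdict = safe_module_name($name) ? 'well-formed, searched in @INC'
                : $file =~ m{\A/}          ? 'absolute path, @INC bypassed'
                :                            'rejected';
    printf "%-14s -> %-16s %s\n", $name, $file, $verdict;
}
```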
