Front page | perl.perl5.porters |
Postings from March 2021
On Mon, Mar 1, 2021 at 8:45 AM Amir Naseredini <S.Naseredini@sussex.ac.uk> wrote: > Hello, > I hope you are safe and well. > > We want to responsibility disclose to you that in the process of > evaluating your product against Spectre attacks during our recent work, our > group was able to exploit a program interpreted with perl v5.30.0 and > extract secret data from it. > > Spectre exploits the mismatch between architectural and microarchitectural > states by mistraining branch predictors, so victim code (called gadget) > executes a mispredicted branch and then rolls back the architectural state. > in our attack written in C, the victim was written in Perl and compiled > with perl v5.30.0. > > We show in our work, that it is possible to develop Spectre attacks that > exploit the vulnerability in the program interpreted with perl v5.30.0. In > addition, we were not able to find any active mitigations in your product. > > Please feel free to contact us should you have any further questions or > concerns. We would also be happy to share the paper with you confidentially. > > Hello, Please see https://perldoc.perl.org/perlsecpolicy#REPORTING-SECURITY-ISSUES-IN-PERL for how to confidentially report details of security issues. Thanks for your effort. -DanThread Previous