perl.perl5.porters | Postings from March 2021

Re: Disclosing a Security Vulnerability in perl v5.30.0

Dan Book
March 1, 2021 16:36
On Mon, Mar 1, 2021 at 8:45 AM Amir Naseredini wrote:

> Hello,
> I hope you are safe and well.
> We want to responsibly disclose to you that in the process of
> evaluating your product against Spectre attacks during our recent work, our
> group was able to exploit a program interpreted with perl v5.30.0 and
> extract secret data from it.
> Spectre exploits the mismatch between architectural and microarchitectural
> states by mistraining branch predictors, so victim code (called a gadget)
> executes a mispredicted branch and then rolls back the architectural state.
> In our attack written in C, the victim was written in Perl and compiled
> with perl v5.30.0.
> We show in our work that it is possible to develop Spectre attacks that
> exploit the vulnerability in the program interpreted with perl v5.30.0. In
> addition, we were not able to find any active mitigations in your product.
> Please feel free to contact us should you have any further questions or
> concerns. We would also be happy to share the paper with you confidentially.

Please see
for how to confidentially report details of security issues. Thanks for
your effort.

