Bug#588017: perl: current directory in @INC potentially harmful
Ansgar Burchardt
ansgar at 2008.43-1.org
Sun Jul 4 05:16:20 UTC 2010
Package: perl
Version: 5.10.1-13
Severity: grave
Tags: security
Hi,
perl includes the current directory as the last element in @INC when not
running in taint mode (-T). As many modules try to load other modules
that may or may not be installed, this can result in code execution.
Example:
libtext-csv-perl is installed, libtext-csv-xs-perl is not installed.
When running "perl -mText::CSV" (or running any program using Text::CSV)
the file ./Text/CSV_XS.pm is loaded and the contained code executed.
Other examples include libjson-perl recommending libjson-xs-perl and
libyaml-perl recommending libyaml-syck-perl.
Regards,
Ansgar
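A small check-and-mitigation script, added here as an example and not part of the bug report: it lists relative entries in @INC (the trailing "." described above), reports whether an optional module such as Text::CSV_XS would be resolved from the current directory without loading it, and then strips those entries before any `use`/`require` can consult the cwd. The module name and helper names are assumptions for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Outside taint mode (-T) the last @INC element is ".", so an optional
# "require Text::CSV_XS" inside Text::CSV falls through to ./Text/CSV_XS.pm.

# Check: return every @INC entry that is not an absolute path.
sub relative_inc_entries {
    my @inc = @_ ? @_ : @INC;
    return grep { $_ !~ m{\A/} } @inc;
}

# Audit: where would $module be loaded from, searching the given dirs
# (or @INC)?  Uses a file test only; the module is never executed.
sub locate_module {
    my ($module, @dirs) = @_;
    (my $rel = "$module.pm") =~ s{::}{/}g;
    for my $dir (@dirs ? @dirs : @INC) {
        my $path = "$dir/$rel";
        return $path if -f $path;
    }
    return;    # not found
}

# Mitigation: keep only absolute directories, so require never hits the cwd.
sub harden_inc {
    @INC = grep { m{\A/} } @INC;
    return scalar @INC;
}

my @bad = relative_inc_entries();
if (@bad) {
    warn "relative entries in \@INC: @bad\n";
    # Hypothetical module name from the report; any optional XS backend works.
    if ( my $path = locate_module( 'Text::CSV_XS', @bad ) ) {
        warn "Text::CSV_XS would be loaded from the current directory: $path\n";
    }
}
harden_inc();
print "\@INC after hardening: @INC\n";
```

Running the script with `perl -T` shows the taint-mode behaviour the report mentions, where "." is already absent; perl 5.26 and later also omit "." from @INC by default.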