Bug#588017: perl: current directory in @INC potentially harmful

Eugene V. Lyubimkin jackyf at debian.org
Sun Jul 4 17:34:35 UTC 2010


package perl
severity 588017 normal
thanks

Hi Ansgar,

Ansgar Burchardt wrote:
> perl includes the current directory as the last element in @INC when not
> running in taint mode (-T).  As many modules try to load other modules
> that may or may not be installed, this can result in code execution.
First, I don't believe this is a bug at all. I have even used it as a feature for debugging
some code. It's not about running arbitrary code - it's about using
code from a directory that the user (or administrator) has write access to
and therefore directly or indirectly moved the code to that place.

I set the severity of the bug to 'normal' for now; I leave the final word to
Niko Tyni and/or the security team.

-- 
Eugene V. Lyubimkin aka JackYF, JID: jackyf.devel(maildog)gmail.com
C++/Perl developer, Debian Developer
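The mechanism under discussion, as an added example that is not part of the bug report or the Debian perl package: a script that checks whether "." is on @INC, strips it before any optional-module probing, and then runs the kind of `eval { require ... }` probe the report describes, so that a missing module can only be satisfied by an installed one. The module name Some::Optional::Module is an assumed placeholder.

```perl
#!/usr/bin/perl
# Added example, not code from the bug report: detect and remove the
# current directory from @INC so an optional-module probe cannot load
# a file from whatever directory the script happens to be run in.
use strict;
use warnings;

# Returns the number of @INC entries that name the current directory.
# Perl (without -T) appends "." as the last element; some environments
# also end up with an empty string, which behaves the same way.
sub inc_has_cwd {
    return scalar grep { $_ eq '.' || $_ eq '' } @INC;
}

# Drop those entries in place. Do this before any require/use of
# optional modules, i.e. at the very top of the program.
sub strip_cwd_from_inc {
    @INC = grep { $_ ne '.' && $_ ne '' } @INC;
    return inc_has_cwd() == 0;
}

# Typical optional-dependency probe found in many modules: it is the
# failing case of this probe that "." on @INC turns into a successful
# load from the working directory.
sub optional_module_available {
    my ($module) = @_;
    (my $file = "$module.pm") =~ s{::}{/}g;   # Foo::Bar -> Foo/Bar.pm
    return eval { require $file; 1 } ? 1 : 0;
}

print "Before: current directory on \@INC? ",
      (inc_has_cwd() ? "yes" : "no"), "\n";
strip_cwd_from_inc();
print "After:  current directory on \@INC? ",
      (inc_has_cwd() ? "yes" : "no"), "\n";

# Assumed placeholder name; with "." gone this can only succeed if the
# module is actually installed somewhere on the remaining @INC paths.
print "Some::Optional::Module available? ",
      (optional_module_available('Some::Optional::Module') ? "yes" : "no"),
      "\n";
```

Running under taint mode (`perl -T`), as the report notes, omits "." from @INC in the first place, so the "Before" line then already reports "no".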
