Bug#582978: perl: safe.pm code injection vulnerability

Niko Tyni ntyni at debian.org
Tue May 25 19:53:56 UTC 2010


forcemerge 582978 582806
thanks

On Mon, May 24, 2010 at 08:36:39PM -0400, Michael Gilbert wrote:
> Package: perl
> Version: 5.10.1-12
> Severity: serious
> Tags: security

I'm not totally convinced about the severity but let's leave it at
'serious' for now.
 
> The following CVE (Common Vulnerabilities & Exposures) id was
> published for perl.
> 
> CVE-2010-1974[0]:
> | Multiple unspecified vulnerabilities in the Safe (aka Safe.pm) module
> | before 2.25 for Perl allow context-dependent attackers to inject and
> | execute arbitrary code via vectors related to "automagic methods."
> | NOTE: this might overlap CVE-2010-1169 or CVE-2010-1447.

> The current version of perl in unstable has safe.pm 2.18, so that just
> needs to be updated to version 2.25.

If this is indeed considered 'serious', we need targeted fixes for a
stable update as well. I'm rather concerned about possible regressions.

I'm currently trying to come up with some test cases so that I could
understand the risks better. Help would be welcome. I wasn't particularly
well acquainted with Safe before this.

Upstream is now at 2.27, which has further related changes and was also
bundled with Perl 5.12.1. However, it causes regressions in (at least)
libpetal-perl (#582805) and libtext-micromason-perl (#582892). These
two regressions don't happen with 2.25. 

PostgreSQL has in the past used Safe.pm for its PL/perl extension, but
recently moved away from it, apparently due to CVE-2010-1169. Quoting
HISTORY in postgresql-8.4 (8.4.4-1):

 Recent developments have convinced us that "Safe.pm" is too insecure
 to rely on for making plperl trustable.

FWIW, there seems to be a general agreement that Safe.pm is a "failed
experiment".

 http://www.nntp.perl.org/group/perl.perl5.porters/2010/03/msg158034.html
 http://www.nntp.perl.org/group/perl.perl5.porters/2010/04/msg159471.html

-- 
Niko Tyni   ntyni at debian.org
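A minimal Safe.pm harness that could serve as a starting point for the test cases the message asks for. This is an added example, not code from the message or from the Debian perl package; the comment about code references is taken from Safe's own changelog for 2.25 (the wrap_code_ref change), which the message does not discuss, and the "true" command used in the system() probe is an arbitrary choice.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Safe;

# Build a compartment with the default (restrictive) operator mask.
my $cpt = Safe->new;

# Plain arithmetic is within the :default opset, so this evaluates.
my $sum = $cpt->reval('1 + 2');
print "reval('1 + 2') = $sum\n";

# system() belongs to the :subprocess opset, which :default does not
# include, so reval returns undef and $@ reports the trapped opcode.
my $res = $cpt->reval('system("true")');
print "system() inside compartment: ",
      defined $res ? "ran\n" : "trapped: $@";

# Code references handed back by the compartment are the interesting
# case: before Safe 2.25 a returned sub ran with the caller's opmask
# when invoked outside reval(); 2.25 wraps such refs so they keep the
# compartment's mask. The installed version tells you which you have.
my $ref = $cpt->reval('sub { 1 + 1 }');
printf "Safe version %s; returned value is a %s\n",
       Safe->VERSION, ref($ref) || 'non-reference';
```

Run it against the stock 2.18 and against a 2.25 backport and compare the version line; the system() probe should be trapped in both, which is why the opmask alone says little about the CVE and the returned-reference path is where the targeted tests need to go.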
