Bug#582978: perl: safe.pm code injection vulnerability

Niko Tyni ntyni at debian.org
Fri May 28 09:26:35 UTC 2010


On Tue, May 25, 2010 at 10:53:56PM +0300, Niko Tyni wrote:
> > CVE-2010-1974[0]:
> > | Multiple unspecified vulnerabilities in the Safe (aka Safe.pm) module
> > | before 2.25 for Perl allow context-dependent attackers to inject and
> > | execute arbitrary code via vectors related to "automagic methods."
> > | NOTE: this might overlap CVE-2010-1169 or CVE-2010-1447.
> 
> > The current version of perl in unstable has safe.pm 2.18, so that just
> > needs to be updated to version 2.25.
> 
> If this is indeed considered 'serious', we need targeted fixes for a
> stable update as well. I'm rather concerned about possible regressions.
> 
> I'm currently trying to come up with some test cases so that I could
> understand the risks better. Help would be welcome. I wasn't particularly
> well acquainted with Safe before this.

While I haven't had the time for this (and won't have before the next
week), I think the right thing to do here is indeed to update the sid
version to 2.25 (but not 2.27, which is a more intrusive change) as
upstream clearly recommends that in

 http://blogs.perl.org/users/rafael_garcia-suarez/2010/03/new-safepm-fixes-security-hole.html

I'm still a bit worried about regressions, so I'm not going to do this
in a separate urgency-bumped upload, but rather include it with other
accumulated bug fixes.

I'm deliberately ignoring stable for the moment until I find the time
to delve into this properly.
-- 
Niko Tyni   ntyni at debian.org