Bug#776270: perl: CVE-2012-3878 module loading security weakness

Niko Tyni ntyni at debian.org
Mon Jan 26 10:20:40 UTC 2015


On Mon, Jan 26, 2015 at 09:25:33AM +0200, Niko Tyni wrote:
> On Sun, Jan 25, 2015 at 11:00:27PM -0500, Michael Gilbert wrote:
> > package: src:perl
> > severity: normal
> > tags: security
> > 
> > Hi,
> > 
> > There was a CVE assigned to this issue a while ago with strangely
> > enough no real details.  The only non-boilerplate information about it
> > is at osvdb, but they don't provide any details that could be used to
> > fix the issue:
> > http://osvdb.org/show/osvdb/106565
> 
> By that description this seems to be a dup of #588017 
> ("current directory in @INC potentially harmful")?

Apparently not, but rather the fact that
 perl -e 'require ::foo'
will try to load /foo.pm .

Florian Weimer has just asked for CVE-2012-3878 to be rejected
as upstream decided it's not a vulnerability.

 http://www.openwall.com/lists/oss-security/2015/01/26/3
 http://www.nntp.perl.org/group/perl.perl5.porters/2012/07/msg189909.html

-- 
Niko Tyni   ntyni at debian.org
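The resolution Niko describes (a bareword `require ::foo` ending up as the absolute path `/foo.pm`, outside any @INC search) follows from Perl's documented bareword-to-filename mapping: `::` becomes `/` and `.pm` is appended. The following is an added example, not code from the bug thread or from the perl project, that reproduces that mapping and shows the check a practitioner would put in front of `require` when the module name comes from untrusted input. The name pattern it enforces (identifier components joined by `::`, no leading separator) is one reasonable policy assumed here, not something the thread prescribes:

```perl
#!/usr/bin/perl
# Added example (not part of the Debian bug thread): how Perl maps a bareword
# module name to a file, why "::foo" becomes "/foo.pm", and how to validate
# a module name before handing it to require.
use strict;
use warnings;

# Reproduce perl's bareword mapping: "::" -> "/", then ".pm" is appended
# (perldoc -f require). A leading "::" therefore yields an absolute path,
# and absolute paths are loaded directly rather than searched via @INC.
sub module_to_file {
    my ($name) = @_;
    (my $file = $name) =~ s{::}{/}g;
    return "$file.pm";
}

# Assumed policy for names from untrusted input (plugin names, config values):
# every component must be an identifier, components joined by "::", no leading
# or trailing separator. This rejects "::foo", "/etc/passwd", "Foo::../Bar".
sub is_safe_module_name {
    my ($name) = @_;
    return $name =~ /\A[A-Za-z_]\w*(?:::[A-Za-z_]\w*)*\z/ ? 1 : 0;
}

# Validate first, then require the mapped relative path so @INC is honoured.
# Returns 1 on success, 0 if the module exists but fails to load, dies on a
# name that fails validation.
sub load_module_safely {
    my ($name) = @_;
    die "refusing to load suspicious module name '$name'\n"
        unless is_safe_module_name($name);
    my $file = module_to_file($name);
    local $@;
    return eval { require $file; 1 } ? 1 : 0;
}

# Constructed inputs: one legitimate name and three that a naive
# "s/::/\//g; require" would turn into file system paths.
for my $name ('Foo::Bar', '::foo', '/etc/passwd', 'Foo::../Bar') {
    printf "%-14s -> %-18s %s\n", $name, module_to_file($name),
        is_safe_module_name($name) ? 'accepted' : 'REJECTED';
}

# A core module loads through the normal @INC search ...
print "strict: ", load_module_safely('strict') ? "loaded\n" : "failed\n";

# ... while the thread's case is refused before require ever runs.
eval { load_module_safely('::foo') };
print "::foo: $@" if $@;
```

Run it with `perl example.pl`. The point to take away is that the mapping itself is not the bug; the hazard only arises when an application passes an attacker-influenced string into `require`, and the fix belongs in the application's validation, which is consistent with upstream treating the CVE as not a perl vulnerability.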