forcemerge 582978 582806
On Mon, May 24, 2010 at 08:36:39PM -0400, Michael Gilbert wrote:
> Package: perl
> Version: 5.10.1-12
> Severity: serious
> Tags: security
I'm not totally convinced about the severity but let's leave it at
'serious' for now.
> The following CVE (Common Vulnerabilities & Exposures) id was
> published for perl.
> | Multiple unspecified vulnerabilities in the Safe (aka Safe.pm) module
> | before 2.25 for Perl allow context-dependent attackers to inject and
> | execute arbitrary code via vectors related to "automagic methods."
> | NOTE: this might overlap CVE-2010-1169 or CVE-2010-1447.
> The current version of perl in unstable has safe.pm 2.18, so that just
> needs to be updated to version 2.25.
If this is indeed considered 'serious', we need targeted fixes for a
stable update as well. I'm rather concerned about possible regressions.
I'm currently trying to come up with some test cases so that I could
understand the risks better. Help would be welcome. I wasn't particularly
well acquaintanced with Safe before this.
Upstream is now at 2.27, which has further related changes and was also
bundled with Perl 5.12.1. However, it causes regressions in (at least)
libpetal-perl (#582805) and libtext-micromason-perl (#582892). These
two regressions don't happen with 2.25.
PostgreSQL has in the past used Safe.pm for its PL/perl extension, but
recently moved away from it, apparently due to CVE-2010-1169. Quoting
HISTORY in postgresql-8.4 (8.4.4-1):
Recent developments have convinced us that "Safe.pm" is too insecure
to rely on for making plperl trustable.
FWIW, there seems to be a general agreement that Safe.pm is a "failed
Niko Tyni nt...@debian.org
To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org