Bug#582978: perl: safe.pm code injection vulnerability
On Tue, May 25, 2010 at 10:53:56PM +0300, Niko Tyni wrote:

> > CVE-2010-1974[0]:
> > | Multiple unspecified vulnerabilities in the Safe (aka Safe.pm) module
> > | before 2.25 for Perl allow context-dependent attackers to inject and
> > | execute arbitrary code via vectors related to automagic methods.
> > | NOTE: this might overlap CVE-2010-1169 or CVE-2010-1447.
> >
> > The current version of perl in unstable has safe.pm 2.18, so that just
> > needs to be updated to version 2.25.
>
> If this is indeed considered 'serious', we need targeted fixes for a
> stable update as well. I'm rather concerned about possible regressions.
>
> I'm currently trying to come up with some test cases so that I could
> understand the risks better. Help would be welcome. I wasn't
> particularly well acquainted with Safe before this.

While I haven't had the time for this (and won't have before the next week), I think the right thing to do here is indeed to update the sid version to 2.25 (but not 2.27, which is a more intrusive change), as upstream clearly recommends that in
http://blogs.perl.org/users/rafael_garcia-suarez/2010/03/new-safepm-fixes-security-hole.html

I'm still a bit worried about regressions, so I'm not going to do this in a separate urgency-bumped upload, but rather include it with other accumulated bug fixes.

I'm deliberately ignoring stable for the moment until I find the time to delve into this properly.

--
Niko Tyni nt...@debian.org

--
To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Bug#582978: perl: safe.pm code injection vulnerability
forcemerge 582978 582806
thanks

On Mon, May 24, 2010 at 08:36:39PM -0400, Michael Gilbert wrote:

> Package: perl
> Version: 5.10.1-12
> Severity: serious
> Tags: security

I'm not totally convinced about the severity, but let's leave it at 'serious' for now.

> The following CVE (Common Vulnerabilities and Exposures) id was
> published for perl.
>
> CVE-2010-1974[0]:
> | Multiple unspecified vulnerabilities in the Safe (aka Safe.pm) module
> | before 2.25 for Perl allow context-dependent attackers to inject and
> | execute arbitrary code via vectors related to automagic methods.
> | NOTE: this might overlap CVE-2010-1169 or CVE-2010-1447.
>
> The current version of perl in unstable has safe.pm 2.18, so that just
> needs to be updated to version 2.25.

If this is indeed considered 'serious', we need targeted fixes for a stable update as well. I'm rather concerned about possible regressions.

I'm currently trying to come up with some test cases so that I could understand the risks better. Help would be welcome. I wasn't particularly well acquainted with Safe before this.

Upstream is now at 2.27, which has further related changes and was also bundled with Perl 5.12.1. However, it causes regressions in (at least) libpetal-perl (#582805) and libtext-micromason-perl (#582892). These two regressions don't happen with 2.25.

PostgreSQL has in the past used Safe.pm for its PL/perl extension, but recently moved away from it, apparently due to CVE-2010-1169. Quoting HISTORY in postgresql-8.4 (8.4.4-1):

  Recent developments have convinced us that Safe.pm is too insecure to
  rely on for making plperl trustable.

FWIW, there seems to be a general agreement that Safe.pm is a failed experiment.
http://www.nntp.perl.org/group/perl.perl5.porters/2010/03/msg158034.html
http://www.nntp.perl.org/group/perl.perl5.porters/2010/04/msg159471.html

--
Niko Tyni nt...@debian.org
Processed: Re: Bug#582978: perl: safe.pm code injection vulnerability
Processing commands for cont...@bugs.debian.org:

> forcemerge 582978 582806
Bug#582978: perl: safe.pm code injection vulnerability
Bug#582806: perl: CVE-2010-1974: multiple unspecified vulnerabilities in Safe
Forcibly Merged 582806 582978.
> thanks
Stopping processing here.

Please contact me if you need assistance.

--
582806: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=582806
582978: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=582978
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
Bug#582978: perl: safe.pm code injection vulnerability
Package: perl
Version: 5.10.1-12
Severity: serious
Tags: security

Hi,

The following CVE (Common Vulnerabilities and Exposures) id was published for perl.

CVE-2010-1974[0]:
| Multiple unspecified vulnerabilities in the Safe (aka Safe.pm) module
| before 2.25 for Perl allow context-dependent attackers to inject and
| execute arbitrary code via vectors related to automagic methods.
| NOTE: this might overlap CVE-2010-1169 or CVE-2010-1447.

The current version of perl in unstable has safe.pm 2.18, so that just needs to be updated to version 2.25.

If you fix the vulnerability please also make sure to include the CVE id in your changelog entry.

For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1974
    http://security-tracker.debian.org/tracker/CVE-2010-1974
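As an added example (not part of the bug thread and not Debian's perl packaging), a small POSIX shell check for the threshold the CVE text names: it compares a Safe.pm version string against 2.25 and, when a perl is on PATH, reports whether the Safe.pm that perl actually loads is older than that. The 2.25 threshold is taken from the CVE description above; the function names and the sample version strings are my own.

```shell
# Added example, not from the Debian bug thread.
# Threshold from the CVE-2010-1974 text: Safe.pm "before 2.25" is affected.
SAFE_FIXED_VERSION="2.25"

# Compare two two-part Perl module versions (e.g. 2.18, 2.25, 2.29_01)
# numerically and print "lt", "eq" or "gt" for $1 relative to $2.
# The underscore of a developer release is dropped so 2.29_01 sorts after
# 2.29. Three-part versions are not handled; Safe.pm does not use them.
vercmp() {
    a=$(printf '%s' "$1" | tr -d '_')
    b=$(printf '%s' "$2" | tr -d '_')
    awk -v a="$a" -v b="$b" 'BEGIN {
        if (a + 0 < b + 0) print "lt";
        else if (a + 0 > b + 0) print "gt";
        else print "eq";
    }'
}

# True (exit 0) when the given Safe.pm version is strictly older than the
# fixed version, i.e. inside the range the CVE describes.
safe_is_vulnerable() {
    [ "$(vercmp "$1" "$SAFE_FIXED_VERSION")" = "lt" ]
}

# Print the version of the Safe.pm that the perl on PATH loads.
# Fails (prints nothing) if perl is missing or Safe cannot be loaded.
installed_safe_version() {
    command -v perl >/dev/null 2>&1 || return 1
    perl -MSafe -e 'print $Safe::VERSION' 2>/dev/null
}

# Report the host's status. Exit 0 = at or above threshold,
# 1 = affected version range, 2 = could not determine.
check_host() {
    v=$(installed_safe_version) || { echo "perl or Safe.pm not found"; return 2; }
    if safe_is_vulnerable "$v"; then
        echo "Safe.pm $v is older than $SAFE_FIXED_VERSION (CVE-2010-1974 range)"
        return 1
    fi
    echo "Safe.pm $v is at or above $SAFE_FIXED_VERSION"
    return 0
}

# Stand-alone usage: `check_host` (the trailing `|| true` keeps a vulnerable
# or undeterminable result from aborting a script run under `set -e`).
check_host || true
```

Two caveats a practitioner should keep in mind: a version number alone only tells you that the installed Safe.pm is inside the range the CVE names, not whether a distribution has backported the fix without bumping `$Safe::VERSION`, so treat "older than 2.25" as "needs investigation" rather than proof; and, as the thread itself notes, 2.27 fixes more but also regressed at least two packages, so the version you upgrade to deserves the same test-case work Niko describes.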