Moritz Muehlenhoff wrote:
> Package: sudo
> Severity: important
> Tags: security
>
> Quoting from http://www.sudo.ws/sudo/alerts/perl_env.html :
> | The PERL5LIB and PERLLIB environment variables can be used to provide a
> list of
> | directories in which to look for perl library files before the system
> directories are
> | searched. It is similar in concept to the LD_LIBRARY_PATH environment
> variables, only for
> | perl. These variables are ignored if "tainting" is enabled (via the -T
> switch). The
> | PERL5OPT environment variable specifies additional command line options to
> be passed to
> | the script which may modify its behavior.
> |
> | Malicious users with sudo access to run a perl script can use these
> variables to include
> | and execute their own library file with the same name as a system library
> file that is
> | included (via the "use" or "require" directives) by the perl script run via
> sudo.
>
> It's been fixed upstream in 1.6.8p12.
This is true, but it becomes rediculous.
Maintaining a blacklist of environment variables it not a proper approach.
For Perl the above variables are dangerous.
For Python it's PYTHONPATH.
For TeX it's TEXINPUTS.
For Ruby it is...
For....
This list only ends after all languages were checked, and then starts
from the beginning, since probably new possibilities have been created
in the meantime.
Regards,
Joey
--
If nothing changes, everything will remain the same. -- Barne's Law
Please always Cc to me when replying to me on the lists.
--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
