forcemerge 582978 582806

On Mon, May 24, 2010 at 08:36:39PM -0400, Michael Gilbert wrote:
> Package: perl
> Version: 5.10.1-12
> Severity: serious
> Tags: security

I'm not totally convinced about the severity but let's leave it at
'serious' for now.

> The following CVE (Common Vulnerabilities & Exposures) id was
> published for perl.
> CVE-2010-1974[0]:
> | Multiple unspecified vulnerabilities in the Safe (aka module
> | before 2.25 for Perl allow context-dependent attackers to inject and
> | execute arbitrary code via vectors related to "automagic methods."
> | NOTE: this might overlap CVE-2010-1169 or CVE-2010-1447.

> The current version of perl in unstable has 2.18, so that just
> needs to be updated to version 2.25.

If this is indeed considered 'serious', we need targeted fixes for a
stable update as well. I'm rather concerned about possible regressions.

I'm currently trying to come up with some test cases so that I could
understand the risks better. Help would be welcome. I wasn't particularly
well acquainted with Safe before this.

Upstream is now at 2.27, which has further related changes and was also
bundled with Perl 5.12.1. However, it causes regressions in (at least)
libpetal-perl (#582805) and libtext-micromason-perl (#582892). These
two regressions don't happen with 2.25. 

PostgreSQL has in the past used for its PL/perl extension, but
recently moved away from it, apparently due to CVE-2010-1169. Quoting
HISTORY in postgresql-8.4 (8.4.4-1):

 Recent developments have convinced us that "" is too insecure
 to rely on for making plperl trustable.

FWIW, there seems to be a general agreement that is a "failed

Niko Tyni
