Niko Tyni wrote:
> Package: perl
> Version: 5.10.1-12
> Severity: important
> Tags: security
> X-Debbugs-Cc: [email protected]
>
> Quoting http://security-tracker.debian.org/tracker/CVE-2010-1974 :
>
> Multiple unspecified vulnerabilities in the Safe (aka Safe.pm) module
> before 2.25 for Perl allow context-dependent attackers to inject and
> execute arbitrary code via vectors related to "automagic methods." NOTE:
> this might overlap CVE-2010-1169 or CVE-2010-1447.
>
> The best description I'm aware of is at
>
>
> http://blogs.perl.org/users/rafael_garcia-suarez/2010/03/new-safepm-fixes-security-hole.html
>
> I expect lenny is affected just as much as sid/squeeze. Not sure if we
> need a DSA. Setting the severity to 'important' for now.
>
> Please note that there's potential for regression: Safe-2.27 breaks at
> least libpetal-perl, see #582805.
>
> Security team, I'd love some help with this.
Would anyone use Safe to run potentially harmful code in a sandbox-like
environment? If it's more or less a debugging/testing feature, we don't
need to update it through a DSA, especially if it causes regressions.
Cheers,
Moritz
--
To UNSUBSCRIBE, email to [email protected]
with a subject of "unsubscribe". Trouble? Contact [email protected]
