Hello,

Yes, it is true. But follow the code further. In the eval() is a read(), from a file handle to a .ttf file.
It reads the first 12 bytes of a ttf font file, and then evaluates it as a perl code block!

I found the current mail address of the author, Cc: is going to him now.

Bye,
Akos

-----Original Message-----
From: Matt S Trout [mailto:m...@shadowcat.co.uk]
Sent: Wednesday, 11 April 2012 16:47
To: Horvath, Akos
Cc: 'modu...@cpan.org'
Subject: Re: warning: sechole, possibly trojan in Font::TTFMetrics

On Tue, Apr 10, 2012 at 04:52:16PM +0200, Horvath, Akos wrote:
> Hello,
>
> I didn't find any place where I can tell you that there is a problem.
>
> First I tried to contact the module author
> (curiou...@ccmb.res.in) but the mail address
> doesn't exist any more.
>
> The font init code (line 271) starts with this:
>
>     my $self = shift;
>     my $fh = $self->get_file_handle();
>     my $buf = "";
>
>     eval { read( $fh, $buf, 12 ) };
>
> This seems... a little bit problematic.

How so? That's a block eval, not a string eval - it's effectively a try {} with no catch block - see http://p3rl.org/Try::Tiny for a nicer implementation of that.

An untrapped exception is potentially a bug - and I'd recommend seeing if it is, and if so fixing it - but I don't see it as a security hole.

-- 
Matt S Trout - Shadowcat Systems - Perl consulting with a commit bit and a clue
http://shadowcat.co.uk/blog/matt-s-trout/
http://twitter.com/shadowcat_mst/

Email me now on mst (at) shadowcat.co.uk and let's chat about how our Catalyst commercial support, training and consultancy packages could help your team.
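Added example, not code from Font::TTFMetrics or from either message in this thread: it shows the block-eval versus string-eval distinction Matt draws, and the swallowed-exception case he calls a potential bug. The sample file, the read_header helper and the undef-handle scenario are constructed here for illustration.

```perl
#!/usr/bin/perl
# Added example (not code from Font::TTFMetrics or from this thread).
# It separates the two things the thread conflates: a block eval around
# read() treats file bytes as data, while a string eval would compile them.
use strict;
use warnings;
use File::Temp qw(tempfile);

# Constructed sample file: its first 12 bytes happen to look like Perl.
# If they were ever compiled, the result would be a die with "RAN".
my ( $tmp, $path ) = tempfile( UNLINK => 1 );
binmode $tmp;
print {$tmp} 'die "RAN";  ', "\0" x 32;
close $tmp;

# Same shape as the quoted snippet: a try {} with no catch.
# Returns the bytes read and whatever exception the block swallowed.
sub read_header {
    my ($fh) = @_;
    my $buf = "";
    eval { read( $fh, $buf, 12 ) };
    return ( $buf, $@ );
}

# Case 1: a good handle. The bytes land in $buf; nothing is executed.
open( my $in, '<:raw', $path ) or die "open: $!";
my ( $buf, $err ) = read_header($in);
close $in;
printf "block eval: read %d bytes, exception=%s\n",
    length $buf, ( $err eq '' ? 'none' : $err );
print "buffer is still plain data: ",
    ( $buf =~ /^die "RAN";/ ? "yes" : "no" ), "\n";

# Case 2: what a string eval of the same bytes would do. This is the
# construct the report describes, and it is not what the snippet does.
eval $buf;
print "string eval: exception=", ( $@ eq '' ? "none\n" : $@ );

# Case 3: the weak spot Matt points at. If get_file_handle() hands back
# undef (say the font file failed to open), read() dies inside the block,
# the block eval swallows it, and a caller that never inspects $@
# carries on with an empty header.
my ( $buf2, $err2 ) = read_header(undef);
printf "bad handle: buffer=%d bytes, swallowed exception: %s",
    length $buf2, ( $err2 eq '' ? "none\n" : $err2 );
```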