Hey everybody -

Back in May of 2010, we added a cool feature to PDL that lets you turn strings into piddles. This was meant to provide a helpful new syntax for entering data by hand, for copy-pasting output from printing a piddle, and to ease the conversion of those coming from Matlab or Octave. You could do cool stuff like

    my $a = pdl q[1 2 3; 4 5 6];

which would create a 3 x 2 piddle.

Well, on Friday I discovered a security vulnerability introduced in the implementation of that functionality. It was a pretty obscure vulnerability, but if you ever send *user* *input* directly to any of these constructors:

  * new
  * pdl
  * topdl
  * byte
  * short
  * ushort
  * long
  * longlong
  * float
  * double

you run the risk of executing more-or-less arbitrary Perl code if you are running PDL v 2.4.6_006 or later. Note that this is *only* a vulnerability if you send user data to those constructors (a situation which I expect to be highly unlikely). Before v 2.4.6_006, the constructors would croak if fed a string, so you did not need to validate user input aside from wrapping the function calls in an eval block.

This is a very obscure vulnerability, and we had a number of milestones in place for the next release of PDL. As such, I'm not sure that we will be releasing anything to CPAN as an immediate response to this. Stay posted, and feel free to ask questions on this list if you need any help reacting to this.

I hope this is not a problem for anybody, but if it is and you need help responding to it, please reply to this email on-list.

Regards,
David

-- 
Sent via my carrier pigeon.

Perldl mailing list
[email protected]
http://mailman.jach.hawaii.edu/mailman/listinfo/perldl
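The message above says the risk exists only when a string that came from a user reaches one of the listed constructors. The following is an added example of how a caller can guard that path; it is not code from David's message or from PDL itself. The helper name `safe_pdl_from_string`, the 4096-character limit and the whitelist alphabet (digits, sign, decimal point, exponent marker, whitespace, brackets, commas, semicolons) are all assumptions of this example: they are chosen to cover plain numeric matrix literals and deliberately exclude every other character, so if your inputs legitimately use other tokens you would have to widen the class consciously rather than pass the raw string through.

```perl
use strict;
use warnings;
use PDL;

# Pattern the post warns about: a string from an untrusted source is handed
# straight to a constructor (do not do this on 2.4.6_006 or later):
#
#     my $p = pdl($untrusted_string);
#
# Hypothetical helper (not part of PDL): reject anything that is not part of
# a plain numeric matrix literal *before* the string reaches pdl(), then wrap
# the constructor in eval so a parse failure is an exception the caller
# handles instead of a die() that takes the program down.
sub safe_pdl_from_string {
    my ($input) = @_;

    die "input must be a plain string\n" unless defined $input && !ref $input;

    # Assumption: an arbitrary size cap; tune for your own inputs.
    die "input too long\n" if length($input) > 4096;

    # Assumption: this character class is the whole alphabet we are willing
    # to forward. Letters other than e/E, quotes, $, @, parentheses, braces
    # and anything else that could be meaningful to Perl are refused.
    die "input contains characters not allowed in a numeric literal\n"
        unless $input =~ /\A[-+\d.eE\s\[\];,]*\z/;

    # At least one digit, so an empty or punctuation-only string is refused.
    die "input does not look like a list of numbers\n"
        unless $input =~ /\d/;

    # Even whitelisted input can still fail to parse as a matrix; catch that.
    my $p = eval { pdl($input) };
    die "pdl() rejected input: $@" if $@;

    return $p;
}

# Constructed inputs for illustration (not taken from the original post).
my $ok = safe_pdl_from_string('1 2 3; 4 5 6');
print "accepted: $ok\n";

# A string with characters outside the numeric alphabet never reaches pdl().
my $rejected = eval { safe_pdl_from_string('1 2; foo()') };
print "rejected: $@" unless defined $rejected;
```

The design choice here is to whitelist rather than blacklist: the constructor's own string grammar is what turned out to be exploitable, so the caller should decide what characters are acceptable instead of trying to enumerate the dangerous ones. The eval wrapper is the pre-2.4.6_006 precaution the message mentions and is still worth keeping, but on its own it only catches croaks; it does nothing to stop code that the constructor would happily run.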
