Bug#588017: perl: current directory in @INC potentially harmful
Eugene V. Lyubimkin
jackyf at debian.org
Sun Jul 4 18:01:19 UTC 2010
package perl
severity 588017 grave
thanks
Dominic Hargreaves wrote:
> Whoa, this is quite hasty.
Maybe.
> The reason that this is a security bug is
> because the current directory should not be trusted, because it might
> be writable by a *different* non-root user who might wish to trick you
> into running malicious code. For exactly the same reason, shells don't have
> the current directory in their path.
Now I see the point. Though practially I guess that includes only /tmp and a
superuser executing something from the /home/xyz/...
< I'm not going to start play severity games, but thie looks very much
> like a security bug to me.
Granted, my arguments are quite weak, so I restored the original severity.
--
Eugene V. Lyubimkin aka JackYF, JID: jackyf.devel(maildog)gmail.com
C++/Perl developer, Debian Developer
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 197 bytes
Desc: OpenPGP digital signature
URL: <http://lists.alioth.debian.org/pipermail/perl-maintainers/attachments/20100704/56d4a4fd/attachment.pgp>
More information about the Perl-maintainers
mailing list