Bug#582806: perl: CVE-2010-1974: multiple unspecified vulnerabilities in Safe

Moritz Muehlenhoff jmm at inutil.org
Sun May 30 12:46:08 UTC 2010


Niko Tyni wrote:
> Package: perl
> Version: 5.10.1-12
> Severity: important
> Tags: security
> X-Debbugs-Cc: team at security.debian.org
> 
> Quoting http://security-tracker.debian.org/tracker/CVE-2010-1974 :
> 
>   Multiple unspecified vulnerabilities in the Safe (aka Safe.pm) module
>   before 2.25 for Perl allow context-dependent attackers to inject and
>   execute arbitrary code via vectors related to "automagic methods." NOTE:
>   this might overlap CVE-2010-1169 or CVE-2010-1447.
> 
> The best description I'm aware of is at
> 
>  http://blogs.perl.org/users/rafael_garcia-suarez/2010/03/new-safepm-fixes-security-hole.html
> 
> I expect lenny is affected just as much as sid/squeeze. Not sure if we
> need a DSA. Setting the severity to 'important' for now.
> 
> Please note that there's potential for regression: Safe-2.27 breaks at
> least libpetal-perl, see #582805.
> 
> Security team, I'd love some help with this.

Would anyone use Safe to run potentially harmful code in a sandbox-like
environment? If it's more or less a debugging/testing feature, we don't
need to update it through a DSA, especially if it causes regressions.

Cheers,
        Moritz