Bug#582806: perl: CVE-2010-1974: multiple unspecified vulnerabilities in Safe
Moritz Muehlenhoff
jmm at inutil.org
Sun May 30 12:46:08 UTC 2010
Niko Tyni wrote:
> Package: perl
> Version: 5.10.1-12
> Severity: important
> Tags: security
> X-Debbugs-Cc: team at security.debian.org
>
> Quoting http://security-tracker.debian.org/tracker/CVE-2010-1974 :
>
> Multiple unspecified vulnerabilities in the Safe (aka Safe.pm) module
> before 2.25 for Perl allow context-dependent attackers to inject and
> execute arbitrary code via vectors related to "automagic methods." NOTE:
> this might overlap CVE-2010-1169 or CVE-2010-1447.
>
> The best description I'm aware of is at
>
> http://blogs.perl.org/users/rafael_garcia-suarez/2010/03/new-safepm-fixes-security-hole.html
>
> I expect lenny is affected just as much as sid/squeeze. Not sure if we
> need a DSA. Setting the severity to 'important' for now.
>
> Please note that there's potential for regression: Safe-2.27 breaks at
> least libpetal-perl, see #582805.
>
> Security team, I'd love some help with this.
Would anyone use Safe to run potentially harmful code in a sandbox-like
environment? If it's more or less a debugging/testing feature, we don't
need to update it through a DSA, especially if it causes regressions.
Cheers,
Moritz
More information about the Perl-maintainers
mailing list