Bug#622817: perl: CVE-2011-1487: taint laundering in lc, uc

Florian Weimer fw at deneb.enyo.de
Thu Jun 16 20:11:09 UTC 2011


* Dominic Hargreaves:

>> > Okay, then we should release a DSA for it, so that the breakage is
>> > more easily blamed on this particular change, and that it's less
>> > confusing if we have to issue follow-up DSAs.  Perhaps late May or
>> > early June would be a convenient release date?
>> 
>> Wasn't the earlier consensus that this only affects Perl scripts, which
>> are already insecure?
>
> I don't think we've seen any discussion of this; could you elaborate?

There was some discussion prior to filing the bug report, sorry.

Anyway, we should probably push the fix to lenny and squeeze at this
point.  (See above for part of my rationale for that.)

I can grab
0002-CVE-2011-1487-lc-uc-first-fail-to-taint-the-returned.patch and
apply it to squeeze & lenny if you want me to.  Are there any other
pending changes I should pick up?
