Bug#631529: Missing fix for CVE-2010-1447
Moritz Muehlenhoff
muehlenhoff at univention.de
Fri Jun 24 16:56:40 UTC 2011
Package: perl
Severity: grave
Tags: security
Hi Perl maintainers,
it turns out that CVE-2010-1447 is still missing in Lenny and
Squeeze. It was originally attributed to Postgres, but it
was later found out that Perl is affected as well.
The attached patch is still needed in both Lenny and Squeeze.
Cheers,
Moritz
-------------- next part --------------
Fix for CVE-2010-1447
--- perl-5.10.0/ext/Opcode/Safe.pm
+++ perl-5.10.0/ext/Opcode/Safe.pm
@@ -338,6 +338,7 @@ sub reval {
? Opcode::_safe_call_sv($root, $obj->{Mask}, $evalsub)
: scalar Opcode::_safe_call_sv($root, $obj->{Mask}, $evalsub);
_clean_stash($root.'::') if $sg != sub_generation();
+ $obj->wrap_code_refs_within(@subret);
return (wantarray) ? @subret : $subret[0];
}
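Review bot: The call added in reval discards the return value of `$obj->wrap_code_refs_within(@subret);`, so the fix only takes effect if that method rewrites the elements of @subret in place through @_ aliasing. Neither that behaviour nor the method's definition is visible in this patch. Confirm that the Safe.pm in perl-5.10.0 defines it that way, and add a one-line comment above the call stating that the list is modified in place before the `return`.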
@@ -416,6 +417,7 @@ sub rdo {
? Opcode::_safe_call_sv($root, $obj->{Mask}, $evalsub)
: scalar Opcode::_safe_call_sv($root, $obj->{Mask}, $evalsub);
_clean_stash($root.'::') if $sg != sub_generation();
+ $obj->wrap_code_refs_within(@subret);
return (wantarray) ? @subret : $subret[0];
}
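Review bot: The line added in rdo is a copy of the one in reval, and the patch carries no test for either path. A regression test would keep the two from drifting apart. It should return a code reference from the compartment through both reval and rdo, once directly and once contained in a returned structure, and check that calling it still executes under the compartment's mask.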
@@ -629,9 +631,9 @@ expression evaluated, or a return statement may be used, just as with
subroutines and B<eval()>. The context (list or scalar) is determined
by the caller as usual.
-This behaviour differs from the beta distribution of the Safe extension
-where earlier versions of perl made it hard to mimic the return
-behaviour of the eval() command and the context was always scalar.
+If the return value of reval() is (or contains) any code reference,
+those code references are wrapped to be themselves executed always
+in the compartment. See L</wrap_code_refs_within>.
The formerly undocumented STRICT argument sets strictness: if true
'use strict;' is used, otherwise it uses 'no strict;'. B<Note>: if
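Review bot: The new POD paragraph documents the wrapping for reval() only, although this patch adds the same call to rdo; mention rdo() here or in its own entry. The phrase "wrapped to be themselves executed always in the compartment" is hard to parse; "wrapped so that they always execute inside the compartment" reads more clearly. Also check that the `L</wrap_code_refs_within>` link target exists in this version's POD, since the patch does not add that section.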