Bug#644108: unsafe use of eval in Digest->new()

Moritz Mühlenhoff jmm at inutil.org
Mon Oct 3 14:01:50 UTC 2011


On Sun, Oct 02, 2011 at 11:44:39PM +0200, Ansgar Burchardt wrote:
> Package: perl
> Version: 5.10.0-19
> Severity: grave
> Tags: security upstream
> 
> Hi,
> 
> the last upstream release of libdigest-perl (1.17) contains a fix for an
> unsafe use of eval: the argument to Digest->new($algo) was not checked
> properly, allowing code injection (in case the value can be changed by
> the attacker).
> 
> This also affects perl as the module is included in perl-base.

perl-modules from Squeeze also contains 1.16, just like libdigest-perl.
What's the purpose of this package, then? 

Wouldn't it rather make sense to drop standalone packages for all
modules present in perl-modules?

Cheers,
        Moritz
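To make the class of bug in the report concrete, here is an added example (not the Debian packaging, not upstream Digest.pm's own code, and not part of this thread) contrasting a factory that builds a "Digest::<algo>" class name and compiles it with string eval against one that validates the name and loads the module with the file-path form of require. The sub names new_unsafe and new_safe, the allowlist regex, and the "SHA-256" -> Digest::SHA->new(256) mapping are assumptions of this example; Digest::MD5 and Digest::SHA are core modules on any Perl 5.10+ install.

```perl
#!/usr/bin/perl
# Added example: loading a Digest::* backend from a caller-supplied name.
# Not Digest.pm's code; sub names, regex and SHA-N mapping are assumptions.
use strict;
use warnings;

# Vulnerable pattern (kept only for contrast, never called below): the
# algorithm name is interpolated into source text that eval then compiles,
# so any Perl syntax inside $algo is executed instead of being a name.
sub new_unsafe {
    my ($algo) = @_;
    my $class = "Digest::$algo";
    eval "require $class";      # string eval: $algo is treated as code here
    die $@ if $@;
    return $class->new;
}

# Hardened pattern: allowlist the characters, split "NAME-N" into a module
# base and a numeric constructor argument, and use the runtime (non-eval)
# require on a file path, so nothing from $algo is ever compiled as Perl.
sub new_safe {
    my ($algo) = @_;
    $algo =~ /\A([A-Za-z][A-Za-z0-9_]*)(?:-([0-9]+))?\z/
        or die "invalid digest algorithm name\n";
    my ($base, $bits) = ($1, $2);
    my $class = "Digest::$base";
    (my $file = "$class.pm") =~ s{::}{/}g;   # Digest::SHA -> Digest/SHA.pm
    require $file;                            # file require, no code eval
    return defined $bits ? $class->new($bits) : $class->new;
}

# Demo: one accepted hyphenated name, plus a loop showing that a name with
# characters outside the allowlist is rejected before any module is loaded.
if (!caller) {
    my $d = new_safe("SHA-256");
    $d->add("constructed sample input");      # constructed test data
    print "SHA-256 hexdigest: ", $d->hexdigest, "\n";

    for my $name ("MD5", "SHA-1", "MD5;1") {
        if (my $obj = eval { new_safe($name) }) {
            print "$name: accepted (", ref $obj, ")\n";
        } else {
            chomp(my $err = $@);
            print "$name: rejected ($err)\n";
        }
    }
}
```

The check worth keeping from this is the shape of the fix rather than the exact regex: reject anything outside an explicit allowlist before the name reaches any loader, and prefer a loader that treats the name as data (a file path) over one that treats it as source text.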