Bug#695223: perl: Storable docs don't advise against using untrusted data

Dominic Hargreaves dom at earth.li
Wed Dec 5 17:49:00 UTC 2012


Package: perl
Severity: important
Tags: security

----- Forwarded message from Ricardo Signes <perl.p5p at rjbs.manxome.org> -----

Date: Wed, 5 Dec 2012 10:48:11 -0500
From: Ricardo Signes <perl.p5p at rjbs.manxome.org>
To: perl5-porters at perl.org
Subject: security notice: Storable
X-Spam-Status: No, score=-6.8 required=5.0 tests=BAYES_00,DKIM_SIGNED,
	RCVD_IN_DNSWL_HI,SPF_PASS,T_DKIM_INVALID autolearn=ham version=3.3.1
User-Agent: Mutt/1.5.21 (2010-09-15)
X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.2


A number of times over the years, there's been discussion about Storable as a
vector for attack.  If a user can feed you Storable data that you didn't
expect, he has a good chance of doing nasty things to your program.  This has
been discussed on p5p and at YAPCs, but sadly never made it into the
documentation.

This has been fixed with
http://perl5.git.perl.org/perl.git/commit/664f237a84176c09b20b62dbfe64dd736a7ce05e

A release to CPAN containing this warning will also be made soon.

Thanks to Brian Carlson of cPanel who brought this to our attention.

-- 
rjbs



----- End forwarded message -----

-- 
Dominic Hargreaves | http://www.larted.org.uk/~dom/
PGP key 5178E2A5 from the.earth.li (keyserver,web,email)




More information about the Perl-maintainers mailing list