Bug#776270: perl: CVE-2012-3878 module loading security weakness
Dominic Hargreaves
dom at earth.li
Sat Apr 11 15:08:57 UTC 2015
Control: tags -1 -security
Control: found -1 5.20.2-3
On Mon, Jan 26, 2015 at 12:20:40PM +0200, Niko Tyni wrote:
> On Mon, Jan 26, 2015 at 09:25:33AM +0200, Niko Tyni wrote:
> > On Sun, Jan 25, 2015 at 11:00:27PM -0500, Michael Gilbert wrote:
> > > package: src:perl
> > > severity: normal
> > > tags: security
> > >
> > > Hi,
> > >
> > > There was a CVE assigned to this issue a while ago with strangely
> > > enough no real details. The only non-boilerplate information about it
> > > is at osvdb, but they don't provide any details that could be used to
> > > fix the issue:
> > > http://osvdb.org/show/osvdb/106565
> >
> > By that description this seems to be a dup of #588017
> > ("current directory in @INC potentially harmful")?
>
> Apparently not, but rather the fact that
> perl -e 'require ::foo'
> will try to load /foo.pm .
>
> Florian Weimer has just asked for CVE-2012-3878 to be rejected
> as upstream decided it's not a vulnerability.
>
> http://www.openwall.com/lists/oss-security/2015/01/26/3
> http://www.nntp.perl.org/group/perl.perl5.porters/2012/07/msg189909.html
Indeed; unsetting the security tag accordingly. I note that this issue,
if it is an issue, is still unresolved (the smoke-me/require branch
still exists unmerged).
I can't see any upstream bug about this; should there be or do people
think it's a complete non-bug?
Cheers,
Dominic.
More information about the Perl-maintainers
mailing list