[exim-dev] [Bug 1864] CVE-2016-1238: Important unsafe module…

Author: admin
Date:  
To: exim-dev
Subject: [exim-dev] [Bug 1864] CVE-2016-1238: Important unsafe module load path flaw
https://bugs.exim.org/show_bug.cgi?id=1864

Todd Rinaldo <toddr@???> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |toddr@???


--- Comment #2 from Todd Rinaldo <toddr@???> ---
Jeremy,

It is explicitly perl's stance that this is the script writer's problem until
perl removes . from @INC.

Stealing from redhat: https://bugzilla.redhat.com/show_bug.cgi?id=1355695


Upstream bug report, which remains private for now:

https://rt.perl.org/Public/Bug/Display.html?id=127834

However, the issue is already public via other places including:

http://www.gossamer-threads.com/lists/perl/porters/329911
https://www.debian.org/security/2016/dsa-3628

Relevant statement of responsibility:

"While the Perl Security group has attempted to mitigate some of these
problems by modifying Perl Modules, it is ultimately the responsibility
of the application writer to remove relative paths from @INC to assure
the security / consistent behavior of their code regardless of what
directory it executes from.

The fix is to check if the last entry of @INC is "." and if so, to
remove it as an included path.

The following line, when added to the top of Perl applications, should
mitigate this problem. This assumes your code is not intentionally
depending on paths relative to your current working directory:

BEGIN { pop @INC if $INC[-1] eq '.' }

We would also like to discourage using relative paths in @INC. "

--
You are receiving this mail because:
You are on the CC list for the bug.
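The following Perl script is an added example, not code from the Exim bug, from Todd's comment, or from the Red Hat advisory he quotes. It reproduces the CVE-2016-1238 condition (a trailing "." in @INC, which perl pushed by default before 5.26) by planting a module under a hypothetical name, Demo::Planted, in a temporary working directory, shows that a runtime `require` picks it up from the current directory, and then applies the mitigation. It generalises the quoted one-liner: instead of popping only a trailing ".", it drops every relative entry from @INC while keeping code-ref hooks, which is what the Red Hat statement asks for when it says to "remove relative paths from @INC".

```perl
#!/usr/bin/perl
# Added demonstration for CVE-2016-1238; Demo::Planted is a hypothetical
# module name used only here. Not part of Exim or of Red Hat's advisory.
use strict;
use warnings;
use Cwd qw(getcwd);
use File::Path qw(make_path);
use File::Spec;
use File::Temp qw(tempdir);

my $MODULE = 'Demo/Planted.pm';   # what a later "require Demo::Planted" resolves to

# Mitigation, generalised from "BEGIN { pop @INC if $INC[-1] eq '.' }":
# remove every relative directory from @INC (".", "lib", "../lib", ...),
# but keep code-ref/object hooks, which are legitimate @INC entries.
# In a real script this call belongs in a BEGIN block placed before the
# first "use", so it runs before any module search happens.
sub harden_inc {
    my @dropped = grep { !ref $_ && !File::Spec->file_name_is_absolute($_) } @INC;
    @INC = grep { ref $_ || File::Spec->file_name_is_absolute($_) } @INC;
    return @dropped;
}

# Try to load a module by file name and report the outcome. %INC is
# cleared first so each attempt really searches @INC again.
sub try_load {
    my ($module) = @_;
    delete $INC{$module};
    my $ok = eval { require $module; 1 };
    return $ok ? 'loaded' : 'refused';
}

# Constructed scenario: a writable directory holding an attacker-planted
# module, and a script that chdir()s into it before loading that module.
my $orig_cwd = getcwd();
my $dir      = tempdir(CLEANUP => 1);
make_path("$dir/Demo");
open my $fh, '>', "$dir/$MODULE" or die "open $dir/$MODULE: $!";
print {$fh} "package Demo::Planted;\n",
            "warn \"attacker code ran from \" . __FILE__ . \"\\n\";\n",
            "1;\n";
close $fh;
chdir $dir or die "chdir $dir: $!";

# Emulate perl < 5.26, where "." was the last entry of @INC by default.
push @INC, '.' unless grep { !ref $_ && $_ eq '.' } @INC;

printf "with '.' in \@INC:      %s\n", try_load($MODULE);   # loaded from cwd

my @dropped = harden_inc();
printf "removed from \@INC:     %s\n", join(', ', @dropped);
printf "after hardening:       %s\n", try_load($MODULE);   # refused

chdir $orig_cwd;   # leave the temp dir so CLEANUP can remove it
```

Run it with any perl: the first attempt prints the planted module's warning, the second reports "refused" because the only remaining @INC entries are absolute system paths. Note that popping just the last element, as in the quoted one-liner, is enough only when "." really is last; entries added through `-I`, `use lib` or PERL5LIB sit in front of it and are not touched by `pop`, while the filter above removes any relative entry wherever it appears. Perl 5.26 and later no longer add "." to @INC by default, but scripts that must also run on older interpreters still need the check.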