Function lc() is laundering tainted data in newer perls, contrary to docs #11219
From Mark.Martinec@ijs.si
Created by Mark.Martinec@ijs.si
The current perlsec 5.13 man page still claims that "Laundering data
This holds true for v5.10.1, v5.12.3 and v5.13.10;
Example: using perl 5.8.8:
Perl Info
|
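A check for the behaviour reported above, as an added example that is not part of the original report or of the perl test suite: it runs under taint mode and verifies that lc() returns a tainted value for tainted input. It goes beyond the report by also checking uc(), lcfirst() and ucfirst(), which this page does not mention; the sample strings and the script name are constructed.

```perl
# Run as: perl -T taint_case.pl   (the file name is arbitrary)
use strict;
use warnings;
use Scalar::Util qw(tainted);

die "taint mode is off; run with perl -T\n" unless ${^TAINT};

# Under -T the interpreter path $^X is tainted, and so is any substring of it.
# Appending this zero-length piece taints a string without changing its content.
my $TAINT = substr($^X, 0, 0);

# Case-mapping builtins to check; only lc() is named in the report.
my %case_op = (
    lc      => sub { lc $_[0] },
    uc      => sub { uc $_[0] },
    lcfirst => sub { lcfirst $_[0] },
    ucfirst => sub { ucfirst $_[0] },
);

# Constructed samples: ASCII, empty, Latin-1 and a character above 0xFF, so
# both the byte-string and the UTF-8 code paths are exercised.
my @samples = ('MiXed Case', 'lower', 'UPPER', '', "\x{C9}cole", "\x{100}BC");

my $laundered = 0;
for my $name (sort keys %case_op) {
    for my $i (0 .. $#samples) {
        my $in = $samples[$i] . $TAINT;
        die "setup error: sample $i is not tainted\n" unless tainted($in);
        my $out = $case_op{$name}->($in);
        next if tainted($out);          # expected: taint is carried over
        $laundered++;
        print "FAIL: $name() dropped the taint flag on sample $i\n";
    }
}

# Control: per perlsec, a regex capture is a documented way to untaint data,
# so this value is expected to come back untainted.
my ($captured) = ('MiXed' . $TAINT) =~ /\A(\w+)\z/;
print "control: regex capture is ",
      (tainted($captured) ? "tainted" : "untainted"), "\n";

my $summary = $laundered
    ? "$laundered case-function result(s) lost taint\n"
    : "all case-function results kept taint\n";
print $summary;
exit($laundered ? 1 : 0);
```

The script exits non-zero if any result lost its taint flag, so it can be dropped into a packaging or CI check for a given perl build.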
From @khwilliamson
On 03/30/2011 09:31 AM, Mark Martinec (via RT) wrote:
Is this security-related issue important enough to be a 5.14 blocker? |
The RT System itself - Status changed from 'new' to 'open' |
From @demerphq
On 31 March 2011 04:10, Karl Williamson <public@khwilliamson.com> wrote:
IMO yes. Yves -- |
From @obra
At least for now, I've made it a 5.14 blocker, so a fix for it is 100% |
From @cpansprout
On Thu Mar 31 05:54:26 2011, jesse wrote:
I’ve just fixed it with commit 539689e. |
@cpansprout - Status changed from 'open' to 'resolved' |
From @jmdh
On Thu, Mar 31, 2011 at 06:29:59AM -0700, Father Chrysostomos via RT wrote:
Are there any plans to push this update to maint-5.12 or maint-5.10
For context, I'm looking at fixing this in the Debian perl packages:
I've attached the patch extracted from
Thanks,
-- |
From @nwc10
Hi Jan Lieskovsky,
Please could you also mail perl5-security-report@perl.org when requesting
On Fri, Apr 15, 2011 at 07:12:24PM +0100, Dominic Hargreaves wrote:
Well, it's not quite clear what side of EOL maint-5.10 is. The current
http://www.xray.mpe.mpg.de/mailing-lists/perl5-porters/2011-04/msg00352.html
as to maint-5.12, the current thoughts from Jesse was:
: On Fri, Apr 08, 2011 at 03:59:35AM -0700, Nicholas Clark via RT wrote:
(in http://www.xray.mpe.mpg.de/mailing-lists/perl5-porters/2011-04/msg00344.html )
Now that we *belatedly* learn that this bug has CVE, and a published CVE
Nicholas Clark |
From @nwc10
On Sat, Apr 16, 2011 at 12:55:46PM +0100, Nicholas Clark wrote:
It's a valid bug, but I don't even think that this bug *should* be a CVE.
We never advertise tainting as an input validation system. No program should
Report CVEs in those programs, if they exist.
Nicholas Clark |
From @gisle
On Sat Apr 16 05:21:59 2011, nicholas wrote:
Agree, but for the record: it's CVE-2011-1487. |
Migrated from rt.perl.org#87336 (status was 'resolved')
Searchable as RT87336$