Function lc() is laundering tainted data in newer perls, contrary to docs #11219
Created by Mark.Martinec@ijs.si
The current perlsec 5.13 man page still claims that "Laundering data
This holds true for v5.10.1, v5.12.3 and v5.13.10;
using perl 5.8.8:
On 03/30/2011 09:31 AM, Mark Martinec (via RT) wrote:
Is this security-related issue important enough to be a 5.14 blocker?
On 31 March 2011 04:10, Karl Williamson <firstname.lastname@example.org> wrote:
On Thu, Mar 31, 2011 at 06:29:59AM -0700, Father Chrysostomos via RT wrote:
Are there any plans to push this update to maint-5.12 or maint-5.10
For context, I'm looking at fixing this in the Debian perl packages:
I've attached the patch extracted from
Hi Jan Lieskovsky,
Please could you also mail email@example.com when requesting
On Fri, Apr 15, 2011 at 07:12:24PM +0100, Dominic Hargreaves wrote:
Well, it's not quite clear what side of EOL maint-5.10 is. The current
As to maint-5.12, the current thoughts from Jesse were:
: On Fri, Apr 08, 2011 at 03:59:35AM -0700, Nicholas Clark via RT wrote:
(in http://www.xray.mpe.mpg.de/mailing-lists/perl5-porters/2011-04/msg00344.html )
Now that we *belatedly* learn that this bug has a CVE, and a published CVE
On Sat, Apr 16, 2011 at 12:55:46PM +0100, Nicholas Clark wrote:
It's a valid bug, but I don't even think that this bug *should* be a CVE.
We never advertise tainting as an input validation system. No program should
Report CVEs in those programs, if they exist.