
This queue is for tickets about the B-C CPAN distribution.

Report information
The Basics
Id: 116201
Status: resolved
Priority: 0/
Queue: B-C

People
Owner: Nobody in particular
Requestors: 'spro^^*%*^6ut# [...] &$%*c
Cc:
AdminCc:

Bug Information
Severity: (no value)
Broken in: (no value)
Fixed in: (no value)



Subject: Security vulnerability with XSLoader in Stash/Stash.pm
Sorry I am not using the preferred bug tracker. I have limited web access and cannot get to code.google.com. XSLoader 0.21 and earlier have a bug in them that allows paths outside of @INC to be checked for code to load if the calling code’s file (as returned by caller()) is something not in @INC. Since a string eval has ‘(eval 1)’ or similar for its ’file name’, this code in Stash/Stash.pm is vulnerable: eval q[ CHECK { ] . ($debug ? q[print "scanxs main\n"; my $debug=1;] : "") . q[ require XSLoader; XSLoader::load('B::Stash'); # for xs only my @arr = scanxs( $main::{"main::"},'',$debug ); @arr = map { s/\:\:$//; $_ eq "<none>" ? () : $_; } @arr; print "-x", join( ",-x", @arr ), "\n"; } ]; XSLoader version 0.22 closes the security hole. I leave it to you whether to put a #line directive inside the string eval to set the file name or to depend on XSLoader 0.22.
On Sat Jul 16 03:38:38 2016, SPROUT wrote:
> Sorry I am not using the preferred bug tracker. I have limited web
> access and cannot get to code.google.com.
>
> XSLoader 0.21 and earlier have a bug in them that allows paths outside
> of @INC to be checked for code to load if the calling code's file (as
> returned by caller()) is something not in @INC.
>
> Since a string eval has '(eval 1)' or similar for its 'file name',
> this code in Stash/Stash.pm is vulnerable:
>
> eval q[
> CHECK {
> ] . ($debug ? q[print "scanxs main\n"; my $debug=1;] : "") . q[
>   require XSLoader;
>   XSLoader::load('B::Stash'); # for xs only
>   my @arr = scanxs( $main::{"main::"},'',$debug );
>   @arr = map { s/\:\:$//; $_ eq "<none>" ? () : $_; } @arr;
>   print "-x", join( ",-x", @arr ), "\n";
> } ];
>
> XSLoader version 0.22 closes the security hole. I leave it to you
> whether to put a #line directive inside the string eval to set the
> file name or to depend on XSLoader 0.22.
Thanks, I already saw the fix in core, and will fix it in B-C and cperl also, where I rewrote XSLoader in XS. I'll also fix the old RT tracker url to github/rurban/perl-compiler. code.google.com is down. -- Reini Urban
Fix included in the released 1.55, with a #line directive -- Reini Urban