Skip Menu |

This queue is for tickets about the Crypt-Random CPAN distribution.

Report information
The Basics
Id: 128062
Status: resolved
Priority: 0/
Queue: Crypt-Random
People
Owner: Nobody in particular
Requestors: me [...] eboxr.com
Cc:
AdminCc:
Bug Information
Severity: (no value)
Broken in: (no value)
Fixed in: (no value)

History Show all quoted text
  Wed Dec 19 17:00:58 2018 me [...] eboxr.com - Ticket created
Subject: bin/makerandom should not load modules from unsafe dir
This is very similar to the issue reported to Crypt::Primes via https://rt.cpan.org/Ticket/Display.html?id=128058 bin/makerandom is going to be install, and should simply trust Perl default @INC locations Note: once installed the Perl shebang is going to be adjusted to use the Perl used during the installation so the module will be reachable by default. We should not preserve the actual customized shebang, or any other module could be loaded depending from where/who run the script bin/makerandom This is a security fix. view https://github.com/atoomic/Crypt-Random/pull/1 Suggested patch: diff --git a/bin/makerandom b/bin/makerandom index 29b21c6..cfe5485 100755 --- a/bin/makerandom +++ b/bin/makerandom @@ -1,4 +1,4 @@ -#!/usr/bin/perl -sI../lib -Ilib/ +#!/usr/bin/perl ## ## makerandom - interface to crypt::random ##
  Sat Dec 22 09:58:38 2018 VIPUL [...] cpan.org - Correspondence added
I'll remove the directories. BTW your patch is not complete as we still need -s to accept command line options. On Wed Dec 19 17:00:58 2018, atoomic wrote: Show quoted text
> This is very similar to the issue reported to Crypt::Primes via > https://rt.cpan.org/Ticket/Display.html?id=128058 > > bin/makerandom is going to be install, and should simply trust Perl > default @INC locations > Note: once installed the Perl shebang is going to be adjusted to use > the Perl used during the installation > so the module will be reachable by default. > > We should not preserve the actual customized shebang, or any other > module could be loaded > depending from where/who run the script bin/makerandom > > This is a security fix. > > view https://github.com/atoomic/Crypt-Random/pull/1 > > Suggested patch: > > diff --git a/bin/makerandom b/bin/makerandom > index 29b21c6..cfe5485 100755 > --- a/bin/makerandom > +++ b/bin/makerandom > @@ -1,4 +1,4 @@ > -#!/usr/bin/perl -sI../lib -Ilib/ > +#!/usr/bin/perl > ## > ## makerandom - interface to crypt::random > ##
  Sat Dec 22 09:58:38 2018 The RT System itself - Status changed from 'new' to 'open'
  Sat Dec 22 11:22:51 2018 VIPUL [...] cpan.org - Correspondence added
Fixed in 1.51
  Sat Dec 22 11:22:52 2018 VIPUL [...] cpan.org - Status changed from 'open' to 'resolved'