
This queue is for tickets about the CPAN CPAN distribution.

Report information
The Basics
Id: 130688
Status: rejected
Priority: 0/
Queue: CPAN

People
Owner: Nobody in particular
Requestors: biejunh [...] cn.ibm.com
Cc:
AdminCc:

Bug Information
Severity: (no value)
Broken in: (no value)
Fixed in: (no value)



Subject: security vulnerabilities discovered on Strawberry Perl 5.30.0.1 and some CPAN modules
Date: Fri, 11 Oct 2019 03:06:02 +0000
To: bug-CPAN [...] rt.cpan.org
From: "Jun Hua Bie" <biejunh [...] cn.ibm.com>
Hello CPAN bug team,

We are using Strawberry Perl 5.30.0.1 and some CPAN modules in our application. According to our company's security policy, we ran static code scanning on this open source code, and some security vulnerabilities were discovered during scanning:

Ungrouped Missing Setuid (PrivilegeEscalation, CWE-266): 32
Ungrouped File Open Mode Is User Modifiable (AccessControl.Bypass, CWE-288): 4

For the details, please refer to the following report:

Do you have any solution to fix these security issues? It is very urgent for us to fix these issues for our project; could you take it as high priority?

Thanks in advance!

Note: CPAN module AnyEvent-7.16 is used; the other CPAN modules are included in the Strawberry Perl code.

Message body is not shown because sender requested not to inline it.

On Fri Oct 11 04:36:38 2019, biejunh@cn.ibm.com wrote:
> Hello CPAN bug team,
>
> We are using Strawberry Perl 5.30.0.1 and some CPAN modules on our
> application, according to company's security policy, we ran static code
> scanning for these open source code, but some security vulnerabilities are
> discovered during scanning.
>
> Ungrouped Missing Setuid (PrivilegeEscalation, CWE-266) 32
> Ungrouped File Open Mode Is User Modifiable (AccessControl.Bypass,
> CWE-288) 4
>
> For the details, please refer to following reporting:
>
>
>
> Do you have any solution to fix these security issues ? It is very
> urgent for us to fix these issues for our project, could you take it as
> high priority ?
> Thanks in advance !
>
> Note: CPAN module AnyEvent-7.16 is used, for other CPAN modules, they
> are included on Strawberry Perl code.
>
You've raised this issue under the CPAN distribution queue. This is not the correct place. If you have issues with Strawberry Perl, this would be the page to look at: http://strawberryperl.com/support.html

However, while they are included with Strawberry Perl, none of the modules your scan took issue with are core modules (https://perldoc.pl/Module::CoreList). If this is very urgent for you, a reasonable approach would be to check whether an updated version of the module exists addressing the issue, or to write a patch for each module resolving the issue and supply it to the module author.

For example, the "Location" field within your report tells you which modules should be investigated, e.g. Location: src\perl\lib\Win32API\File.pl is https://metacpan.org/pod/Win32API::File

Please note that I'm not affiliated with any of the projects listed here.
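The triage the reply describes (map each scanner "Location" path to a module name, check Module::CoreList to see whether it is a core module or a separately maintained CPAN distribution) can be scripted. The following is an added example, not code from the ticket, from Strawberry Perl or from any module named here. It assumes the scanner reports paths in the Strawberry layout quoted above (a lib, site\lib or vendor\lib directory followed by the module path); the sample Location values are constructed, and the AnyEvent path in particular does not appear in the ticket. Module::CoreList ships with perl itself, so the script needs nothing installed.

```perl
#!/usr/bin/env perl
# Added example, not code from the ticket or from any module it names.
# Turn scanner "Location" paths into Perl module names and ask
# Module::CoreList whether each one ships with perl (core) or comes
# from a separate CPAN distribution whose author would receive a patch.
use strict;
use warnings;
use Module::CoreList;   # part of core perl, no installation needed

# Constructed sample Location values in the style quoted in the reply.
# The AnyEvent path is assumed; the ticket does not list it.
my @locations = (
    'src\perl\lib\Win32API\File.pm',
    'src\perl\site\lib\AnyEvent\Handle.pm',
    'src\perl\lib\Win32API\File.pl',   # not a .pm file: names no module
);

# Map a path such as src\perl\site\lib\Foo\Bar.pm to "Foo::Bar".
# Returns undef for anything that is not a .pm file below a lib directory.
sub location_to_module {
    my ($path) = @_;
    $path =~ s{\\}{/}g;                                      # Windows separators
    $path =~ s{^(?:.*?/)?(?:site/|vendor/)?lib/}{} or return; # drop prefix up to lib/
    $path =~ s{\.pm\z}{} or return;                          # only .pm files
    $path =~ s{/}{::}g;
    return $path;
}

for my $loc (@locations) {
    my $mod = location_to_module($loc);
    if (!defined $mod) {
        print "$loc: not a module file, look up its distribution by hand\n";
        next;
    }
    # first_release returns the perl version that first shipped the module,
    # or undef when the module has never been part of core.
    my $since = Module::CoreList->first_release($mod);
    if (defined $since) {
        print "$loc -> $mod: core module, first shipped with perl $since\n";
    } else {
        print "$loc -> $mod: CPAN module, check https://metacpan.org/pod/$mod "
            . "for a newer release or send the author a patch\n";
    }
}
```

Feed it the real Location column from the scan report instead of the constructed list, and the output splits the findings into the modules whose authors can be contacted via their metacpan page and the ones that belong to perl itself. Paths ending in .pl (like the one quoted in the reply) are scripts rather than modules and still need to be traced to a distribution by hand.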