Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Mon, 4 Apr 2011 13:48:55 -0400 (EDT)
From: Josh Bressers <bressers@...hat.com>
To: oss-security@...ts.openwall.com
Cc: "Steven M. Christey" <coley@...us.mitre.org>
Subject: Re: CVE Request -- perl -- lc(), uc() routines are
 laundering tainted data

Please use CVE-2011-1487

Thanks.

-- 
    JB


----- Original Message -----
> Hello Josh, Steve, vendors,
> 
> A security flaw was found in the way Perl performed
> laundering of tainted data. A remote attacker could
> use this flaw to bypass Perl TAINT mode protection
> mechanism (leading to commands execution on dirty
> arguments or file system access via contaminated
> variables) via specially-crafted input provided
> to the web application / CGI script.
> 
> Upstream bug report:
> http://rt.perl.org/rt3/Public/Bug/Display.html?id=87336
> 
> Relevant patch:
> http://perl5.git.perl.org/perl.git/commitdiff/539689e74a3bcb04d29e4cd9396de91a81045b99
> (contains also information when the issue was introduced)
> 
> References:
> [1] https://bugzilla.redhat.com/show_bug.cgi?id=692844
> 
> Could you allocate a CVE id for this?
> 
> Thanks && Regards, Jan.
> --
> Jan iankko Lieskovsky / Red Hat Security Response Team

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ