Date: Sun, 12 May 2013 21:38:58 -0500
From: John Lightsey <>
Subject: CVE Request: Storable::thaw called on cookie data in multiple CPAN

Hi everyone,

Several CPAN modules follow the same pattern of calling Storable::thaw()
on session data stored client side with no signature verification
mechanisms in place to prevent tampering. Perl's Storable module was
recently documented as being unsafe for use with untrusted inputs:

The vulnerable modules are:

Both App::Session::Cookie and App::Session::HTMLHidden in the
App::Context bundle.

HTML::EP::Session::Cookie in the HTML::EP bundle.

Spoon::Cookie in the Spoon bundle.

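The pattern the post describes, as an added example that is not part of the original message and is not code from App::Context, HTML::EP or Spoon: an unsafe loader that passes a cookie straight to Storable::thaw(), next to one that first verifies an HMAC computed with a server-side secret. The cookie layout (base64 blob, a dot, hex HMAC-SHA256), the key string and the session contents are assumptions made for this example; only Storable, MIME::Base64 and Digest::SHA (all core modules) are used.

```perl
#!/usr/bin/perl
# Added example (not from the advisory or any of the named modules):
# the unsafe pattern next to an HMAC-authenticated one.
use strict;
use warnings;
use Storable qw(freeze thaw);
use MIME::Base64 qw(encode_base64 decode_base64);
use Digest::SHA qw(hmac_sha256_hex);

# Unsafe: whatever the client sent goes straight into Storable::thaw.
sub load_session_unsafe {
    my ($cookie) = @_;
    return thaw(decode_base64($cookie));
}

# Constant-time string comparison so MAC checking does not leak
# how many leading bytes matched.
sub constant_time_eq {
    my ($x, $y) = @_;
    return 0 unless length($x) == length($y);
    my $diff = 0;
    for my $i (0 .. length($x) - 1) {
        $diff |= ord(substr($x, $i, 1)) ^ ord(substr($y, $i, 1));
    }
    return $diff == 0;
}

# Hardened: sign the serialized blob with a server-side secret and
# refuse to thaw anything whose MAC does not verify.
# Cookie layout (assumption for this example): <base64 blob>.<hex hmac>
sub make_session_cookie {
    my ($key, $data) = @_;
    my $b64 = encode_base64(freeze($data), '');   # '' => no line breaks
    my $mac = hmac_sha256_hex($b64, $key);
    return "$b64.$mac";
}

sub load_session {
    my ($key, $cookie) = @_;
    return unless defined $cookie;
    my ($b64, $mac) = split /\./, $cookie, 2;
    return unless defined $b64 && defined $mac;
    my $expected = hmac_sha256_hex($b64, $key);
    return unless constant_time_eq($mac, $expected);
    # Only now do client-supplied bytes reach Storable.
    return thaw(decode_base64($b64));
}

# Demo with a constructed secret and session.
my $key = 'replace-with-a-long-random-server-secret';   # assumption: kept server-side
my $cookie = make_session_cookie($key, { user => 'alice', admin => 0 });

my $session = load_session($key, $cookie);
printf "genuine cookie: user=%s admin=%d\n", $session->{user}, $session->{admin};

# An attacker can build a perfectly valid Storable blob claiming admin=1,
# but without $key the MAC will not verify.
my $forged = make_session_cookie('guess', { user => 'alice', admin => 1 });
printf "forged cookie:  %s\n",
    defined load_session($key, $forged) ? 'ACCEPTED' : 'rejected';

# The unsafe loader happily accepts the same forgery.
my ($forged_b64) = split /\./, $forged, 2;
printf "unsafe loader:  admin=%d\n", load_session_unsafe($forged_b64)->{admin};
```

The MAC is computed over the encoded blob and checked in constant time before any of it is deserialized, so a forged or modified cookie never reaches Storable at all; this only addresses tampering, not confidentiality, and it does not make thaw() itself safe on data you have not authenticated.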
