Date: Sun, 12 May 2013 21:38:58 -0500
From: John Lightsey <john@...nuts.net>
To: oss-security@...ts.openwall.com
Subject: CVE Request: Storable::thaw called on cookie data in multiple CPAN modules

Hi everyone,

Several CPAN modules follow the same pattern of calling Storable::thaw() on session data stored client-side with no signature verification mechanism in place to prevent tampering. Perl's Storable module was recently documented as being unsafe for use with untrusted inputs:

http://perl5.git.perl.org/perl.git/commit/664f237a84176c09b20b62dbfe64dd736a7ce05e

The vulnerable modules are:

- Both App::Session::Cookie and App::Session::HTMLHidden in the App::Context bundle.
  https://rt.cpan.org/Ticket/Display.html?id=85215
- HTML::EP::Session::Cookie in the HTML::EP bundle.
  https://rt.cpan.org/Ticket/Display.html?id=85216
- Spoon::Cookie in the Spoon bundle.
  https://rt.cpan.org/Ticket/Display.html?id=85217

Attachment: signature.asc (application/pgp-signature, 901 bytes)
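To make the pattern concrete, the following is an added illustration (not code from the report above or from any of the listed modules). It shows the unsafe shape, a cookie whose base64 payload goes straight into Storable::thaw(), beside one way to close the hole: compute an HMAC over the frozen bytes with a server-side secret and verify it, in constant time, before thaw() ever sees the data. The secret, the cookie layout (32-byte SHA-256 MAC followed by the frozen bytes) and the helper names are assumptions for the example; any equivalent authenticated layout works.

```perl
#!/usr/bin/env perl
# Added example; not part of the advisory or of App::Context, HTML::EP or Spoon.
use strict;
use warnings;
use Storable     qw(freeze thaw);
use MIME::Base64 qw(encode_base64 decode_base64);
use Digest::SHA  qw(hmac_sha256);

# Hypothetical server-side secret (assumption). Load it from config in practice.
my $SECRET = 'example-secret-key-change-me';
my $MACLEN = 32;    # SHA-256 output length in bytes

# --- Vulnerable pattern: the shape the report describes ---
# The cookie is base64 of raw Storable output; whatever the client sends is
# handed to thaw(), so the client controls the deserialised structure.
sub vulnerable_read_session {
    my ($cookie) = @_;
    return thaw( decode_base64($cookie) );
}

# --- Hardened pattern: authenticate the frozen bytes, then thaw ---
sub write_session {
    my ($data) = @_;
    my $frozen = freeze($data);
    my $mac    = hmac_sha256( $frozen, $SECRET );
    # cookie = base64( mac || frozen ); base64 keeps it cookie-safe
    return encode_base64( $mac . $frozen, '' );
}

sub read_session {
    my ($cookie) = @_;
    my $raw = decode_base64($cookie);
    return undef if length($raw) < $MACLEN;
    my $mac    = substr( $raw, 0, $MACLEN );
    my $frozen = substr( $raw, $MACLEN );
    return undef unless _consteq( $mac, hmac_sha256( $frozen, $SECRET ) );
    return thaw($frozen);    # only reached for data this server signed
}

# Constant-time comparison so MAC verification does not leak via timing.
sub _consteq {
    my ( $x, $y ) = @_;
    return 0 unless length($x) == length($y);
    my $diff = 0;
    $diff |= ord( substr( $x, $_, 1 ) ) ^ ord( substr( $y, $_, 1 ) )
        for 0 .. length($x) - 1;
    return $diff == 0;
}

# Demo on constructed data.
my $cookie  = write_session( { user => 'alice', role => 'user' } );
my $session = read_session($cookie);
print "valid cookie  -> user=$session->{user} role=$session->{role}\n";

# Tamper: keep the old MAC, swap in a freshly frozen hash with an elevated role.
my $raw    = decode_base64($cookie);
my $forged = encode_base64(
    substr( $raw, 0, $MACLEN ) . freeze( { user => 'alice', role => 'admin' } ),
    '' );
print "forged cookie -> ",
    ( defined read_session($forged) ? "ACCEPTED (bug)" : "rejected" ), "\n";

# The vulnerable reader, by contrast, returns the attacker's structure as-is:
my $unchecked = vulnerable_read_session( encode_base64( substr( $raw, $MACLEN ), '' ) );
print "unchecked thaw -> role=$unchecked->{role}\n";
```

The order matters: the MAC check has to happen before thaw() because thaw() itself is the attack surface (it rebuilds blessed objects and runs their STORABLE_thaw hooks), so any check performed on the thawed structure afterwards is too late. Rejected cookies are treated as "no session" rather than an error the client can probe.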