oss-security - CVE Request: Storable::thaw called on cookie data in multiple CPAN modules

Follow @Openwall on Twitter for new release announcements and other news

[<prev] [next>] [thread-next>] [day] [month] [year] [list]

Date: Sun, 12 May 2013 21:38:58 -0500
From: John Lightsey <john@...nuts.net>
To: oss-security@...ts.openwall.com
Subject: CVE Request: Storable::thaw called on cookie data in multiple CPAN
 modules

Hi everyone,

Several CPAN modules follow the same pattern of calling Storable::thaw()
on session data stored client side with no signature verification
mechanisms in place to prevent tampering. Perl's Storable module was
recently documented as being unsafe for use with untrusted inputs:

http://perl5.git.perl.org/perl.git/commit/664f237a84176c09b20b62dbfe64dd736a7ce05e

The vulnerable modules are:

Both App::Session::Cookie and App::Session::HTMLHidden in the
App::Context bundle.
https://rt.cpan.org/Ticket/Display.html?id=85215

HTML::EP::Session::Cookie in the HTML::EP bundle.
https://rt.cpan.org/Ticket/Display.html?id=85216

Spoon::Cookie in the Spoon bundle.
https://rt.cpan.org/Ticket/Display.html?id=85217

Download attachment "signature.asc" of type "application/pgp-signature" (901 bytes)

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.