Skip Menu |
 

This queue is for tickets about the NgxQueue CPAN distribution.

Report information
The Basics
Id: 116200
Status: new
Priority: 0/
Queue: NgxQueue

People
Owner: Nobody in particular
Requestors: 'spro^^*%*^6ut# [...] &$%*c
Cc:
AdminCc:

Bug Information
Severity: (no value)
Broken in: (no value)
Fixed in: (no value)



Subject: Security vulnerability
Download (untitled) / with headers
text/plain 615b
XSLoader 0.21 and earlier have a bug in them that allows paths outside of @INC to be checked for code to load if the calling code’s file (as returned by caller()) is something not in @INC. Since a string eval has ‘(eval 1)’ or similar for its ’file name’, this code in NgxQueue is vulnerable: eval qq{ require XSLoader; XSLoader::load __PACKAGE__, $VERSION; }; There is actually no need for the string eval. Removing the ‘qq’ after ‘eval’ will close the security hole. Alternatively, you might want to make this module depend on XSLoader version 0.22.


This service is sponsored and maintained by Best Practical Solutions and runs on Perl.org infrastructure.

Please report any issues with rt.cpan.org to rt-cpan-admin@bestpractical.com.