Preferred bug tracker

Please visit the preferred bug tracker to report your issue.

This queue is for tickets about the B-C CPAN distribution.

Report information
The Basics
Id:
116201
Status:
resolved
Priority:
Low/Low
Queue:
B-C
People
Owner:
Nobody in particular
Requestors:
Cc:
AdminCc:

BugTracker
Severity:
(no value)
Broken in:
(no value)
Fixed in:
(no value)



Subject: Security vulnerability with XSLoader in Stash/Stash.pm
Sorry I am not using the preferred bug tracker. I have limited web access and cannot get to code.google.com.

XSLoader 0.21 and earlier have a bug in them that allows paths outside of @INC to be checked for code to load if the calling code’s file (as returned by caller()) is something not in @INC.

Since a string eval has ‘(eval 1)’ or similar for its ‘file name’, this code in Stash/Stash.pm is vulnerable:

    eval q[
    CHECK {
    ] . ($debug ? q[print "scanxs main\n"; my $debug=1;] : "") . q[
        require XSLoader;
        XSLoader::load('B::Stash'); # for xs only
        my @arr = scanxs( $main::{"main::"},'',$debug );
        @arr = map { s/\:\:$//; $_ eq "<none>" ? () : $_; } @arr;
        print "-x", join( ",-x", @arr ), "\n";
    } ];

XSLoader version 0.22 closes the security hole. I leave it to you whether to put a #line directive inside the string eval to set the file name or to depend on XSLoader 0.22.
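As an added illustration (this is not code from the ticket, from B-C or from XSLoader), the script below shows the two facts the report rests on: code inside a string eval reports a pseudo file name such as ‘(eval 1)’ to caller(), which is not a path under @INC, and a #line directive at the top of the evaluated string replaces that pseudo name with a real one, which is the mitigation Reini chose for 1.55. It also shows how to check whether the installed XSLoader is at least 0.22. The subs record_caller_file() and file_seen_by_callee() are stand-ins invented for this example; record_caller_file() plays the role XSLoader::load() has in the report, a callee that looks at caller()'s file name.

```perl
#!/usr/bin/perl
# Added example, not code from the ticket or from B-C. Shows what file
# name a string eval reports to caller(), why that matters for the
# XSLoader 0.21 behaviour described in the report, and how a #line
# directive changes it. record_caller_file() and file_seen_by_callee()
# are hypothetical helpers written for this example.
use strict;
use warnings;

# Stand-in for the callee (XSLoader::load in the report): it records the
# file name of the code that called it, exactly as caller() reports it.
my $recorded;
sub record_caller_file {
    $recorded = (caller(0))[1];
    return;
}

# Compile and run $src as a string eval and return the file name the
# callee saw for its caller.
sub file_seen_by_callee {
    my ($src) = @_;
    undef $recorded;
    eval $src;
    die $@ if $@;
    return $recorded;
}

# Does the installed XSLoader meet the version the report names as
# fixed? VERSION() dies when the installed version is older than 0.22.
sub xsloader_is_fixed {
    require XSLoader;
    return eval { XSLoader->VERSION(0.22); 1 } ? 1 : 0;
}

# Without #line, the caller's "file" is the eval pseudo-name, i.e. a
# string like "(eval 1)" that does not correspond to anything in @INC.
# XSLoader 0.21 and earlier would derive a search location from it.
my $pseudo = file_seen_by_callee(q[ record_caller_file(); ]);

# With #line as the first line of the evaluated string, caller() reports
# the given file name instead, so a callee that resolves paths relative
# to its caller's file works from a real module location. The name
# "B/Stash.pm" is just the one that fits the report's context.
my $named = file_seen_by_callee(qq[#line 1 "B/Stash.pm"\nrecord_caller_file();]);

printf "caller file without #line: %s\n", $pseudo;
printf "caller file with #line:    %s\n", $named;
printf "XSLoader >= 0.22 installed: %s\n", xsloader_is_fixed() ? "yes" : "no";
```

Run it with plain `perl` and no arguments. The first line of output is the eval pseudo-name, the second is the name supplied by the #line directive; the third tells you whether you can rely on the XSLoader fix alone or still need the #line directive in code that calls XSLoader::load() from inside a string eval.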
On Sat Jul 16 03:38:38 2016, SPROUT wrote:
Thanks, I already saw the fix in core, and will fix it in B-C and cperl also, where I rewrote XSLoader in XS. I'll also fix the old RT tracker url to github/rurban/perl-compiler. code.google.com is down. -- Reini Urban
Fix included in the released 1.55, with a #line directive -- Reini Urban


This service runs on Request Tracker, is sponsored by The Perl Foundation, and maintained by Best Practical Solutions.

Please report any issues with rt.cpan.org to rt-cpan-admin@bestpractical.com.