+++ This bug was initially created as a clone of Bug #385487 +++ From secunia security advisory at $URL: Description: The vulnerability is caused due to the "Digest->new()" function not properly sanitising input before using it in an "eval()" call, which can be exploited to inject and execute arbitrary Perl code.
Michael, is this different than in bug #385487?
Yes Tim, This is applicable to Perl 5.x instead of the actual Digest module <1.17 I added the wrong $URL for all product versions instead of the Secunia Adv. which I just updated. For clarity, the original bug was as follows: http://secunia.com/advisories/46279/ The new advisory for Perl 5 is as follows: http://secunia.com/advisories/46299/ IMO still a bit confusing because the commit applies to the Digest version, but a3li said to go ahead and clone.
(In reply to comment #2) > IMO still a bit confusing because the commit applies to the Digest version, but > a3li said to go ahead and clone. Perl seems to bundle some CPAN packages, so new package -> new bug
CVE says: Eval injection vulnerability in the Digest module before 1.17 for Perl allows context-dependent attackers to execute arbitrary commands via the new constructor. 5.17 was released starting with perl v5.15.4. Currently there are no affected perl distros in the tree at all. This bug is old. I prefer to close it as [nogla]