Bug 325563 (CVE-2010-1168) - <perl-core/Safe-2.27, <virtual/perl-Safe-2.27: bypass intended access restrictions, inject and execute arbitrary code (CVE-2010-1168)
Summary: <perl-core/Safe-2.27, <virtual/perl-Safe-2.27: bypass intended access restric...
Status: RESOLVED FIXED
Alias: CVE-2010-1168
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: A3 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2010-06-25 19:42 UTC by Stefan Behte (RETIRED)
Modified: 2011-11-20 18:17 UTC

See Also:
Package list:
Runtime testing required: ---


Description Stefan Behte (RETIRED) gentoo-dev Security 2010-06-25 19:42:35 UTC
CVE-2010-1168 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1168):
  The Safe (aka Safe.pm) module before 2.25 for Perl allows
  context-dependent attackers to bypass intended (1) Safe::reval and
  (2) Safe::rdo access restrictions, and inject and execute arbitrary
  code, via vectors involving implicitly called methods and implicitly
  blessed objects, as demonstrated by the (a) DESTROY and (b) AUTOLOAD
  methods, related to "automagic methods."
Comment 1 Stefan Behte (RETIRED) gentoo-dev Security 2010-06-25 19:45:13 UTC
We've got 2.27 in tree, can it go stable?
Comment 2 David Abbott gentoo-dev 2010-06-25 20:12:08 UTC
I don't see why not, in tree since 2010/05/02, no open bugs except this one, installs and passes tests here.
Please stabilize perl-core/Safe-2.27 and virtual/perl-Safe-2.27
Comment 3 Christoph Mende (RETIRED) gentoo-dev 2010-06-25 20:26:05 UTC
amd64 stable
Comment 4 Stefan Behte (RETIRED) gentoo-dev Security 2010-06-25 21:37:38 UTC
CVE-2010-1168 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1168):
  The Safe (aka Safe.pm) module before 2.25 for Perl allows
  context-dependent attackers to bypass intended (1) Safe::reval and
  (2) Safe::rdo access restrictions, and inject and execute arbitrary
  code, via vectors involving implicitly called methods and implicitly
  blessed objects, as demonstrated by the (a) DESTROY and (b) AUTOLOAD
  methods, related to "automagic methods."

Comment 5 Myckel Habets 2010-06-26 11:59:38 UTC
Builds fine on x86. Tests don't give any problems. Couldn't find any rdeps, so none tested.

Please mark stable for x86.
Comment 6 Raúl Porcel (RETIRED) gentoo-dev 2010-06-26 14:51:29 UTC
alpha/ia64/sparc/x86 stable, thanks Myckel
Comment 7 Jeroen Roovers (RETIRED) gentoo-dev 2010-06-28 05:48:24 UTC
Stable for HPPA.
Comment 8 Torsten Veller (RETIRED) gentoo-dev 2010-07-12 13:34:21 UTC
Like all perl-core/ packages, Safe.pm is also part of dev-lang/perl. So dev-lang/perl should be fixed too before this bug can be resolved.

perl       Safe.pm
v5.8.8     2.12
v5.10.1    2.18
Comment 9 Joe Jezak (RETIRED) gentoo-dev 2010-07-19 01:18:17 UTC
Marked ppc stable. Marked ~ppc64 since there are no ppc64 keywords.
Comment 10 Tim Sammut (RETIRED) gentoo-dev 2010-11-19 07:36:24 UTC
GLSA request filed.
Comment 11 GLSAMaker/CVETool Bot gentoo-dev 2011-11-20 18:17:02 UTC
This issue was resolved and addressed in GLSA 201111-09 at http://security.gentoo.org/glsa/glsa-201111-09.xml by GLSA coordinator Alex Legler (a3li).