Bug 57316 - Safe.pm security hole in japanese/perl, as well as 4.x base system's perl
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
: Normal Affects Only Me
Assignee: shige
Reported: 2003-09-28 15:50 UTC by IIJIMA Hiromitsu
Modified: 2003-10-01 15:18 UTC

Description IIJIMA Hiromitsu 2003-09-28 15:50:25 UTC
	Safe.pm in ports/japanese/perl5 (perl 5.005_03 plus Japanese patch)
	has a security hole labelled as CAN-2002-1323.

	For more information, see the websites at:
	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1323
	http://groups.google.com/groups?threadm=rt-17744-39131.3.96370682846239%40bugs6.perl.org

	[NOTE] ports/lang/perl5 (perl 5.6.1) and ports/lang/perl5.8 (perl 5.8.0)
	are not affected, since they have files/patch-Safe.pm in the ports.

	FreeBSD 4.x base system's perl is also affected, so I have sent
	another PR labelled as bin/57315.

Fix: 

Apply ports/lang/perl5/patch-Safe.pm to ports/japanese/perl5.
	It applies to perl 5.005_03 with no problem.

	ports/lang/perl5.8/patch-Safe.pm does not apply to perl 5.005_03,
	since it is an upgrade from Safe.pm 2.07 to 2.09 while perl 5.005_03
	has Safe.pm 2.06.
How-To-Repeat: 	I tried the exploit code at the Google Groups archive, but it was not successful.
Comment 1 Kirill Ponomarev freebsd_committer freebsd_triage 2003-09-28 15:51:25 UTC
Responsible Changed
From-To: freebsd-ports-bugs->shige

Over to maintainer
Comment 2 shige freebsd_committer freebsd_triage 2003-10-01 15:18:08 UTC
State Changed
From-To: open->closed

Committed. Thanks!