I always figured that if there were a blatant security
violation by a CPAN author, that I would be safe because
someone would notice the problem before I got burned
by it.
That has indeed happened,
and now you are being
notified, also.
The nature of this security violation is that the module
author executes arbitrary code on your computer. Anyone
who can spoof the module owner's web server can also
execute arbitrary code during the module installation.
The problem is in the Makefile.PL, which gets arbitrary
code from the web server at perl.4pro.net and
executes the code.
My strategy for installing perl modules is to never
do so as root, and to never modify /usr/bin/perl.
I think that this strategy has now been vindicated!
Here are modules with the problem:
- CGI::Builder
- Template::Magic
- Class::constr
- Class::groups
- Class::props
- Object::groups
- Object::props
- Apache::Application::Plus
- HTML::TableTiler
To check if you have any of these modules, you can
search your perl tree for the author name
'Domizio Demichelis'.
Here is the current list on CPAN:
- Apache-CGI-Builder-1.2
- CGI-Application-Plus-1.14
- CGI-Builder-1.2
- CGI-Builder-CgiAppAPI-1.2
- CGI-Builder-DFVCheck-1.2
- CGI-Builder-HTMLtmpl-1.0
- CGI-Builder-Magic-1.22
- CGI-Builder-Session-1.2
- HTML-TableTiler-1.15
- IO-Util-1.21
- MagicTemplate-3.53
- OOTools-1.71
- Template-Magic-1.2
Update:A security fix has been proposed
by the module author and should be available in a few
days.
It should work perfectly the first time! - toma
Posts are HTML formatted. Put <p> </p> tags around your paragraphs. Put <code> </code> tags around your code and data!
Titles consisting of a single word are discouraged, and in most cases are disallowed outright.
Read Where should I post X? if you're not absolutely sure you're posting in the right place.
Please read these before you post! —
Posts may use any of the Perl Monks Approved HTML tags:
- a, abbr, b, big, blockquote, br, caption, center, col, colgroup, dd, del, details, div, dl, dt, em, font, h1, h2, h3, h4, h5, h6, hr, i, ins, li, ol, p, pre, readmore, small, span, spoiler, strike, strong, sub, summary, sup, table, tbody, td, tfoot, th, thead, tr, tt, u, ul, wbr
You may need to use entities for some characters, as follows. (Exception: Within code tags, you can put the characters literally.)
| |
For: |
|
Use: |
| & | | & |
| < | | < |
| > | | > |
| [ | | [ |
| ] | | ] |
Link using PerlMonks shortcuts! What shortcuts can I use for linking?
See Writeup Formatting Tips and other pages linked from there for more info.