It's not a Perl problem, it's a printf problem. Same would happen in C if used in the same way by allowing users to provide the format string (or part of it) to a printf. It comes down to hysteria over a programming bug in a specific piece of software. It is not a Perl bug at all, just a fault in the way Perl was used.

The bug allows a user to provide the equivalent of:

printf "%999999d";

which can take a while and use a bunch of memory, even if it doesn't crash the system.

Update:

My initial reaction was to inflammatory rhetoric in the press surrounding statements such as: "If remote code execution is successful, it would lead to a full remote root compromise in a standard configuration". While it is true that an attack is possible in principle that could result in such exploitation, in practice such an attack path is so tricky to exploit that the risk is very low.

The efix wrap problem is already being fixed (see advisories here for example). That reduces the chances of a code execution exploit, but doesn't fix the DoS attack which is dead easy to access - only improved Perl coding can fix that.

At the end of the day any sufficiently powerful system is capable of giving you a very red face. Anyone care to say that Perl isn't a "sufficiently powerful system"?


DWIM is Perl's answer to Gödel

In reply to Re: The "Perl Security Problem"? by GrandFather
in thread The "Perl Security Problem"? by Cody Pendant
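The coding fault the post describes, shown as an added example that is not part of the original thread or of any project: the untrusted value becomes the format string in the unsafe version, and is passed as an ordinary argument in the fixed version. The `check_template` helper and its width cap are assumptions of this example, for programs that genuinely need caller-chosen formats.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample input standing in for a value that reached the program
# from outside (a CGI parameter, a log line, a file name ...).
my $untrusted = '%999999d';

# The mistake the post describes: the untrusted string becomes the format.
# Perl parses the width field and builds a 999999-character string before
# anything is printed, which burns time and memory. Defined here for
# comparison only; it is deliberately never called in this script.
sub render_unsafe {
    my ($input) = @_;
    my $out = sprintf $input;     # DO NOT do this: $input is the format string
    return length $out;
}

# The fix: keep the format string a literal under the programmer's control and
# pass the untrusted value as an argument. sprintf then copies '%999999d' as
# plain characters instead of interpreting it as a directive.
sub render_safe {
    my ($input) = @_;
    return sprintf "%s", $input;
}

# If a program must let callers choose a format (a report template, say),
# whitelist the conversions and cap the width so a wide field cannot become a
# resource sink. Hypothetical helper, not from the post. Returns 1 if the
# template is acceptable, 0 otherwise.
sub check_template {
    my ($fmt, $max_width) = @_;
    (my $scan = $fmt) =~ s/%%//g;                      # literal percent signs are fine
    while ($scan =~ /%([^a-zA-Z%]*)([a-zA-Z])/g) {
        my ($flags, $conv) = ($1, $2);
        return 0 unless $conv =~ /^[sd]$/;             # only %s and %d allowed
        return 0 if $flags =~ /\*/;                    # no argument-supplied widths
        my ($width) = $flags =~ /(\d+)/;
        return 0 if defined $width && $width > $max_width;
    }
    return 1;
}

print render_safe($untrusted), "\n";                   # input copied verbatim
print check_template('%10s %5d', 80) ? "ok\n" : "rejected\n";
print check_template($untrusted, 80) ? "ok\n" : "rejected\n";
```

The same rule carries over to `printf` and to C: the format argument should be a string the programmer wrote, and anything that came from a user goes in the argument list.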
