No. If Perl did not have the problem, then the problem in webmin would be as "innocent" as you describe above.

However, the fault in the code of webmin (allowing untrusted users to supply the first argument to (s)printf) is much more serious due to the possibility of exploiting a buffer overrun/integer truncation error in Perl.

There is a bug in Perl, and it is good that it is addressed. It's very unprofessional, and IMO, bad for the name of Perl, to not look at this seriously and instantly dismiss it as "not a Perl problem".

Luckily, people on p5p aren't the zealots like you find here, and there they did look further. The result, no false claims being made, and a serious bug getting fixed.

Perl --((8:>*

In reply to Re^2: The "Perl Security Problem"? by Perl Mouse
in thread The "Perl Security Problem"? by Cody Pendant
