On bugtraq, there was an announcement concerning Safe.pm 2.0.7 and earlier with Perl 5.8.0 and earlier. From the email:
1. Problem Description

Safe.pm 2.0.7 and earlier, when used in Perl 5.8.0 and earlier, may allow attackers to break out of safe compartments in (1) Safe::reval or (2) Safe::rdo using a redefined @_ variable, which is not reset between successive calls. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2002-1323 to this issue.

Refer to http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1323 for more info.

------
We are the carpenters and bricklayers of the Information Age.

Then there are Damian modules.... *sigh* ... that's not about being less-lazy -- that's about being on some really good drugs -- you know, there is no spoon. - flyingmoose

Re: Some versions of Safe considered unSafe
by ysth (Canon) on Apr 04, 2004 at 13:43 UTC
    Wow, they move a little slowly; that seems to have been in "candidate for the CVE list" status for a year now.

    Note that perl5.6.2 includes the fixed Safe 2.10. (Not sure where they got the 2.0.7 notation from; Safe was at version 2.07 in 5.8.0 and 2.10 in 5.8.1.)
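
An added example, not part of either post above: a small audit script that lists every Safe.pm visible in the running perl's @INC and classifies it using only the versions named in this thread (2.07 and earlier affected, 2.10 fixed). The helper names `safe_version_in` and `classify_safe` are hypothetical, and the version is read with a regex so no code from the inspected file is executed.

```perl
#!/usr/bin/perl
# Added example: audit the Safe.pm copies visible to this perl.
# Thresholds come only from the thread: 2.07 and earlier affected, 2.10 fixed.
use strict;
use warnings;
use File::Spec;

# Read the version assignment without executing any code from the file.
sub safe_version_in {
    my ($file) = @_;
    open my $fh, '<', $file or return;
    while (my $line = <$fh>) {
        return $1 if $line =~ /\$(?:Safe::)?VERSION\s*=\s*["']?(\d+\.\d+)/;
    }
    return;
}

# Map a version string to a status based on the thread's two data points.
sub classify_safe {
    my ($version) = @_;
    return 'unknown'  unless defined $version;
    return 'affected' if $version <= 2.07;   # advisory's "2.0.7" is Safe 2.07
    return 'fixed'    if $version >= 2.10;   # release named in the reply
    return 'unstated';                       # in between: the thread does not say
}

# The advisory also conditions on the interpreter, so report it first.
printf "perl %s (%s 5.8.0)\n", $], ($] <= 5.008 ? 'at or below' : 'above');

my %seen;
for my $dir (grep { !ref } @INC) {           # skip code-ref hooks in @INC
    my $file = File::Spec->catfile($dir, 'Safe.pm');
    next unless -f $file && !$seen{$file}++;
    my $version = safe_version_in($file);
    printf "%-9s Safe %s  %s\n", classify_safe($version),
        (defined $version ? $version : '?'), $file;
}
```

The first Safe.pm found in @INC order is the one `use Safe` loads, so an older copy listed ahead of a fixed one still matters.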