This was reported on Bugtraq today. Regardless of whose fault it is, it's a bug in Perl that should be fixed. It looks like this bug is likely to be exploitable. Taking advantage of this wouldn't be straightforward, but may be possible if part of the string passed to system is under user control. This would seem to already be a security problem, but if the programmer carefully checked the contents of the user's input but not its length, this buffer overflow could make a previously secure script insecure.