in reply to THREE new perl releases

G'day Tux,

++ Thanks for this notification and the CVE information.

Are there any official (or at least detailed) write-ups of these vulnerabilities? I typically just look in "Perl: Security Vulnerabilities, CVEs" but they weren't listed there. I also looked in quite a few other places; many just had "unknown", "not found", or a very minimal description; here's an incomplete list:

By way of comparison, these CVEs have, or link to, detailed discussions, workarounds, and such like: "CVE-2023-31484 (CPAN)" and "CVE-2023-31486 (HTTP::Tiny)".

Test::CVE

Somewhat tangentially, as part of my searching I came across the extremely new (its timestamp had "AN HOUR AGO") Test::CVE, authored by your good self.

This looks like something I may add to the list of Standardised Author Tests that I've written for $work.

I do note from the INCENTIVE section:

"The functionality explicitly limits to passive analysis: there is no active scanning of source code to find security vulnerabilities."

Would I be correct in assuming that this would pick up issues with CPAN and HTTP::Tiny, but not a problematic \p{...}?

An affirmative answer would not preclude its use as one of my Standardised Author Tests; I would just want to document this limitation. As an example, another of these types of tests uses Test::MinimumVersion and its limitations are noted.

— Ken

Re^2: Test::CVE Was: THREE new perl releases
by Tux (Canon) on Nov 27, 2023 at 23:16 UTC

    Hah, changing the subject :)

    Test::CVE uses a database with known CPAN vulnerabilities and the versions in which these were fixed. By scanning cpanfile, Makefile.PL and possible other sources, the module looks for required and used modules/releases and possible declared versions. It will report if the declared version is open to CVEs. The advice from the security group would be to either require the version that fixed the CVE(s) or to make that version a recommendation and document that when using the older version, you are on your own.

    As you stated, \p{...} would *not* be picked up by this module.


    Enjoy, Have FUN! H.Merijn
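The passive check Tux describes, reduced to its essentials as an added example; this is not Test::CVE's own code. It parses the common one-line `requires`/`recommends`/`suggests` forms of a cpanfile, looks each module up in a small constructed table of known CVEs with the version that fixed them, and reports dependencies whose declared minimum is below the fix, or that declare no minimum at all. The two CVE ids are the ones mentioned in the thread; the "fixed in" versions and the sample cpanfile are assumptions made for illustration, not authoritative data.

```perl
#!/usr/bin/env perl
# Added example, not Test::CVE's own code: a passive dependency-version check
# of a cpanfile against a small constructed table of known CVEs.
use strict;
use warnings;
use version 0.77;

# Constructed lookup table: module => [ [ CVE id, first fixed version ], ... ]
# The CVE ids come from the thread; the fixed versions are ASSUMED placeholders
# for illustration. Test::CVE itself consults a maintained database instead.
my %known_cves = (
    'CPAN'       => [ [ 'CVE-2023-31484', '2.35'  ] ],
    'HTTP::Tiny' => [ [ 'CVE-2023-31486', '0.083' ] ],
);

# Parse a cpanfile body and return { module => declared minimum or undef }.
# Only the common one-line forms are handled:
#   requires 'Foo::Bar';  requires 'Foo::Bar', '1.23';  requires 'Foo::Bar', '>= 1.23';
sub parse_cpanfile {
    my ($text) = @_;
    my %deps;
    for my $line (split /\n/, $text) {
        next unless $line =~ /^\s*(?:requires|recommends|suggests)\s+['"]([\w:]+)['"](?:\s*,\s*['"]([^'"]*)['"])?\s*;/;
        my ($module, $spec) = ($1, $2);
        my $min;
        # Accept a bare version or a '>= version' lower bound; anything else
        # (ranges, '<', '!=') is treated as "no usable minimum" to stay safe.
        if (defined $spec && $spec =~ /^\s*(?:>=)?\s*(v?[\d._]+)\s*$/) {
            $min = $1;
        }
        $deps{$module} = $min;    # undef => no minimum version pinned
    }
    return \%deps;
}

# Compare each declared minimum against the table and return a list of
# human-readable findings. A module with no declared minimum is reported
# too, because the resolver may then install a vulnerable release.
sub check_deps {
    my ($deps) = @_;
    my @findings;
    for my $module (sort keys %$deps) {
        my $entries = $known_cves{$module} or next;
        for my $entry (@$entries) {
            my ($cve, $fixed) = @$entry;
            my $min = $deps->{$module};
            if (!defined $min) {
                push @findings,
                  "$module: no minimum version declared; $cve is fixed in $fixed";
            }
            elsif (version->parse($min) < version->parse($fixed)) {
                push @findings,
                  "$module: declared minimum $min is below $fixed, open to $cve";
            }
        }
    }
    return @findings;
}

# Constructed sample cpanfile (not from the thread).
my $cpanfile = <<'CPANFILE';
requires 'perl', '5.016';
requires 'HTTP::Tiny', '0.070';
requires 'CPAN';
requires 'JSON::PP', '>= 4.0';
CPANFILE

my @findings = check_deps(parse_cpanfile($cpanfile));
print "$_\n" for @findings;
print "no known-vulnerable dependency versions declared\n" unless @findings;
```

With the sample above, HTTP::Tiny is flagged because 0.070 is below the assumed fix, CPAN is flagged because no minimum is declared, and JSON::PP is silently skipped because it is not in the table. As Tux notes, nothing here looks at the project's own source, so a risky `\p{...}` in a regex would never be reported by a check of this shape; that is exactly the "passive analysis" limitation worth documenting alongside the test.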