On Mon, Jan 26, 2015 at 09:25:33AM +0200, Niko Tyni wrote:
> On Sun, Jan 25, 2015 at 11:00:27PM -0500, Michael Gilbert wrote:
> > package: src:perl
> > severity: normal
> > tags: security
> >
> > Hi,
> >
> > There was a CVE assigned to this issue a while ago with strangely
> > enough no real details. The only non-boilerplate information about it
> > is at osvdb, but they don't provide any details that could be used to
> > fix the issue:
> > http://osvdb.org/show/osvdb/106565
>
> By that description this seems to be a dup of #588017
> ("current directory in @INC potentially harmful")?

Apparently not, but rather the fact that perl -e 'require ::foo'
will try to load /foo.pm .

Florian Weimer has just asked for CVE-2012-3878 to be rejected
as upstream decided it's not a vulnerability.

http://www.openwall.com/lists/oss-security/2015/01/26/3
http://www.nntp.perl.org/group/perl.perl5.porters/2012/07/msg189909.html

--
Niko Tyni nt...@debian.org