lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Wed, 19 May 2004 10:00:15 +0100 From: David Cantrell <david@...trell.org.uk> To: bugtraq@...urityfocus.com Cc: support@...ivestate.com Subject: Re: Buffer Overflow in ActivePerl ? [CCed to activestate in case they were unaware of the discussion on bugtraq - activestate people, see the archives] On Tue, May 18, 2004 at 03:23:16PM -0700, Drew Copley wrote: > The beauty of holes in perl itself is the possibility that > it could affect a widerange of perl scripts out there sleeping on > people's webservers, though. This isn't really a hole in perl itself, but in the particular build of perl compiled and shipped by one particular vendor. I can not replicate this on OpenBSD, Debian Linux, or Solaris. Nor can I replicate it using the version of perl supplied with Cygwin. I'd be interested to hear if a similar bug exists in Activestate's build of perl for Linux and Solaris, which I didn't try. In any case, if an attacker can inject his choice of data into a system() function, then all bets are off so this is not something that the users should worry too much about. -- David Cantrell | Benevolent Dictator | http://www.cantrell.org.uk/david <davorg> clowns are scary <gbjk> I concur. It's their motivation that worries me. -- in #london.pm
Powered by blists - more mailing lists