Re: Potentially insecure Perl scripts

To: Ian Jackson <ijackson@chiark.greenend.org.uk>
Cc: perl@packages.debian.org, security@debian.org, debian-devel@lists.debian.org, Guillem Jover <guillem@debian.org>
Subject: Re: Potentially insecure Perl scripts
From: Mark Fowler <mark@twoshortplanks.com>
Date: Thu, 24 Jan 2019 14:49:29 -0500
Message-id: <[🔎] CAJ=1D2-yS_Bmib7ccmYeHmsRJiO4MxkNHU3CMA8Ok9Ke5Ay_Sw@mail.gmail.com>
In-reply-to: <[🔎] 23625.55120.700245.2863@chiark.greenend.org.uk>
References: <[🔎] 20190123130554.GA23813@cventin.lip.ens-lyon.fr> <[🔎] 20190124135558.GA6524@thunder.hadrons.org> <[🔎] 23625.54560.431642.679629@chiark.greenend.org.uk> <[🔎] 23625.55120.700245.2863@chiark.greenend.org.uk>

On Thu, Jan 24, 2019 at 10:18 AM Ian Jackson <ijackson@chiark.greenend.org.uk> wrote:

To the Debian Perl maintainers: if I make a patch to make
-p -n <>
use the 3-argument form of open (or equivalent), will you apply it ?

To the Debian security team: would you ship it in a security update ?

Wouldn't a less drastic approach be to change the vulnerable scripts to use <<>> instead of <>?

Mark.

Reply to:

Follow-Ups:
- Re: Potentially insecure Perl scripts
  - From: Colin Watson <cjwatson@debian.org>
- Re: Potentially insecure Perl scripts
  - From: Ian Jackson <ijackson@chiark.greenend.org.uk>

References:
- Potentially insecure Perl scripts
  - From: Vincent Lefevre <vincent@vinc17.net>
- Re: Potentially insecure Perl scripts
  - From: Guillem Jover <guillem@debian.org>
- Re: Potentially insecure Perl scripts
  - From: Ian Jackson <ijackson@chiark.greenend.org.uk>
- Re: Potentially insecure Perl scripts
  - From: Ian Jackson <ijackson@chiark.greenend.org.uk>

Prev by Date: Bug#920362: ITP: morsmall -- OCaml libraries for abstract syntax of shell scripts
Next by Date: Re: Potentially insecure Perl scripts
Previous by thread: Re: Potentially insecure Perl scripts
Next by thread: Re: Potentially insecure Perl scripts
Index(es):
- Date
- Thread