Re: Bug#657853: Building perl with hardened build flags

[Dominic Hargreaves <dom@earth.li>]

On Sun, Feb 12, 2012 at 09:27:24PM +0100, Moritz Mühlenhoff wrote:
> If the missing format string is variable and controlled externally (e.g. 
> if read from a file or from network communication), please file it 
> with RC severity and the security tag. (If it's a popular Perl module, 
> please contact  team@security.debian.org, so that we can coordinate with 
> other distros.)
> 
> Otherwise it's rather "normal" severity.

I didn't feel qualified to make judgements about the exploitablity,
but I thought it would be worth an initial filing in any case (I made
this clear in the text of my reports). You can see them at

<http://bugs.debian.org/cgi-bin/pkgreport.cgi?tag=hardening;users=debian-qa@lists.debian.org>

Cheers,
Dominic.

-- 
Dominic Hargreaves | http://www.larted.org.uk/~dom/
PGP key 5178E2A5 from the.earth.li (keyserver,web,email)