Bugtraq mailing list archives

Re: Buffer Overflow in ActivePerl ?

From: David Cantrell <david () cantrell org uk>
Date: Wed, 19 May 2004 10:00:15 +0100

[CCed to activestate in case they were unaware of the discussion on
bugtraq - activestate people, see the archives]

On Tue, May 18, 2004 at 03:23:16PM -0700, Drew Copley wrote:

The beauty of holes in perl itself is the possibility that
it could affect a widerange of perl scripts out there sleeping on
people's webservers, though.


This isn't really a hole in perl itself, but in the particular build of
perl compiled and shipped by one particular vendor.  I can not replicate
this on OpenBSD, Debian Linux, or Solaris.  Nor can I replicate it using
the version of perl supplied with Cygwin.

I'd be interested to hear if a similar bug exists in Activestate's build
of perl for Linux and Solaris, which I didn't try.

In any case, if an attacker can inject his choice of data into a
system() function, then all bets are off so this is not something that
the users should worry too much about.

-- 
David Cantrell | Benevolent Dictator | http://www.cantrell.org.uk/david

<davorg> clowns are scary
<gbjk>   I concur. It's their motivation that worries me.
    -- in #london.pm

Current thread:

Buffer Overflow in ActivePerl ? Oliver () greyhat de (May 17)
- Re: Buffer Overflow in ActivePerl ? rich . sf (May 18)
  - RE: [Full-Disclosure] Re: Buffer Overflow in ActivePerl ? Bill Royds (May 18)
  - Re: Buffer Overflow in ActivePerl ? Josh Tolley (May 18)
- Re: Buffer Overflow in ActivePerl? Axel Beckert (May 18)
- Re: Buffer Overflow in ActivePerl ? Nick FitzGerald (May 18)
- <Possible follow-ups>
- Re: Buffer Overflow in ActivePerl ? noderat (May 18)
- RE: Buffer Overflow in ActivePerl ? Drew Copley (May 18)
  - Re: Buffer Overflow in ActivePerl ? David Cantrell (May 19)
    - Re: Buffer Overflow in ActivePerl ? David Ahmad (May 19)