oss-sec mailing list archives

Re: CVE Request: Storable::thaw called on cookie data in multiple CPAN modules

From: Kurt Seifried <kseifried () redhat com>
Date: Tue, 14 May 2013 01:06:09 -0600

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 05/12/2013 08:38 PM, John Lightsey wrote:

Hi everyone,

Several CPAN modules follow the same pattern of calling
Storable::thaw() on session data stored client side with no
signature verification mechanisms in place to prevent tampering.
Perl's Storable module was recently documented as being unsafe for
use with untrusted inputs:

http://perl5.git.perl.org/perl.git/commit/664f237a84176c09b20b62dbfe64dd736a7ce05e



The vulnerable modules are:

Both App::Session::Cookie and App::Session::HTMLHidden in the 
App::Context bundle. 
https://rt.cpan.org/Ticket/Display.html?id=85215


Please use CVE-2012-6141 for this issue

HTML::EP::Session::Cookie in the HTML::EP bundle. 
https://rt.cpan.org/Ticket/Display.html?id=85216



Please use CVE-2012-6142  for this issue

Spoon::Cookie in the Spoon bundle. 
https://rt.cpan.org/Ticket/Display.html?id=85217


Please use CVE-2012-6143 for this issue


- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (GNU/Linux)

iQIcBAEBAgAGBQJRkeJhAAoJEBYNRVNeJnmT60oQAJC41gsGkHU1SkjCkdNYkgcH
av4WLfibJX+c2otdNJP7V88mytskcWw61SDMtS1EfS/EmZyGiZk+e0lDeg9x3yF/
W9h8Bx5WElKSEb5aAus/m3Wddk41vNEAITwPv8DH3kNKZbOhHOthEVYio8PLO3bd
KNW1hsQ+Pt5F7/GqNDKDEt3EyXkHIWGy9HjKPJddkFz+OwOgvWC1Ud6Wr0lSNBIM
cGyMOrJjbnj/MAQG5RLXggGAinRUpYObzVdw7M7dx1J33dGVxjsNOpNdhGdzVa8B
VWxXdoCatDf9WJzJ6Vgezs5CDIZpInA4ulclQhxFgQXOCDQwk0KRuV4rEG41EDsb
VTiCCN86dWC5mgM5NKGC/xElZNl9R1qRIm5wCJ+HKo9Pe+vI8Og1X8lfXXLzGldL
R+fkQ1m9fV49Ew4puTmngOx/4w249f99DGgrzDEUwt6V/QE7jAu5PtW/eBvOY7rU
S4D9r27L9yJPGM+IXbkUGmyG9BFmWJvZ0OF5I8Bp8DbV+rJ2mlotNL0mSwhKAr/l
Z5SKnNPBbwT8SDokvqyf33KUl92ngThGLUCF9ZZP5LPPr8n7mi2d+ksGDgELBEy9
g2LM//sXKXIjvahKUBsz4KKDQCM0xwHLe6A6wYSu3cbBl5HjpmyA5hHRrgZfcjSH
u0VVTwb16RR3fQk6Ys0Y
=MBVM
-----END PGP SIGNATURE-----

Current thread:

CVE Request: Storable::thaw called on cookie data in multiple CPAN modules John Lightsey (May 12)
- Re: CVE Request: Storable::thaw called on cookie data in multiple CPAN modules Kurt Seifried (May 14)