oss-sec mailing list archives
Re: CVE Request: Storable::thaw called on cookie data in multiple CPAN modules
From: Kurt Seifried <kseifried () redhat com>
Date: Tue, 14 May 2013 01:06:09 -0600
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 05/12/2013 08:38 PM, John Lightsey wrote:
Hi everyone, Several CPAN modules follow the same pattern of calling Storable::thaw() on session data stored client side with no signature verification mechanisms in place to prevent tampering. Perl's Storable module was recently documented as being unsafe for use with untrusted inputs: http://perl5.git.perl.org/perl.git/commit/664f237a84176c09b20b62dbfe64dd736a7ce05e The vulnerable modules are: Both App::Session::Cookie and App::Session::HTMLHidden in the App::Context bundle. https://rt.cpan.org/Ticket/Display.html?id=85215
Please use CVE-2012-6141 for this issue
HTML::EP::Session::Cookie in the HTML::EP bundle. https://rt.cpan.org/Ticket/Display.html?id=85216
Please use CVE-2012-6142 for this issue
Spoon::Cookie in the Spoon bundle. https://rt.cpan.org/Ticket/Display.html?id=85217
Please use CVE-2012-6143 for this issue - -- Kurt Seifried Red Hat Security Response Team (SRT) PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.13 (GNU/Linux) iQIcBAEBAgAGBQJRkeJhAAoJEBYNRVNeJnmT60oQAJC41gsGkHU1SkjCkdNYkgcH av4WLfibJX+c2otdNJP7V88mytskcWw61SDMtS1EfS/EmZyGiZk+e0lDeg9x3yF/ W9h8Bx5WElKSEb5aAus/m3Wddk41vNEAITwPv8DH3kNKZbOhHOthEVYio8PLO3bd KNW1hsQ+Pt5F7/GqNDKDEt3EyXkHIWGy9HjKPJddkFz+OwOgvWC1Ud6Wr0lSNBIM cGyMOrJjbnj/MAQG5RLXggGAinRUpYObzVdw7M7dx1J33dGVxjsNOpNdhGdzVa8B VWxXdoCatDf9WJzJ6Vgezs5CDIZpInA4ulclQhxFgQXOCDQwk0KRuV4rEG41EDsb VTiCCN86dWC5mgM5NKGC/xElZNl9R1qRIm5wCJ+HKo9Pe+vI8Og1X8lfXXLzGldL R+fkQ1m9fV49Ew4puTmngOx/4w249f99DGgrzDEUwt6V/QE7jAu5PtW/eBvOY7rU S4D9r27L9yJPGM+IXbkUGmyG9BFmWJvZ0OF5I8Bp8DbV+rJ2mlotNL0mSwhKAr/l Z5SKnNPBbwT8SDokvqyf33KUl92ngThGLUCF9ZZP5LPPr8n7mi2d+ksGDgELBEy9 g2LM//sXKXIjvahKUBsz4KKDQCM0xwHLe6A6wYSu3cbBl5HjpmyA5hHRrgZfcjSH u0VVTwb16RR3fQk6Ys0Y =MBVM -----END PGP SIGNATURE-----
Current thread:
- CVE Request: Storable::thaw called on cookie data in multiple CPAN modules John Lightsey (May 12)
- Re: CVE Request: Storable::thaw called on cookie data in multiple CPAN modules Kurt Seifried (May 14)