Package: perl
Version: 5.10.1-13
Severity: grave
Tags: security

Hi,

perl includes the current directory as the last element in @INC when not running in taint mode (-T). As many modules try to load other modules that may or may not be installed, this can result in code execution.

Example: libtext-csv-perl is installed, libtext-csv-xs-perl is not installed. When running "perl -mText::CSV" (or running any program using Text::CSV) the file ./Text/CSV_XS.pm is loaded and the contained code executed.

Other examples include libjson-perl recommending libjson-xs-perl and libyaml-perl recommending libyaml-syck-perl.

Regards,
Ansgar
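
The following Perl script is an added example, not part of the original report: it lists the relative entries in @INC and shows which directory would satisfy the lookup for each optional module. Text::CSV_XS comes from the report; JSON::XS and YAML::Syck are assumed module names for the other packages it mentions.

```perl
#!/usr/bin/perl
# Added example: audit @INC for relative entries and report where
# optional modules resolve from. Not code from the bug report.
use strict;
use warnings;
use File::Spec;

# Optional back-ends to check. Text::CSV_XS is named in the report; the
# other two are assumed module names for the packages it mentions.
my @optional = @ARGV ? @ARGV : qw(Text::CSV_XS JSON::XS YAML::Syck);

# True when an @INC entry depends on the current working directory.
sub is_relative { return !File::Spec->file_name_is_absolute($_[0]) }

# Return the first @INC directory holding the module file, in the same
# order require() searches (code-ref hooks in @INC are skipped).
sub resolve {
    my ($module, @inc) = @_;
    (my $rel = "$module.pm") =~ s{::}{/}g;
    for my $dir (grep { !ref($_) } @inc) {
        my $path = "$dir/$rel";
        return ($dir, $path) if -f $path;
    }
    return;
}

my @relative = grep { !ref($_) && is_relative($_) } @INC;
print "relative \@INC entries: ",
    (@relative ? join(' ', @relative) : '(none)'), "\n";

for my $module (@optional) {
    my ($dir, $path) = resolve($module, @INC);
    if (!defined $dir) {
        # Not found anywhere: with a relative entry present, the lookup
        # outcome depends on the directory the program is started in.
        print "$module: not installed",
            (@relative ? "; lookup also consults: @relative" : ''), "\n";
    }
    elsif (is_relative($dir)) {
        print "$module: WARNING resolved from relative directory: $path\n";
    }
    else {
        print "$module: $path\n";
    }
}
```

A program that cannot run under -T can drop the entry itself with `BEGIN { pop @INC if $INC[-1] eq '.' }` before it loads any modules.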