On 2025-05-22 19:11, Vincent Lefevre wrote:
> Hi,
>
> In February, I reported the following bug in perl:
>
> https://github.com/Perl/perl5/issues/23010
>
> The issue is that under some conditions, perl temporarily changes
> the current working directory at a thread creation, which affects
> the other threads as a consequence: file accesses related to the
> current working directory may actually be done related to another
> directory.
>
> Perl 5.40 and various earlier versions are affected; the bug was
> introduced in 2010.
>
> In the corresponding Debian bug
>
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1098226
>
> the perl maintainer thinks that this is not regarded as a serious
> security issue by upstream.
>
> The following test shows that arbitrary code execution is a possible
> consequence.

[..]

Thank you for the report. CVE-2025-40909 has been assigned, and the Perl
security team is looking into the issue.

Best regards,
-- 
Stig Palmquist
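
Added example, not part of the original thread and not Perl's own code: a Python sketch of the mechanism described in the quoted report. The working directory is process-wide, so a temporary chdir in one thread redirects a relative-path open in another, while an open anchored to a directory descriptor is unaffected. The directory and file names are constructed, and POSIX `dir_fd` support is assumed.

```python
import os
import tempfile
import threading


def demo():
    """Return what a second thread reads while the cwd is temporarily changed."""
    saved = os.getcwd()
    result = {}
    with tempfile.TemporaryDirectory() as root:
        # Constructed layout: the same file name with different content.
        work, other = os.path.join(root, "work"), os.path.join(root, "other")
        for d, text in ((work, "expected"), (other, "unexpected")):
            os.mkdir(d)
            with open(os.path.join(d, "config.txt"), "w") as f:
                f.write(text)

        os.chdir(work)
        work_fd = os.open(work, os.O_RDONLY | os.O_DIRECTORY)  # pinned directory
        moved = threading.Event()

        def reader():
            moved.wait()  # proceed only while the cwd points elsewhere
            with open("config.txt") as f:  # resolved against the shared cwd
                result["cwd_relative"] = f.read()
            fd = os.open("config.txt", os.O_RDONLY, dir_fd=work_fd)
            with os.fdopen(fd) as f:  # resolved against work_fd, not the cwd
                result["dirfd_relative"] = f.read()

        t = threading.Thread(target=reader, daemon=True)
        t.start()
        try:
            os.chdir(other)  # stands in for the temporary chdir in the report
            moved.set()
            t.join()
        finally:
            os.chdir(saved)
            os.close(work_fd)
    return result


if __name__ == "__main__":
    print(demo())
```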