[Secure-testing-team] Bug#644108: unsafe use of eval in Digest->new()

Ansgar Burchardt ansgar at debian.org
Sun Oct 2 21:44:39 UTC 2011


Package: perl
Version: 5.10.0-19
Severity: grave
Tags: security upstream

Hi,

the last upstream release of libdigest-perl (1.17) contains a fix for an
unsafe use of eval: the argument to Digest->new($algo) was not checked
properly, allowing code injection (in case the value can be changed by
the attacker).

This also affects perl as the module is included in perl-base.

I have attached the update for libdigest-perl I prepared for squeeze
which only contains the relevant fix.

Regards,
Ansgar
-------------- next part --------------
A non-text attachment was scrubbed...
Name: libdigest-perl_squeeze.diff
Type: text/x-diff
Size: 1424 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/secure-testing-team/attachments/20111002/7a3a15f1/attachment.diff>
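
The class of bug described in the message above, as an added example. It is not the attached patch and not code from Digest.pm. The function names, the Digest::<algo> class naming and the sample inputs are assumptions made for illustration; it contrasts string eval of a caller-supplied module name with an allow-listed name loaded through require on a file path.

```perl
#!/usr/bin/perl
# Added illustration, not the Digest.pm source. Both function names and the
# "Digest::<algo>" mapping are assumptions made for this example.
use strict;
use warnings;

# Unsafe pattern (shown for contrast, never called here): the caller's
# string is spliced into Perl source, so the whole string gets compiled.
sub load_digest_class_unsafe {
    my ($algo) = @_;
    my $class = "Digest::$algo";
    eval "require $class" or die $@;
    return $class;
}

# Hardened pattern: allow-list the name, then give require a file name.
# Block eval only traps errors; it never compiles its argument as code.
sub load_digest_class {
    my ($algo) = @_;
    die "no algorithm given\n" unless defined $algo && length $algo;
    # Identifier segments joined by '::' only. \z (not $) so that a
    # trailing newline is rejected as well.
    die "invalid algorithm name\n"
        unless $algo =~ /\A[A-Za-z_][A-Za-z0-9_]*(?:::[A-Za-z0-9_]+)*\z/;
    my $class = "Digest::$algo";
    (my $file = "$class.pm") =~ s{::}{/}g;
    eval { require $file; 1 } or die "cannot load $class\n";
    return $class;
}

# Constructed inputs: two core module names and four malformed values.
my @samples = ('MD5', 'SHA', 'MD5; print qq{x}', "MD5\n", '../MD5', '');
for my $algo (@samples) {
    (my $shown = $algo) =~ s/\n/\\n/g;      # make the newline visible
    my $class = eval { load_digest_class($algo) };
    my $result = $class;
    if (!defined $result) {
        chomp(my $err = $@);
        $result = "rejected ($err)";
    }
    printf "%-20s => %s\n", "'$shown'", $result;
}
```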

