|
A new version of Safe (2.08) for
Perl 5.8.0 has been uploaded to the CPAN with a fix. If you're running Perl
5.8.0, replace your Safe.pm file with the one provided in the CPAN
distribution.
If you're running perl version 5.005_03 through 5.6.x, (and possibly older ones, but my time machine doesn't go that far), you can fix the bug by applying two minor changes
to the Safe.pm file:
--- Safe.pm.orig
+++ Safe.pm
@@ -213,7 +213,7 @@
# Create anon sub ref in root of compartment.
# Uses a closure (on $expr) to pass in the code to be executed.
# (eval on one line to keep line numbers as expected by caller)
- my $evalcode = sprintf('package %s; sub { eval $expr; }', $root);
+ my $evalcode = sprintf('package %s; sub { @_ = (); eval $expr; }', $root);
my $evalsub;
if ($strict) { use strict; $evalsub = eval $evalcode; }
@@ -227,7 +227,7 @@
my $root = $obj->{Root};
my $evalsub = eval
- sprintf('package %s; sub { do $file }', $root);
+ sprintf('package %s; sub { @_ = (); do $file }', $root);
return Opcode::_safe_call_sv($root, $obj->{Mask}, $evalsub);
}
Those little installation annoyances should be resolved in an upcoming Safe-2.09.
This exploit has been discovered by Andreas Jurenda, who also suggested
the fix. More info about it can be found here.
|
