oss-sec mailing list archives

CVE Request: Storable::thaw called on cookie data in multiple CPAN modules


From: John Lightsey <john () nixnuts net>
Date: Sun, 12 May 2013 21:38:58 -0500

Hi everyone,

Several CPAN modules follow the same pattern of calling Storable::thaw()
on session data stored client side with no signature verification
mechanisms in place to prevent tampering. Perl's Storable module was
recently documented as being unsafe for use with untrusted inputs:

http://perl5.git.perl.org/perl.git/commit/664f237a84176c09b20b62dbfe64dd736a7ce05e


The vulnerable modules are:

Both App::Session::Cookie and App::Session::HTMLHidden in the
App::Context bundle.
https://rt.cpan.org/Ticket/Display.html?id=85215


HTML::EP::Session::Cookie in the HTML::EP bundle.
https://rt.cpan.org/Ticket/Display.html?id=85216


Spoon::Cookie in the Spoon bundle.
https://rt.cpan.org/Ticket/Display.html?id=85217


Attachment: signature.asc
Description: OpenPGP digital signature
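
The missing control described in the message above, as an added example that is not part of the original post and not code from any of the listed modules: the cookie carries an HMAC-SHA256 tag, and `thaw()` is reached only after that tag verifies. The function names, the `payload.tag` cookie layout and the secret are assumptions made for illustration.

```perl
use strict;
use warnings;
use Storable qw(nfreeze thaw);
use MIME::Base64 qw(encode_base64 decode_base64);
use Digest::SHA qw(hmac_sha256);

# Assumption: a server-side secret that never reaches the client (constructed value).
my $SECRET = 'constructed-demo-key-load-from-server-config';

# Serialize the session and append an HMAC-SHA256 tag over the encoded payload.
sub encode_cookie {
    my ($session) = @_;
    my $payload = encode_base64(nfreeze($session), '');
    my $tag     = encode_base64(hmac_sha256($payload, $SECRET), '');
    return "$payload.$tag";
}

# Compare two strings without stopping at the first differing byte.
sub secure_eq {
    my ($x, $y) = @_;
    return 0 if length($x) != length($y);
    my $diff = 0;
    $diff |= ord(substr($x, $_, 1)) ^ ord(substr($y, $_, 1)) for 0 .. length($x) - 1;
    return $diff == 0;
}

# Returns the session hashref, or undef when the cookie is malformed or the
# tag does not match. thaw() never sees bytes that failed verification.
sub decode_cookie {
    my ($cookie) = @_;
    return unless defined $cookie;
    my ($payload, $tag) = $cookie =~ m{\A([A-Za-z0-9+/=]+)\.([A-Za-z0-9+/=]+)\z}
        or return;
    my $expected = encode_base64(hmac_sha256($payload, $SECRET), '');
    return unless secure_eq($tag, $expected);
    return thaw(decode_base64($payload));
}

# Constructed sample session, round-tripped through the signed cookie.
my $cookie  = encode_cookie({ user => 'alice', role => 'member' });
my $session = decode_cookie($cookie);
print "valid cookie: user=$session->{user}\n";

# Constructed tampering: change the first payload character, keep the old tag.
(my $tampered = $cookie) =~ s/\A(.)/$1 eq 'A' ? 'B' : 'A'/e;
my $result = decode_cookie($tampered);
print "tampered cookie: ", (defined($result) ? "accepted" : "rejected"), "\n";
```

The tag does not make Storable safe for untrusted input; it only ensures that the bytes handed to `thaw()` were produced by a holder of the server-side secret.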

