Ansgar Burchardt
2011-Oct-02 21:44 UTC
[Secure-testing-team] Bug#644108: unsafe use of eval in Digest->new()
Package: perl
Version: 5.10.0-19
Severity: grave
Tags: security upstream

Hi,

the last upstream release of libdigest-perl (1.17) contains a fix for an unsafe use of eval: the argument to Digest->new($algo) was not checked properly allowing code injection (in case the value can be changed by the attacker).

This also affects perl as the module is included in perl-base.

I have attached the update for libdigest-perl I prepared for squeeze which only contains the relevant fix.

Regards,
Ansgar

-------------- next part --------------
A non-text attachment was scrubbed...
Name: libdigest-perl_squeeze.diff
Type: text/x-diff
Size: 1424 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/secure-testing-team/attachments/20111002/7a3a15f1/attachment.diff>
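
A caller-side mitigation for the issue reported above, as an added example (not taken from the attached patch or from libdigest-perl itself): algorithm names from untrusted input are matched against an allowlist before they reach Digest->new(), and a module is loaded by file path rather than by string eval. The allowlist contents and the helper names safe_digest and load_class are assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical allowlist: the only algorithm names this application accepts.
my %ALLOWED = map { $_ => 1 } qw(MD5 SHA-1 SHA-256 SHA-512);

# Return a Digest object only when the name matches an allowlist entry exactly,
# so attacker-influenced text is never interpolated into code by the library.
sub safe_digest {
    my ($algo) = @_;
    die "no algorithm given\n"    unless defined $algo;
    die "algorithm not allowed\n" unless $ALLOWED{$algo};
    require Digest;
    return Digest->new($algo);
}

# Load a module named at run time without string eval. The name is checked
# against a strict pattern, converted to a file path, and handed to the
# file-path form of require, which compiles the file and not the name.
sub load_class {
    my ($class) = @_;
    $class =~ /\A[A-Za-z_]\w*(?:::\w+)*\z/
        or die "invalid module name\n";
    (my $file = "$class.pm") =~ s{::}{/}g;
    require $file;
    return $class;
}

# Constructed sample inputs: two valid names and two that must be rejected.
for my $input ('SHA-256', 'MD5', 'MD5; print "injected"', 'Digest::MD5()') {
    my $d = eval { safe_digest($input) };
    (my $err = $@) =~ s/\n\z//;
    printf "%-24s %s\n", $input,
        $d ? 'accepted: ' . ref($d) : "rejected: $err";
}

print load_class('Digest::MD5'), " loaded by path\n";
print eval { load_class('Digest::MD5; 1') } ? "loaded\n" : "rejected: $@";
```

Validation in the caller is defence in depth; systems still running a Digest release older than 1.17 need the library update described in the report.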