PerlMonks  

Re: Possible security problem in CPAN modules / CVE-2018-25032

by larryl (Monk)
on Apr 01, 2022 at 15:29 UTC [id://11142608]


in reply to Possible security problem in CPAN modules / CVE-2018-25032

Hi Rene -

Re.:

I have done a casual grep through my local CPAN mirror (yay for local mirrors!), which has given me a list of potentially vulnerable modules.

Could you share what patterns you were grepping for?

Thanks! Larry


Re^2: Possible security problem in CPAN modules / CVE-2018-25032
by cavac (Parson) on Apr 03, 2022 at 08:58 UTC

    Basically, I grepped for zlib.c and deflate.c (and I think libz.c as well). As I said, my check was very simplistic. It didn't start as "which packages have a problem", but more along the lines of "let's estimate the size of the problem".

    I was limited in the time I could spend on this. As best I could, I tried compiling a list of maintainers' email addresses and sent them a mail, then posted this thread on PM. After that, I had to go back to my regularly scheduled slavery.

    perl -e 'use Crypt::Digest::SHA256 qw[sha256_hex]; print substr(sha256_hex("the Answer To Life, The Universe And Everything"), 6, 2), "\n";'
Re^2: Possible security problem in CPAN modules / CVE-2018-25032
by JedClampett (Acolyte) on Apr 06, 2022 at 16:05 UTC

    I believe this is all of them, though maybe the string I looked for needs tweaking.

    https://grep.metacpan.org/search?q=exclude+worst+case+performance+for+pathological+files&qd=&qft=&qls=on

    You can also look for the files if you check out the repo grep.metacpan.org uses, at which point you get:

    $>git ls-files |egrep '(in|de)flate\.c'
    A/Alien-FreeImage/src/Source/ZLib/deflate.c
    A/Alien-FreeImage/src/Source/ZLib/inflate.c
    A/Archive-Unzip-Burst/unzip-6.0/inflate.c
    B/BackupPC-XS/zlib/deflate.c
    B/BackupPC-XS/zlib/inflate.c
    B/Business-KontoCheck/zlib/deflate.c
    B/Business-KontoCheck/zlib/inflate.c
    C/Compress-Raw-Zlib/zlib-src/deflate.c
    C/Compress-Raw-Zlib/zlib-src/inflate.c
    C/Compress-Zopfli/zopflib/src/zopfli/deflate.c
    F/Filter-gunzip/devel/exe-zlib-inflate.c
    G/Git-Raw/deps/libgit2/deps/zlib/deflate.c
    G/Git-Raw/deps/libgit2/deps/zlib/inflate.c
    G/Git-XS/xs/libgit2/deps/zlib/deflate.c
    G/Git-XS/xs/libgit2/deps/zlib/inflate.c
    I/Image-PNG-Simple/zlib-1.2.8/deflate.c
    I/Image-PNG-Simple/zlib-1.2.8/inflate.c
    L/LibZip/myldr/zlib-src/deflate.c
    L/LibZip/myldr/zlib-src/inflate.c
    P/PDL-IO-Matlab/matio-1.5.0/src/inflate.c
    P/Protocol-WebSocket-Fast/clib/tests/deflate/deflate.cc
    T/Tk/PNG/zlib/deflate.c
    T/Tk/PNG/zlib/inflate.c
    W/Win32-File-Summary/deflate.c
    W/Win32-File-Summary/inflate.c
    c/cppAdaptive1/src/dlib/external/zlib/deflate.c
    c/cppAdaptive1/src/dlib/external/zlib/inflate.c
    c/cppAdaptive2/src/dlib/external/zlib/deflate.c
    c/cppAdaptive2/src/dlib/external/zlib/inflate.c
    p/perl/cpan/Compress-Raw-Zlib/zlib-src/deflate.c
    p/perl/cpan/Compress-Raw-Zlib/zlib-src/inflate.c
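Both greps above answer "which dists bundle a copy of zlib?" but not "which of those copies are old enough to matter?". The following is an added example, not code from any poster in this thread: it walks a checked-out mirror (the tree root path is an assumption, pass it as the first argument), finds every deflate.c the way the egrep above does, and then reads ZLIB_VERSION from the zlib.h next to it, flagging anything older than 1.2.12, the release that fixed CVE-2018-25032. It assumes the stock zlib layout (zlib.h beside deflate.c); a deflate.c with no header next to it (zopfli, for instance) is reported for manual inspection rather than guessed at.

```sh
#!/bin/sh
# Added example for this thread: inventory bundled zlib copies under a CPAN
# mirror checkout and flag those older than the CVE-2018-25032 fix release.
# Usage: sh zlib-inventory.sh /path/to/cpan/checkout
FIXED_VERSION="1.2.12"   # zlib release that fixes CVE-2018-25032

# zlib_version FILE: print the ZLIB_VERSION string from a zlib.h, or nothing
zlib_version() {
    sed -n 's/^#define[[:space:]]*ZLIB_VERSION[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# version_lt A B: succeed (exit 0) when dotted version A is lower than B.
# Non-numeric suffixes such as "1.2.11.1-motley" are compared by leading digits.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".");
        n = (na > nb) ? na : nb;
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0;
            yi = (i <= nb) ? y[i] + 0 : 0;
            if (xi < yi) exit 0;
            if (xi > yi) exit 1;
        }
        exit 1
    }'
}

# scan_zlib ROOT: one line per deflate.c found: "<path> <version> <status>"
scan_zlib() {
    find "$1" -type f -name 'deflate.c' | sort | while read -r src; do
        hdr="$(dirname "$src")/zlib.h"
        if [ ! -f "$hdr" ]; then
            # not the stock zlib layout (e.g. zopfli's deflate.c); look by hand
            echo "$src unknown CHECK-MANUALLY"
            continue
        fi
        v=$(zlib_version "$hdr")
        if [ -z "$v" ]; then
            echo "$src unknown CHECK-MANUALLY"
        elif version_lt "$v" "$FIXED_VERSION"; then
            echo "$src $v VULNERABLE"
        else
            echo "$src $v OK"
        fi
    done
}

if [ "$#" -gt 0 ]; then
    scan_zlib "$1"
fi
```

The version string is only a first filter: a dist may have backported the fix without bumping ZLIB_VERSION, or may ship a deflate.c that is never compiled (the Filter-gunzip devel/ file above is one to check), so "VULNERABLE" here means "old zlib source present", not "exploitable as shipped".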
