I'm very concerned about this.
Don't. It isn't that the world is falling apart.
Red flags popped up in my mind when I saw the original syslog() vulnerability. Even with a quick patch to Perl_sv_vcatpvfn and more pertinent security checking, this could hound Perl and seriously damage Perl's security reputation.
Oh, come on. syslog isn't more damaging to your system than rm is. What you should be careful about is passing user input as the second argument to syslog (and then only if you're running under a different ID than the user, or if the user is from the outside). Now, this is possible, but not something that ought to be common.
Care should be taken, yes. But it's not a disaster.
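The caution in the reply above about the second argument to syslog, shown as an added example that is not code from the thread. It relies on the documented behaviour that Sys::Syslog formats its message as if by sprintf; `render`, `log_untrusted`, the `demo` ident and the sample string are hypothetical names and constructed data.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Sys::Syslog qw(openlog syslog closelog);

# Constructed sample: text from an untrusted user that happens to
# contain printf-style directives.
my $user_input = 'login failed, 100%s sure, code %d';

# Hypothetical helper: formats the way syslog() does (via sprintf), so
# the effect can be inspected without writing to the system log.
sub render {
    my ($format, @args) = @_;
    no warnings;    # the risky form warns about missing arguments
    return sprintf($format, @args);
}

# Risky: the user's text is the format string, so its directives are
# interpreted instead of being logged verbatim.
my $risky = render($user_input);

# Safe: the format is a constant and the user's text is only data.
my $safe = render('%s', $user_input);

print "as format: $risky\n";
print "as data:   $safe\n";

# Hypothetical wrapper: callers cannot supply a format at all.
sub log_untrusted {
    my ($priority, $text) = @_;
    syslog($priority, '%s', $text);
}

# Real logging call, guarded so the script still finishes on a machine
# with no syslog daemon available.
eval {
    openlog('demo', 'pid', 'user');
    log_untrusted('info', $user_input);
    closelog();
    1;
} or warn "syslog unavailable: $@";
```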