--- On Mon, 22/9/08, Shlomi Fish <[EMAIL PROTECTED]> wrote:

> http://rt.cpan.org/Ticket/Display.html?id=39516
> 
> Please don't keep it more public than it is already
> until there's a good fix.

Why not?  I am completely at a loss here.

You have not addressed the fundamental issue.  If a malicious user has access 
to your box, how is this *remotely* an attractive target?  Seriously, I want to 
understand this because clearly my admittedly poor knowledge of security is 
even poorer than I thought.

Could you please explain how someone would really attack this?  I understand 
your 'rm -fr $HOME' example, but you've not shown how someone could even come 
close to taking advantage of that race condition.

First, you have to consider systems on which:

* Perl is actively used
* People using Perl use CPAN or CPANPLUS instead of installing directly.
* Why a malicious attacker is willing to wait around for that infrequent usage
* How they could conceivably exploit it

Don't get me wrong.  I acknowledge the race condition here, but we're talking 
about an IDIOT attacker going after something so ridiculously difficult to 
exploit in lieu of an incredibly target-rich field since you assume they have 
access to the box.

Again, I know little about this issue, so your addressing those points would be 
helpful.  Remember, in security, the most important things to address are those 
with a low cost to benefit ratio and I'm just not seeing that here.

Cheers,
Ovid
--
Buy the book         - http://www.oreilly.com/catalog/perlhks/
Tech blog            - http://use.perl.org/~Ovid/journal/
Twitter              - http://twitter.com/OvidPerl
Official Perl 6 Wiki - http://www.perlfoundation.org/perl6

Reply via email to