[Copying Andreas, Jos, Schwern and the Module::Build list]
Well, I'm not sure that escalating to Securiteam at this point was
necessary given the low overall risk of the threat, but let's set that
aside and find some agreement on closing the hole. Here are my
thoughts on some of the problems/opti
On Mon, Sep 22, 2008 at 3:00 PM, David Golden <[EMAIL PROTECTED]> wrote:
> Problem 1: race condition between unarchiving and execution if
> Makefile.PL or Build.PL is world writable (ditto test files as well)
>
> (a) Have CPAN and CPANPLUS refuse to run 'perl *.PL' if the PL in
> question is world
> On Mon, 22 Sep 2008 16:00:41 -0400, "David Golden" <[EMAIL PROTECTED]>
> said:
> Problem 1: race condition between unarchiving and execution if
> Makefile.PL or Build.PL is world writable (ditto test files as well)
> (a) Have CPAN and CPANPLUS refuse to run 'perl *.PL' if the PL
# from Ken Williams
# on Monday 22 September 2008 13:45:
>> (a) Have CPAN and CPANPLUS refuse to run 'perl *.PL' if the PL in
>> question is world writable.
>
>That wouldn't completely solve the problem, since someone could
>quickly rewrite *.PL and change it to non-writable status. Note that
>a
On Mon, Sep 22, 2008 at 5:23 PM, Eric Wilhelm
<[EMAIL PROTECTED]> wrote:
>
> Would that "tracks-covering chmod" not require *ownership* of the file?
According to the man page for chmod(1), yes, but on Win32 doesn't a
world-writable file mean it's world-replaceable too?
In any case, I was also try
On Mon, Sep 22, 2008 at 6:23 PM, Eric Wilhelm
<[EMAIL PROTECTED]> wrote:
> Yes. Would someone please explain to me how this issue is not already
> made a mostly non-issue by having a proper umask and running CPAN as
> non-root?
Someone in the thread (sorry, forget who and I'm not going to search
> On Mon, 22 Sep 2008 22:37:55 +0200, [EMAIL PROTECTED] (Andreas J. Koenig)
> said:
>> (d) Something else
> I lean toward PAUSE not indexing them thus pulling the plug as early
> as possible.
And so I have implemented it now. If it breaks too much in too short
time, we could probab
On Monday 22 September 2008 15:23:44 Eric Wilhelm wrote:
> Yes. Would someone please explain to me how this issue is not already
> made a mostly non-issue by having a proper umask and running CPAN as
> non-root?
If I were so inclined and had access to your machine, I could do a lot of
damage th
On Sep 23, 2008, at 6:30 AM, Andreas J. Koenig wrote:
On Mon, 22 Sep 2008 22:37:55 +0200, andreas.koenig.
[EMAIL PROTECTED] (Andreas J. Koenig) said:
(d) Something else
I lean toward PAUSE not indexing them thus pulling the plug as early
as possible.
And so I have implemented it now. If
> On Tue, 23 Sep 2008 11:40:09 +0200, "Jos I. Boumans" <[EMAIL PROTECTED]>
> said:
>> And so I have implemented it now. If it breaks too much in too short
>> time, we could probably revert it, but first I'd like to see how bad
>> we really do.
> I agree to this (first) solution; thi
2008/9/30 Andreas J. Koenig <[EMAIL PROTECTED]>:
>> On Tue, 23 Sep 2008 11:40:09 +0200, "Jos I. Boumans" <[EMAIL PROTECTED]>
>> said:
>
> >> And so I have implemented it now. If it breaks too much in too short
> >> time, we could probably revert it, but first I'd like to see how bad
> >
11 matches
Mail list logo
