From: pali [...] cpan.org
Subject: croak: CWE-134: Use of Externally-Controlled Format String
To: perl5-security-report [...] perl.org
Date: Thu, 10 Aug 2017 14:13:45 +0200
Hi!

In perl blead there are at least 3 places where an arbitrary string supplied by the caller can be passed into the Perl_croak function, which expects printf-style arguments. One is in the eval_pv() implementation from cpan/Devel-PPPort/parts/inc/call, the second is in Socket.xs and the third is in the documentation sample for my_eval_sv in perlembed.pod. Probably there are also other places, but I have not looked deeply.

In all three places the printf-style format argument is taken from ERRSV, the $@ variable, which can contain an arbitrary string set by the user or also by a remote system. E.g. when a remote database server throws an error, the DBI driver propagates this error (or part of it) via $@ to the caller. A malicious remote system can then, via a specially crafted error message, cause problems like a buffer overflow or overwriting other parts of process memory.
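As an added illustration (not part of pali's report, nor code from the perl source tree), the call-site pattern the report describes and its fix, written as a small stand-alone C program so it builds without perl.h: `croak_like` stands in for Perl_croak, `report_error_vulnerable` has the shape of the affected call sites, `report_error_fixed` is the corrected form, and `count_format_directives` is an assumed audit helper; the DBD-style error string is constructed for the demonstration.

```c
#include <stdarg.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for Perl_croak: a printf-style function that formats its
 * arguments into a caller-supplied buffer instead of dying. The format
 * attribute lets gcc/clang flag a non-literal format with -Wformat-security. */
#if defined(__GNUC__)
__attribute__((format(printf, 3, 4)))
#endif
static void croak_like(char *out, size_t outlen, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(out, outlen, fmt, ap);
    va_end(ap);
}

/* The pattern the report describes: the text of $@ (ERRSV) is passed as the
 * format string itself, so any '%' directive in it is interpreted. Kept here
 * only as the "before" of the fix; it is never called with untrusted text. */
static void report_error_vulnerable(char *out, size_t outlen, const char *errsv)
{
    croak_like(out, outlen, errsv);          /* -Wformat-security warns here */
}

/* The fix: a literal "%s" format; the error text is passed as data only. */
static void report_error_fixed(char *out, size_t outlen, const char *errsv)
{
    croak_like(out, outlen, "%s", errsv);
}

/* Assumed audit helper for code review or log scanning: count '%' conversion
 * directives in a string. A doubled "%%" is a literal percent, not a
 * directive. Any count > 0 in text that reaches a format argument is a finding. */
int count_format_directives(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {  /* "%%" escapes itself */
            s++;
            continue;
        }
        n++;
    }
    return n;
}

/* Returns 1 when the fixed path reproduces the error text byte for byte,
 * i.e. the message was treated as data and not interpreted as a format. */
int error_text_preserved(const char *errsv)
{
    char buf[256];
    report_error_fixed(buf, sizeof buf, errsv);
    return strcmp(buf, errsv) == 0;
}

int main(void)
{
    /* Constructed sample: the kind of message a remote server could return. */
    const char *hostile = "DBD::mysql::st execute failed: %s%s%s%n at line 3";
    char buf[256];

    report_error_fixed(buf, sizeof buf, hostile);
    printf("fixed: %s\n", buf);
    printf("directives in message: %d\n", count_format_directives(hostile));

    /* The vulnerable variant is exercised only with a benign, directive-free message. */
    report_error_vulnerable(buf, sizeof buf, "connection closed");
    printf("vulnerable (benign input): %s\n", buf);
    return 0;
}
```

Building with `cc -Wall -Wformat -Wformat-security` makes gcc and clang warn on the `croak_like(out, outlen, errsv)` call, which is the cheapest way to find the remaining call sites the report says it did not look for. In XS the same fix is to write `croak("%s", SvPV_nolen(ERRSV))` rather than passing the SV's string as the format.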