Storable security problems and overlarge data

Some people might be aware that we (not p5p) fixed Storable already for the most egregious security problems with Storable, with public CVE, explanation and metasploit module, but those bugs are still in Storable as on CPAN and in the latest perl5.24.

Now a new problem arose on the horizon, that p5p dares to fix another bug, the inability to store overlarge strings. Which would be okay if they would have taken our fixes, which fixes the security problem and all overlarge data >I32, which are arrays and hashes also. But they didn't, so I have to complain again. People apparently don't like me to complain about p5p mistakes, but you should be concerned what p5p is doing.

See perl #127743 for the wrong fix, adding 2 new ops, where only one is needed, and this fix only fixes a third of the overlarge problem, and not the security problems. There's no need for them to deviate from the API with a worse fix.

And compare that to the real fixes at cperl, which I sent to Tony some time ago, but apparently with no effect. So they are playing dumb again.

Note that this is now a security problem they are avoiding to fix.

cperl #120

cperl #121

Note that I cannot fix that for you on CPAN, as Storable is maintained by p5p. It's only fixed for us. A fair warning.

And for the ones who are wondering: I'm not able to even post the fixes to the proper ticket and list, as they blocked me there. The reason for the block was entirely fabricated, normal censorship to silence criticism.

About Reini Urban

user-pic Working at cPanel on cperl, B::C (the perl-compiler), parrot, B::Generate, cygwin perl and more guts, keeping the system alive.