Safe.pm 2.24 and earlier, when used in Perl 5.10.0 and earlier, may allow attackers to break out of the safe compartment in (1) Safe::reval or (2) Safe::rdo using implicitly called methods (such as DESTROY or AUTOLOAD) on implicitly blessed Perl objects, returned as a result of unsafe code evaluation. These methods could have been executed unrestricted by Safe, when such objects were accessed or destroyed. If a victim was tricked into running a specially-crafted Perl script, using the Safe extension module, it could lead to a bypass of the intended Safe module restrictions.

Different vulnerability than CVE-2010-1447.

Solution: Upgrade to Safe.pm v2.25 or higher.

References:
[1] http://search.cpan.org/~rgarcia/Safe-2.27/Safe.pm

Acknowledgements: Red Hat would like to thank Tim Bunce for responsibly reporting this issue. Upstream acknowledges Nick Cleaton as the original reporter.
This is CVE-2010-1168.
*** Bug 593857 has been marked as a duplicate of this bug. ***
This issue has been addressed in the following products:
  Red Hat Enterprise Linux 3
  Red Hat Enterprise Linux 4
Via RHSA-2010:0457 https://rhn.redhat.com/errata/RHSA-2010-0457.html
This issue has been addressed in the following products:
  Red Hat Enterprise Linux 5
Via RHSA-2010:0458 https://rhn.redhat.com/errata/RHSA-2010-0458.html
perl-5.10.1-116.fc13 has been pushed to the Fedora 13 stable repository. If problems still persist, please make note of it in this bug report.