Spoon::Cookie Perl module allows storing data of any type on the client side browser using HTTP cookies. The data is subsequently serialized and deserialized using Perl's Storable module without any further checks for possible tampering. Since the Perl's Storable module has been documented to be unsuitable for these purposes: [1] http://perl5.git.perl.org/perl.git/commit/664f237a84176c09b20b62dbfe64dd736a7ce05e (as reported) the current Spoon::Cookie behaviour is dangerous as it will run Storable::thaw() on arbitrary untrusted user input. A remote attacker could provide a specially-crafted Spoon::Cookie input that, when processed with Storable::thaw() would lead to Storable module to load the module corresponding to the class of the object in the deserializing module, possibly leading to arbitrary code execution (with the privileges of the user running the application utilizing the services of the Spoon::Cookie module). Spoon CPAN module ticket: [2] https://rt.cpan.org/Public/Bug/Display.html?id=85217 References: [3] http://www.openwall.com/lists/oss-security/2013/05/13/1
This issue affects the versions of the perl-Spoon package, as shipped with Fedora release of 17, 18, and Fedora EPEL-6. Please schedule an update once there is final upstream patch available (doesn't seem to be as of right now).
Created perl-Spoon tracking bugs for this issue Affects: fedora-all [bug 962707] Affects: epel-6 [bug 962708]