CVE-2011-1487

Published: 11 April 2011

The (1) lc, (2) lcfirst, (3) uc, and (4) ucfirst functions in Perl 5.10.x, 5.11.x, and 5.12.x through 5.12.3, and 5.13.x through 5.13.11, do not apply the taint attribute to the return value upon processing tainted input, which might allow context-dependent attackers to bypass the taint protection mechanism via a crafted string.
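
A check for the behaviour described above, as an added example that is not part of the advisory or the upstream patch: run under taint mode, it reports whether each of the four functions returns a tainted value when given tainted input. The test string and the script name `taint_case_check.pl` are constructed for illustration.

```perl
#!/usr/bin/perl
# Added example (not from the advisory or the upstream commit).
# Reports whether the running perl propagates taint through
# lc, lcfirst, uc and ucfirst.
# Run as: perl -T taint_case_check.pl   (file name is hypothetical)
use strict;
use warnings;
use Scalar::Util qw(tainted);

# ${^TAINT} is non-zero only when taint mode is enabled.
die "Taint mode is off; run with: perl -T $0\n" unless ${^TAINT};

# Constructed input: a constant string made tainted by appending a
# zero-length slice of $^X, which is tainted under -T.
my $input = 'mIxEd Case' . substr($^X, 0, 0);
die "Could not build a tainted test string\n" unless tainted($input);

# The four functions named in the CVE description.
my %case_ops = (
    lc      => sub { lc $_[0] },
    lcfirst => sub { lcfirst $_[0] },
    uc      => sub { uc $_[0] },
    ucfirst => sub { ucfirst $_[0] },
);

my $lost = 0;
for my $name (sort keys %case_ops) {
    my $result = $case_ops{$name}->($input);
    if (tainted($result)) {
        print "ok      $name keeps the taint flag\n";
    }
    else {
        print "NOT OK  $name returned an untainted value\n";
        $lost++;
    }
}

printf "perl %vd: %s\n", $^V,
    $lost ? "$lost function(s) drop taint" : "taint is propagated";

# Non-zero exit status lets a build or audit job flag an affected perl.
exit($lost ? 1 : 0);
```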

Priority

Low

Status

Package: perl (Launchpad, Ubuntu, Debian)
Release: Upstream
Status: Released (5.10.1-20)
Patches:
Upstream: http://perl5.git.perl.org/perl.git/commit/539689e74a3bcb04d29e4cd9396de91a81045b99

Notes

Author: mdeslaur
Note: see: http://www.nntp.perl.org/group/perl.perl5.porters/2011/04/msg171010.html
dapper and hardy were before the vulnerable code was introduced
