oss-sec mailing list archives

Re: CVE-2017-20230: Storable versions before 3.05 for Perl has a stack overflow


From: Sam James <sam () gentoo org>
Date: Tue, 21 Apr 2026 22:24:40 +0100

Sam James <sam () gentoo org> writes:

Robert Rothenberg <rrwo () cpansec org> writes:

========================================================================
CVE-2017-20230                                       CPAN Security Group
========================================================================

        CVE ID:  CVE-2017-20230
  Distribution:  Storable
      Versions:  before 3.05

      MetaCPAN:  https://metacpan.org/dist/Storable
      VCS Repo:  https://github.com/Perl/perl5/


Storable versions before 3.05 for Perl has a stack overflow

Description
-----------
Storable versions before 3.05 for Perl has a stack overflow.

The retrieve_hook function stored the length of the class name into a
signed integer but in read operations treated the length as unsigned.
This allowed an attacker to craft data that could trigger the overflow.

I'm always suspicious by default of anything involving
serialisation. The perldoc for Storable [0] says:
Do not accept Storable documents from untrusted sources! There is no
way to configure Storable so that it can be used safely to process untrusted data. 

and later (between much other omitted text):
With the default setting of $Storable::flags = 6, creating or
destroying random objects, even renamed objects can be controlled by
an attacker.
See CVE-2015-1592 and its metasploit module.

Is this vulnerability valid in light of that? Thanks.

In fact, the linked patch in the original message from Robert has in its
commit message:
No CVE since p5p believes local Storable
files are not exploitable.

Has the p5p policy changed on this? If so, could the perldoc be updated
please?

(My own view is that it should not change, of course.)


[0] https://perldoc.perl.org/Storable#SECURITY-WARNING

[...]

sam

Attachment: signature.asc
Description:


Current thread: