Description
The Safe module did not properly restrict the code of implicitly called
methods (such as DESTROY and AUTOLOAD) on implicitly blessed objects
returned as a result of unsafe code evaluation. These methods could have
been executed unrestricted by Safe when such objects were accessed or
destroyed. A specially-crafted Perl script executed inside of a Safe
compartment could use this flaw to bypass intended Safe module
restrictions. (CVE-2010-1168)
The Safe module did not properly restrict code compiled in a Safe
compartment and executed out of the compartment via a subroutine reference
returned as a result of unsafe code evaluation. A specially-crafted Perl
script executed inside of a Safe compartment could use this flaw to bypass
intended Safe module restrictions, if the returned subroutine reference was
called from outside of the compartment. (CVE-2010-1447)
Multiple race conditions were found in the way the File::Path module's
rmtree function removed directory trees. A malicious, local user with write
access to a directory being removed by a victim, running a Perl script
using rmtree, could cause the permissions of arbitrary files to be changed
to world-writable and setuid, or delete arbitrary files via a symbolic link
attack, if the victim had the privileges to change the permissions of the
target files or to remove them. (CVE-2008-5302, CVE-2008-5303)