The Perl Journal February, 2005
The Perl Foundation is looking for money that it can give away. Specifically, the Foundation would like to provide funding in 2005 and 2006 to Larry Wall, Patrick Michaud, Leopold Totsch, and an unspecified "second Parrot developer." According to Allison Randal, the timing is urgent: "Parrot and Perl 6 are both close enough to completion that a few full-time developers could polish them off in a very small number of 'Christmases.' Another (more urgent) reason is that we've just learned that we have about 6 weeks left of Leo's time before he's forced to take a sabbatical from Parrot to pursue the noble task of 'putting food on the table.' This would set the project back by six months or more. So here we stand, on the edge of acceleration or a severe setback."
The German Perl Workshop was recently able to raise enough money to fund 20 days of development; each day of development time costs $200. The Perl 6 & Parrot Proposal (http://www .perlfoundation.org/gc/grants/2005-p6-proposal.html) shows the cost of achieving each milestone in development. Donations to The Perl Foundation can be made online at https://donate.perlfoundation.org/ index.pl?node=Contribution%20Info.
Autrijus Tang launched a new project to create an interpreter for Perl 6: Pugs. Written in Haskell, Pugs "aims to implement the full Perl6 specification, as detailed in the Synopses." Work on Pugs has been proceeding at a breakneck rate: Autrijus has attracted 11 other developers to the project, and after only a month of development, they've succeeded in getting the Perl 6 module Test.pm to run correctly. Pugs is up to version 6.0.8 and is available from CPAN. It's licensed under both GPL Version 2 and Artistic License Version 2.0b5.
According to the FAQ at http://pugscode.org/, "Similar to perl5, Pugs first compiles Perl 6 program to an AST, then executes it using the built-in evaluator. However, in the future Pugs may also provide a compiler interface that supports different compiler back ends. If implemented, the first compiler backend will likely be generating Perl 6 code, similar to the B::Deparse module. The next one may generate Haskell code, which can then be compiled to C by GHC. At that point, it may make sense to target the Parrot virtual machine. Other back ends (such as perl5 bytecode) may be added if people are willing to work on them."
Gabor Szabo has launched a new web site, http://www.cpanforum .com/, for discussion of CPAN modules. He notes: "One of the objectives is to let people easily monitor discussions on several modules of their interest without subscribing to many mailing lists. It will also help lots of module authors for modules that do not have a mailing list (I guess about 95 percent of all the modules on CPAN) to provide support." Users can opt to be notified by e-mail when new messages are posted to the forums that interest them, and an RSS feed is also available.
Andy Lester has reorganized his Phalanx project, an effort to add tests to CPAN modules, find hidden bugs, and improve documentation. When his initial group of 12 testers, each working alone, failed to produce any additional tests, Andy decided to make the project more community-oriented. A web site has been put up at http://qa.perl.org/phalanx/; a wiki has been organized at http://phalanx.kwiki.org/; and a perl-qa list is hosted at lists.perl.org.
"When Ponie was announced in July 2003, we knew that it would require a regression test suite larger than Perl had ever had before. Fortunately, with the CPAN, we have a huge selection to choose from," Andy explains. "We're hoping that the 100 distributions we've selected, mostly on rough statistical analysis of usage, will cover a huge part of the CPAN that's used by the Perl community...Bugs will be found. They're out there."
Kevin Finisterre has discovered two means by which a malicious local user can take control of a machine using setuid perl. Both depend on manipulating the "PERLIO_DEBUG" environment variable PerlIO. Kevin comments: "In the July 18, 2002 highlights for Perl 5.8.0 there was a 'New IO Implementation' added called PerlIO. The new PerlIO implementation was described as both a portable stdio implementation (at the source code level) and a flexible new framework for richer I/O behaviours. As an attacker, I would definitely say that PerlIO has some rich behavior."
One method of attack uses PERLIO_DEBUG to cause a buffer overflow in the function responsible for logging the PerlIO data. The second exploits PERLIO_DEBUG message output with setuid to create root-owned files with world-writable permissions. "At this point, the game is pretty much over," Kevin explains. "Since the file is world-writable the attacker can add any content he or she desires to the file that was created. Charles Stevenson suggested that a file could be written to /etc/crond.d/xxxx, which would allow an attacker to control the machine with the next run of cron. I considered a few alternatives like writing to root's crontab, making an sshd root authorized_key file, as well as a few others. In my example exploit, I took a more immediate and risky route by writing to /etc/ld.so.preload and providing a trojan."
Rafael Garcia-Suarez fixed the security holes in bleadperl, and Mandrake provided a patch, available at http://cvs.mandrakesoft .com/cgi-bin/cvsweb.cgi/~checkout~/SPECS/perl/perl-5.8.6-bug33990.patch?rev=1.1&content-type=text/plain.