Bug 36125 - perl: Multiple issues (3.2)
perl: Multiple issues (3.2)
Product: UCS
Classification: Unclassified
Component: Security updates
UCS 3.2
Other Linux
: P5 normal (vote)
: UCS 3.2-x-errata
Assigned To: Security maintainers
: 37705 (view as bug list)
Depends on: 41951
  Show dependency treegraph
Reported: 2014-10-10 13:21 CEST by Moritz Muehlenhoff
Modified: 2019-04-11 19:25 CEST (History)
1 user (show)

See Also:
What kind of report is it?: Security Issue
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted after Product Owner Review:
Ticket number:
Bug group (optional):
Max CVSS v3 score:


Note You need to log in before you can comment on or make changes to this bug.
Description Moritz Muehlenhoff univentionstaff 2014-10-10 13:21:12 CEST
Denial of service in Data:Dumper (CVE-2014-4330)
Comment 1 Arvid Requate univentionstaff 2016-03-04 08:52:44 CET
*** Bug 37705 has been marked as a duplicate of this bug. ***
Comment 2 Arvid Requate univentionstaff 2016-03-04 09:04:31 CET
Upstream Debian package version 5.14.2-21+deb7u3 fixes this issue:

* ambiguous environment variables handling (CVE-2016-2381)

A bug has been found in the environment handling in Perl. Perl provides a Perl-space hash variable, %ENV, in which environment variables can be looked up.  If a variable appears twice in envp, only the last value would appear in %ENV, but getenv would return the first. Perl's taint security mechanism would be applied to the value in %ENV, but not to the other rest of the environment.  This could result in an ambiguous environment causing environment variables to be propagated to subprocesses, despite the protections supposedly offered by taint

With this update Perl changes the behavior to match the following:

 a) %ENV is populated with the first environment variable, as getenv
    would return.
 b) Duplicate environment entries are removed.
Comment 3 Arvid Requate univentionstaff 2016-08-09 19:16:33 CEST
Upstream Debian Wheezy package version 5.14.2-21+deb7u4 fixes these issues:

* The following modules in Perl 5.x before 5.22.3-RC2 and 5.24 before 5.24.1-RC2 do not properly remove . (period) characters from the end of the includes directory array, which might allow local users to gain privileges via a Trojan horse module under the current working directory: (1) cpan/Archive-Tar/bin/ptar, (2) cpan/Archive-Tar/bin/ptardiff, (3) cpan/Archive-Tar/bin/ptargrep, (4) cpan/CPAN/scripts/cpan, (5) cpan/Digest-SHA/shasum, (6) cpan/Encode/bin/enc2xs, (7) cpan/Encode/bin/encguess, (8) cpan/Encode/bin/piconv, (9) cpan/Encode/bin/ucmlint, (10) cpan/Encode/bin/unidump, (11) cpan/ExtUtils-MakeMaker/bin/instmodsh, (12) cpan/IO-Compress/bin/zipdetails, (13) cpan/JSON-PP/bin/json_pp, (14) cpan/Test-Harness/bin/prove, (15) dist/ExtUtils-ParseXS/lib/ExtUtils/xsubpp, (16) dist/Module-CoreList/corelist, (17) ext/Pod-Html/bin/pod2html, (18) utils/c2ph.PL, (19) utils/h2ph.PL, (20) utils/h2xs.PL, (21) utils/libnetcfg.PL, (22) utils/perlbug.PL, (23) utils/perldoc.PL, (24) utils/perlivp.PL, and (25) utils/splain.PL. (CVE-2016-1238)

* The XSLoader::load method in XSLoader in Perl does not properly locate .so files when called in a string eval, which might allow local users to execute arbitrary code via a Trojan horse library under the current working directory. (CVE-2016-6185)

CVE-2016-1238: CVSS v2 base score: 6.2 (AV:L/AC:H/Au:N/C:C/I:C/A:C)
CVE-2016-6185: CVSS v2 base score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
Comment 4 Stefan Gohmann univentionstaff 2017-06-16 20:40:48 CEST
This issue has been filed against UCS 3. UCS 3 is out of the normal maintenance and many UCS components have vastly changed in UCS 4.

If this issue is still valid, please change the version to a newer UCS version otherwise this issue will be automatically closed in the next weeks.
Comment 5 Stefan Gohmann univentionstaff 2017-08-08 07:11:22 CEST
This issue has been filed against UCS 3.2.

UCS 3.2 is out of maintenance and many UCS components have vastly changed in later releases. Thus, this issue is now being closed.

If this issue still occurs in newer UCS versions, please use "Clone this bug" or reopen this issue. In this case please provide detailed information on how this issue is affecting you.