Univention Bugzilla – Bug 37706
perl: Multiple issues (4.1)
Last modified: 2017-10-26 13:53:55 CEST
Denial of service in regexp processing (CVE-2013-7422) (only recently assigned)
[wheezy] - perl <no-dsa> (Minor issue)
Upstream Debian package version 5.14.2-21+deb7u3 fixes this issue: * ambiguous environment variables handling (CVE-2016-2381) Details: A bug has been found in the environment handling in Perl. Perl provides a Perl-space hash variable, %ENV, in which environment variables can be looked up. If a variable appears twice in envp, only the last value would appear in %ENV, but getenv would return the first. Perl's taint security mechanism would be applied to the value in %ENV, but not to the other rest of the environment. This could result in an ambiguous environment causing environment variables to be propagated to subprocesses, despite the protections supposedly offered by taint checking. With this update Perl changes the behavior to match the following: a) %ENV is populated with the first environment variable, as getenv would return. b) Duplicate environment entries are removed.
Upstream Debian package version 5.14.2-21+deb7u4 fixes these issues: * The following modules in Perl 5.x before 5.22.3-RC2 and 5.24 before 5.24.1-RC2 do not properly remove . (period) characters from the end of the includes directory array, which might allow local users to gain privileges via a Trojan horse module under the current working directory: (1) cpan/Archive-Tar/bin/ptar, (2) cpan/Archive-Tar/bin/ptardiff, (3) cpan/Archive-Tar/bin/ptargrep, (4) cpan/CPAN/scripts/cpan, (5) cpan/Digest-SHA/shasum, (6) cpan/Encode/bin/enc2xs, (7) cpan/Encode/bin/encguess, (8) cpan/Encode/bin/piconv, (9) cpan/Encode/bin/ucmlint, (10) cpan/Encode/bin/unidump, (11) cpan/ExtUtils-MakeMaker/bin/instmodsh, (12) cpan/IO-Compress/bin/zipdetails, (13) cpan/JSON-PP/bin/json_pp, (14) cpan/Test-Harness/bin/prove, (15) dist/ExtUtils-ParseXS/lib/ExtUtils/xsubpp, (16) dist/Module-CoreList/corelist, (17) ext/Pod-Html/bin/pod2html, (18) utils/c2ph.PL, (19) utils/h2ph.PL, (20) utils/h2xs.PL, (21) utils/libnetcfg.PL, (22) utils/perlbug.PL, (23) utils/perldoc.PL, (24) utils/perlivp.PL, and (25) utils/splain.PL. (CVE-2016-1238) * The XSLoader::load method in XSLoader in Perl does not properly locate .so files when called in a string eval, which might allow local users to execute arbitrary code via a Trojan horse library under the current working directory. (CVE-2016-6185) CVE-2016-1238: CVSS v2 base score: 6.2 (AV:L/AC:H/Au:N/C:C/I:C/A:C) CVE-2016-6185: CVSS v2 base score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
repo_admin.py -U -r 4.1 -s errata4.1-3 -d wheezy -p perl r16750 Package: perl Version: 5.14.2-21.82.201609281452 Branch: ucs_4.1-0 Scope: errata4.1-3 r72881 | Bug #37706: perl UCS-4.1-3 YAML perl.yaml
https://security-tracker.debian.org/tracker/CVE-2013-7422 is not fixed, because Debian considers it a minor issue. I took it out of the Advisory. Verified: * DSA version imported and built * UCS patch converted to quilt and applied during built * Package update Ok * Advisory Ok
<http://errata.software-univention.de/ucs/4.1/298.html>