Bug 41951 - perl: Multiple issues (3.3)
Product: UCS
Classification: Unclassified
Component: Security updates
UCS 3.3
Other Linux
Importance: P5 normal
Target Milestone: UCS 3.3-1-errata
Assigned To: Philipp Hahn
Janek Walkenhorst
Depends on: 37706
Blocks: 36125
Reported: 2016-08-09 19:04 CEST by Arvid Requate
Modified: 2017-07-20 15:01 CEST
What kind of report is it?: Security Issue
Bug group (optional): Security
requate: Patch_Available+


Description Arvid Requate univentionstaff 2016-08-09 19:04:10 CEST
+++ This bug was initially created as a clone of Bug #37706 +++

Upstream Debian package version 5.14.2-21+deb7u3 fixes this issue:

* ambiguous environment variables handling (CVE-2016-2381)

A bug has been found in the environment handling in Perl. Perl provides a Perl-space hash variable, %ENV, in which environment variables can be looked up. If a variable appears twice in envp, only the last value would appear in %ENV, but getenv would return the first. Perl's taint security mechanism would be applied to the value in %ENV, but not to the rest of the environment. This could result in an ambiguous environment causing environment variables to be propagated to subprocesses, despite the protections supposedly offered by taint

With this update Perl changes the behavior to match the following:

 a) %ENV is populated with the first environment variable, as getenv
    would return.
 b) Duplicate environment entries are removed.
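
Added example (not part of the bug report and not the Perl patch itself): a small C model of the ambiguity described above and of the fixed behaviour in points a) and b). The function names and the sample environment are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample: PATH appears twice, as in an ambiguous envp. */
char *sample_env[] = { "PATH=/usr/bin", "HOME=/root", "PATH=/tmp/untrusted", NULL };

/* True if entry is "name=..." (exact name match, not a prefix match). */
static int matches(const char *entry, const char *name) {
    size_t n = strlen(name);
    return strncmp(entry, name, n) == 0 && entry[n] == '=';
}

/* First match wins: the value getenv() returns for a duplicated name. */
const char *lookup_first(char *const envp[], const char *name) {
    for (size_t i = 0; envp[i]; i++)
        if (matches(envp[i], name))
            return envp[i] + strlen(name) + 1;
    return NULL;
}

/* Last match wins: how %ENV ended up populated before the fix. */
const char *lookup_last(char *const envp[], const char *name) {
    const char *hit = NULL;
    for (size_t i = 0; envp[i]; i++)
        if (matches(envp[i], name))
            hit = envp[i] + strlen(name) + 1;
    return hit;
}

/* Fixed behaviour: keep the first entry per name, drop later duplicates
 * in place. Returns the number of entries removed. */
size_t dedup_keep_first(char *envp[]) {
    size_t out = 0, removed = 0;
    for (size_t i = 0; envp[i]; i++) {
        const char *eq = strchr(envp[i], '=');
        size_t n = eq ? (size_t)(eq - envp[i]) : strlen(envp[i]);
        int dup = 0;
        for (size_t j = 0; j < out && !dup; j++)
            dup = strncmp(envp[j], envp[i], n) == 0 &&
                  (envp[j][n] == '=' || envp[j][n] == '\0');
        if (dup) removed++; else envp[out++] = envp[i];
    }
    envp[out] = NULL;
    return removed;
}

int main(void) {
    printf("getenv view: %s\n", lookup_first(sample_env, "PATH"));
    printf("old %%ENV view: %s\n", lookup_last(sample_env, "PATH"));
    printf("duplicates removed: %zu\n", dedup_keep_first(sample_env));
    return 0;
}
```

After deduplication both lookups agree, so the value that taint checking inspects is the same one a subprocess inherits.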
Comment 1 Arvid Requate univentionstaff 2016-08-09 19:04:23 CEST
Upstream Debian package version 5.14.2-21+deb7u4 fixes these issues:

* The following modules in Perl 5.x before 5.22.3-RC2 and 5.24 before 5.24.1-RC2 do not properly remove . (period) characters from the end of the includes directory array, which might allow local users to gain privileges via a Trojan horse module under the current working directory: (1) cpan/Archive-Tar/bin/ptar, (2) cpan/Archive-Tar/bin/ptardiff, (3) cpan/Archive-Tar/bin/ptargrep, (4) cpan/CPAN/scripts/cpan, (5) cpan/Digest-SHA/shasum, (6) cpan/Encode/bin/enc2xs, (7) cpan/Encode/bin/encguess, (8) cpan/Encode/bin/piconv, (9) cpan/Encode/bin/ucmlint, (10) cpan/Encode/bin/unidump, (11) cpan/ExtUtils-MakeMaker/bin/instmodsh, (12) cpan/IO-Compress/bin/zipdetails, (13) cpan/JSON-PP/bin/json_pp, (14) cpan/Test-Harness/bin/prove, (15) dist/ExtUtils-ParseXS/lib/ExtUtils/xsubpp, (16) dist/Module-CoreList/corelist, (17) ext/Pod-Html/bin/pod2html, (18) utils/c2ph.PL, (19) utils/h2ph.PL, (20) utils/h2xs.PL, (21) utils/libnetcfg.PL, (22) utils/perlbug.PL, (23) utils/perldoc.PL, (24) utils/perlivp.PL, and (25) utils/splain.PL. (CVE-2016-1238)

* The XSLoader::load method in XSLoader in Perl does not properly locate .so files when called in a string eval, which might allow local users to execute arbitrary code via a Trojan horse library under the current working directory. (CVE-2016-6185)

CVE-2016-1238: CVSS v2 base score: 6.2 (AV:L/AC:H/Au:N/C:C/I:C/A:C)
CVE-2016-6185: CVSS v2 base score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
Comment 2 Philipp Hahn univentionstaff 2016-09-28 15:38:55 CEST
repo_admin.py --cherrypick -r 4.1 -s errata4.1-3 --releasedest 3.3 --dest errata3.3-0 -p perl

Package: perl
Version: 5.14.2-21~ucs3.3.83.201609281453
Branch: ucs_3.3-0
Scope: errata3.3-0

r72882 | Bug #41951: perl UCS-3.3-0 YAML
Comment 3 Philipp Hahn univentionstaff 2016-09-29 09:34:54 CEST
UCS-3.3 still uses perl-5.10, which is *not* ABI compatible with perl-5.14: It would require all perl modules to be re-built; see Bug #41199

The source and binaries have been removed.
 r72889 | Bug #29524 repo: Fix removing source revisions
The YAML was removed.
 r72888 | Bug #41951: perl UCS-3.3-0 YAML
Comment 4 Arvid Requate univentionstaff 2016-10-04 11:41:00 CEST
We need to fix the issues, at least the high risk ones, one way or the other.

Comment 5 Arvid Requate univentionstaff 2016-10-04 11:50:23 CEST
This is also a "nice" example of the use of CVSS:

CVE-2016-1238: CVSS v2 base score: 5.1 AV:N/AC:H/Au:N/C:P/I:P/A:P


CVE-2016-1238: CVSS v2 base score: 7.2 AV:L/AC:L/Au:N/C:C/I:C/A:C

Comment 6 Philipp Hahn univentionstaff 2016-11-30 16:42:08 CET
<https://launchpad.net/ubuntu/precise/+source/perl>: perl 5.14.2-6ubuntu2.5
Red-Hat: 2381=wont-fix 1238=fixed 6185=fixed
SUSE: <http://lists.suse.com/pipermail/sle-security-updates/2016-September/002256.html>

$ git l1 --no-merges origin/wheezy..origin/wheezy-security
CVE-2016-2381: Fixed
 e00a7a5 remove duplicate environment variables from environ

CVE-2016-6185: Not vulnerable — problematic XSLoader.load() w/o arguments not yet implemented
 fbb165e Don’t let XSLoader load relative paths

 25a3df3 Make Module::Build set PERL_USE_UNSAFE_INC
 0dfa18f Enable "." to be removed from @INC in /etc/perl/sitecustomize.pl
 5c16571 Look for sitecustomize.pl in /etc/perl rather than sitelib on Debian systems
 f4cd6dc Set PERL_USE_UNSAFE_INC for cpan usage
 7044e18 Add PERL_USE_UNSAFE_INC support to EU::MM for fortify_inc support.
 9bd33ab Patch unit tests to explicitly insert "." into @INC when needed.
 ac40b2f cpan/: remove . from @INC when loading optional modules
 89d956d dist/: remove . from @INC when loading optional modules
 da2b683 perl5db.pl: ensure PadWalker is loaded from standard paths
 6bdc805 (perl #127834) remove . from the end of @INC if complex modules are loaded

Not merged:
 658947e Remove test for '.' in @INC as it might not be — not yet present
 1d17a59 releasing package perl version 5.14.2-21+deb7u4
 a9f5a7e Add changelog for CVE-2016-1238 changes

conv 10multiarch.patch 0001-multiarch.patch 0001-multiarch.quilt
conv 11multiarch.patch 0002-multiarch.quilt
conv 12gcc45.patch 0003-gcc45.quilt
git format-patch -o ~/src/patches/perl/3.3-0-0-ucs/5.10.1-17squeeze6-errata3.3-0 --start-number=4 --no-numbered --signoff --suffix '.quilt' origin/squeeze..
mv 0013-Enable-.-to-be-removed-from-INC-in-etc-perl-sitecust.quilt 0013-Enable-.-to-be-removed-from-INC-in-etc-perl-sitecust.patch

Package: perl
Version: 5.10.1-17.85.201611301352
Version: 5.10.1-17.86.201611301406
Branch: ucs_3.3-0
Scope: errata3.3-0

r74846 | Bug #41951: perl UCS-3.3-0 YAML
Comment 7 Janek Walkenhorst univentionstaff 2017-07-13 19:39:26 CEST
Moved bug and advisory to 3.3-1.
Comment 8 Janek Walkenhorst univentionstaff 2017-07-14 17:10:29 CEST
Advisory: OK
Tests: OK
Comment 9 Janek Walkenhorst univentionstaff 2017-07-20 15:01:04 CEST