Univention Bugzilla – Full Text Bug Listing |
Summary: | perl: Multiple issues (3.3) | ||
---|---|---|---|
Product: | UCS | Reporter: | Arvid Requate <requate> |
Component: | Security updates | Assignee: | Philipp Hahn <hahn> |
Status: | CLOSED FIXED | QA Contact: | Janek Walkenhorst <walkenhorst> |
Severity: | normal | ||
Priority: | P5 | CC: | gohmann, requate |
Version: | UCS 3.3 | Flags: | requate: Patch_Available+ |
Target Milestone: | UCS 3.3-1-errata | ||
Hardware: | Other | ||
OS: | Linux | ||
See Also: | https://forge.univention.org/bugzilla/show_bug.cgi?id=41199 | ||
What kind of report is it?: | Security Issue | What type of bug is this?: | --- |
Who will be affected by this bug?: | --- | How will those affected feel about the bug?: | --- |
User Pain: | Enterprise Customer affected?: | ||
School Customer affected?: | ISV affected?: | ||
Waiting Support: | Flags outvoted (downgraded) after PO Review: | ||
Ticket number: | Bug group (optional): | Security | |
Max CVSS v3 score: | |||
Bug Depends on: | 37706 | ||
Bug Blocks: | 36125 |
Description
Arvid Requate
2016-08-09 19:04:10 CEST
Upstream Debian package version 5.14.2-21+deb7u4 fixes these issues:

* The following modules in Perl 5.x before 5.22.3-RC2 and 5.24 before 5.24.1-RC2 do not properly remove . (period) characters from the end of the includes directory array, which might allow local users to gain privileges via a Trojan horse module under the current working directory: (1) cpan/Archive-Tar/bin/ptar, (2) cpan/Archive-Tar/bin/ptardiff, (3) cpan/Archive-Tar/bin/ptargrep, (4) cpan/CPAN/scripts/cpan, (5) cpan/Digest-SHA/shasum, (6) cpan/Encode/bin/enc2xs, (7) cpan/Encode/bin/encguess, (8) cpan/Encode/bin/piconv, (9) cpan/Encode/bin/ucmlint, (10) cpan/Encode/bin/unidump, (11) cpan/ExtUtils-MakeMaker/bin/instmodsh, (12) cpan/IO-Compress/bin/zipdetails, (13) cpan/JSON-PP/bin/json_pp, (14) cpan/Test-Harness/bin/prove, (15) dist/ExtUtils-ParseXS/lib/ExtUtils/xsubpp, (16) dist/Module-CoreList/corelist, (17) ext/Pod-Html/bin/pod2html, (18) utils/c2ph.PL, (19) utils/h2ph.PL, (20) utils/h2xs.PL, (21) utils/libnetcfg.PL, (22) utils/perlbug.PL, (23) utils/perldoc.PL, (24) utils/perlivp.PL, and (25) utils/splain.PL. (CVE-2016-1238)

* The XSLoader::load method in XSLoader in Perl does not properly locate .so files when called in a string eval, which might allow local users to execute arbitrary code via a Trojan horse library under the current working directory. (CVE-2016-6185)

CVE-2016-1238: CVSS v2 base score: 6.2 (AV:L/AC:H/Au:N/C:C/I:C/A:C)
CVE-2016-6185: CVSS v2 base score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)

repo_admin.py --cherrypick -r 4.1 -s errata4.1-3 --releasedest 3.3 --dest errata3.3-0 -p perl

Package: perl
Version: 5.14.2-21~ucs3.3.83.201609281453
Branch: ucs_3.3-0
Scope: errata3.3-0

r72882 | Bug #41951: perl UCS-3.3-0 YAML
 perl.yaml

UCS-3.3 still uses perl-5.10, which is *not* ABI compatible with perl-5.14: It would require all perl modules to be re-built; see Bug #41199

The source and binaries have been removed.

r72889 | Bug #29524 repo: Fix removing source revisions

The YAML was removed.

r72888 | Bug #41951: perl UCS-3.3-0 YAML

We need to fix the issues, at least the high risk ones, one way or the other.

https://security-tracker.debian.org/tracker/CVE-2016-2381

This is also a "nice" example of the use of CVSS:

CVE-2016-1238: CVSS v2 base score: 5.1 AV:N/AC:H/Au:N/C:P/I:P/A:P
https://access.redhat.com/security/cve/cve-2016-2381

CVE-2016-1238: CVSS v2 base score: 7.2 AV:L/AC:L/Au:N/C:C/I:C/A:C
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-1238

<https://launchpad.net/ubuntu/precise/+source/perl>: perl 5.14.2-6ubuntu2.5
Red-Hat: 2381=wont-fix 1238=fixed 6185=fixed
SUSE: <http://lists.suse.com/pipermail/sle-security-updates/2016-September/002256.html>

$ git l1 --no-merges origin/wheezy..origin/wheezy-security

CVE-2016-2381: Fixed
 e00a7a5 remove duplicate environment variables from environ

CVE-2016-6185: Not vulnerable — problematic XSLoader.load() w/o arguments not yet implemented
 fbb165e Don’t let XSLoader load relative paths

CVE-2016-1238:
 25a3df3 Make Module::Build set PERL_USE_UNSAFE_INC
 0dfa18f Enable "." to be removed from @INC in /etc/perl/sitecustomize.pl
 5c16571 Look for sitecustomize.pl in /etc/perl rather than sitelib on Debian systems
 f4cd6dc Set PERL_USE_UNSAFE_INC for cpan usage
 7044e18 Add PERL_USE_UNSAFE_INC support to EU::MM for fortify_inc support.
 9bd33ab Patch unit tests to explicitly insert "." into @INC when needed.
 ac40b2f cpan/: remove . from @INC when loading optional modules
 89d956d dist/: remove . from @INC when loading optional modules
 da2b683 perl5db.pl: ensure PadWalker is loaded from standard paths
 6bdc805 (perl #127834) remove . from the end of @INC if complex modules are loaded

Not merged:
 658947e Remove test for '.' in @INC as it might not be — not yet present
 1d17a59 releasing package perl version 5.14.2-21+deb7u4
 a9f5a7e Add changelog for CVE-2016-1238 changes

conv 10multiarch.patch 0001-multiarch.patch 0001-multiarch.quilt
conv 11multiarch.patch 0002-multiarch.quilt
conv 12gcc45.patch 0003-gcc45.quilt
git format-patch -o ~/src/patches/perl/3.3-0-0-ucs/5.10.1-17squeeze6-errata3.3-0 --start-number=4 --no-numbered --signoff --suffix '.quilt' origin/squeeze..
mv 0013-Enable-.-to-be-removed-from-INC-in-etc-perl-sitecust.quilt 0013-Enable-.-to-be-removed-from-INC-in-etc-perl-sitecust.patch

Package: perl
Version: 5.10.1-17.85.201611301352
Version: 5.10.1-17.86.201611301406
Branch: ucs_3.3-0
Scope: errata3.3-0

r74846 | Bug #41951: perl UCS-3.3-0 YAML
 perl.yaml

Moved bug and advisory to 3.3-1.

Advisory: OK
Tests: OK
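Added example, not part of the bug thread and not code from Debian, upstream Perl or Univention: a Perl sketch of the CVE-2016-1238 mechanism described above and of the mitigation named in the commit subjects ("remove . from @INC when loading optional modules"). It generalises from a trailing "." to every relative @INC entry; the module name Hypothetical_Optional_Plugin, the helper names and the temporary directory are assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Cwd qw(getcwd);
use File::Spec;
use File::Temp qw(tempdir);

# Return every @INC entry that is resolved relative to the working directory.
# Code refs and objects (@INC hooks) are not paths and are skipped.
sub relative_inc_entries {
    return grep { !ref($_) && !File::Spec->file_name_is_absolute($_) } @_;
}

# Load an optional module with relative entries hidden for the duration of
# the require only, so a file in the working directory cannot satisfy it.
sub require_optional {
    my ($module) = @_;
    (my $file = "$module.pm") =~ s{::}{/}g;
    local @INC = grep { ref($_) || File::Spec->file_name_is_absolute($_) } @INC;
    return eval { require $file; 1 } ? 1 : 0;
}

# Constructed scenario: a directory another local user could write to, holding
# a harmless file named after an optional module that is not installed.
my $dir = tempdir(CLEANUP => 1);
my $old = getcwd();
chdir $dir or die "chdir: $!";
open my $fh, '>', 'Hypothetical_Optional_Plugin.pm' or die "open: $!";
print {$fh} "package Hypothetical_Optional_Plugin; our \$LOADED_FROM_CWD = 1; 1;\n";
close $fh or die "close: $!";

# Simulate an interpreter without the fix: "." is the last @INC entry.
push @INC, '.' unless grep { !ref($_) && $_ eq '.' } @INC;
print "relative \@INC entries: ", join(', ', relative_inc_entries(@INC)), "\n";

# Hardened load first: the file in the working directory is not considered.
my $hardened = require_optional('Hypothetical_Optional_Plugin');
print "hardened require loaded it: ", ($hardened ? "yes" : "no"), "\n";

# Unscoped require with "." still in @INC: the same file is picked up.
my $plain = eval { require 'Hypothetical_Optional_Plugin.pm'; 1 } ? 1 : 0;
print "plain require loaded it:    ", ($plain ? "yes" : "no"), "\n";

chdir $old or die "chdir: $!";
```

On a system where the optional module is genuinely absent, the hardened call reports "no" and the plain call reports "yes", which is the difference the listed commits close for the bundled scripts.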