Univention Bugzilla – Bug 41951
perl: Multiple issues (3.3)
Last modified: 2017-07-20 15:01:04 CEST
+++ This bug was initially created as a clone of Bug #37706 +++ Upstream Debian package version 5.14.2-21+deb7u3 fixes this issue: * ambiguous environment variables handling (CVE-2016-2381) Details: A bug has been found in the environment handling in Perl. Perl provides a Perl-space hash variable, %ENV, in which environment variables can be looked up. If a variable appears twice in envp, only the last value would appear in %ENV, but getenv would return the first. Perl's taint security mechanism would be applied to the value in %ENV, but not to the other rest of the environment. This could result in an ambiguous environment causing environment variables to be propagated to subprocesses, despite the protections supposedly offered by taint checking. With this update Perl changes the behavior to match the following: a) %ENV is populated with the first environment variable, as getenv would return. b) Duplicate environment entries are removed.
Upstream Debian package version 5.14.2-21+deb7u4 fixes these issues: * The following modules in Perl 5.x before 5.22.3-RC2 and 5.24 before 5.24.1-RC2 do not properly remove . (period) characters from the end of the includes directory array, which might allow local users to gain privileges via a Trojan horse module under the current working directory: (1) cpan/Archive-Tar/bin/ptar, (2) cpan/Archive-Tar/bin/ptardiff, (3) cpan/Archive-Tar/bin/ptargrep, (4) cpan/CPAN/scripts/cpan, (5) cpan/Digest-SHA/shasum, (6) cpan/Encode/bin/enc2xs, (7) cpan/Encode/bin/encguess, (8) cpan/Encode/bin/piconv, (9) cpan/Encode/bin/ucmlint, (10) cpan/Encode/bin/unidump, (11) cpan/ExtUtils-MakeMaker/bin/instmodsh, (12) cpan/IO-Compress/bin/zipdetails, (13) cpan/JSON-PP/bin/json_pp, (14) cpan/Test-Harness/bin/prove, (15) dist/ExtUtils-ParseXS/lib/ExtUtils/xsubpp, (16) dist/Module-CoreList/corelist, (17) ext/Pod-Html/bin/pod2html, (18) utils/c2ph.PL, (19) utils/h2ph.PL, (20) utils/h2xs.PL, (21) utils/libnetcfg.PL, (22) utils/perlbug.PL, (23) utils/perldoc.PL, (24) utils/perlivp.PL, and (25) utils/splain.PL. (CVE-2016-1238) * The XSLoader::load method in XSLoader in Perl does not properly locate .so files when called in a string eval, which might allow local users to execute arbitrary code via a Trojan horse library under the current working directory. (CVE-2016-6185) CVE-2016-1238: CVSS v2 base score: 6.2 (AV:L/AC:H/Au:N/C:C/I:C/A:C) CVE-2016-6185: CVSS v2 base score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
repo_admin.py --cherrypick -r 4.1 -s errata4.1-3 --releasedest 3.3 --dest errata3.3-0 -p perl Package: perl Version: 5.14.2-21~ucs3.3.83.201609281453 Branch: ucs_3.3-0 Scope: errata3.3-0 r72882 | Bug #41951: perl UCS-3.3-0 YAML perl.yaml
UCS-3.3 still uses perl-5.10, which is *not* ABI compatible with perl-5.14: It would require all perl modules to be re-built; see Bug #41199 The source and binaries have been removed. r72889 | Bug #29524 repo: Fix removing source revisions The YAML was removed. r72888 | Bug #41951: perl UCS-3.3-0 YAML
We need to fix the issues, at least the high risc ones, one way or the other. https://security-tracker.debian.org/tracker/CVE-2016-2381
This is also a "nice" example of the use of CVSS: CVE-2016-1238: CVSS v2 base score: 5.1 AV:N/AC:H/Au:N/C:P/I:P/A:P https://access.redhat.com/security/cve/cve-2016-2381 CVE-2016-1238: CVSS v2 base score: 7.2 AV:L/AC:L/Au:N/C:C/I:C/A:C https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-1238
<https://launchpad.net/ubuntu/precise/+source/perl>: perl 5.14.2-6ubuntu2.5 Red-Hat: 2381=wont-fix 1238=fixed 6185=fixed SUSE: <http://lists.suse.com/pipermail/sle-security-updates/2016-September/002256.html> $ git l1 --no-merges origin/wheezy..origin/wheezy-security CVE-2016-2381: Fixed e00a7a5 remove duplicate environment variables from environ CVE-2016-6185: Not vulnerable — problematic XSLoader.load() w/o arguments not yet implemented fbb165e Don’t let XSLoader load relative paths CVE-2016-1238: 25a3df3 Make Module::Build set PERL_USE_UNSAFE_INC 0dfa18f Enable "." to be removed from @INC in /etc/perl/sitecustomize.pl 5c16571 Look for sitecustomize.pl in /etc/perl rather than sitelib on Debian systems f4cd6dc Set PERL_USE_UNSAFE_INC for cpan usage 7044e18 Add PERL_USE_UNSAFE_INC support to EU::MM for fortify_inc support. 9bd33ab Patch unit tests to explicitly insert "." into @INC when needed. ac40b2f cpan/: remove . from @INC when loading optional modules 89d956d dist/: remove . from @INC when loading optional modules da2b683 perl5db.pl: ensure PadWalker is loaded from standard paths 6bdc805 (perl #127834) remove . from the end of @INC if complex modules are loaded Not merged: 658947e Remove test for '.' in @INC as it might not be — not yet present 1d17a59 releasing package perl version 5.14.2-21+deb7u4 a9f5a7e Add changelog for CVE-2016-1238 changes conv 10multiarch.patch 0001-multiarch.patch 0001-multiarch.quilt conv 11multiarch.patch 0002-multiarch.quilt conv 12gcc45.patch 0003-gcc45.quilt git format-patch -o ~/src/patches/perl/3.3-0-0-ucs/5.10.1-17squeeze6-errata3.3-0 --start-number=4 --no-numbered --signoff --suffix '.quilt' origin/squeeze.. mv 0013-Enable-.-to-be-removed-from-INC-in-etc-perl-sitecust.quilt 0013-Enable-.-to-be-removed-from-INC-in-etc-perl-sitecust.patch Package: perl Version: 5.10.1-17.85.201611301352 Version: 5.10.1-17.86.201611301406 Branch: ucs_3.3-0 Scope: errata3.3-0 r74846 | Bug #41951: perl UCS-3.3-0 YAML perl.yaml
Moved bug and advisory to 3.3-1.
Advisory: OK Tests: OK
<http://errata.software-univention.de/ucs/3.3/43.html>