Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 362025 (CVE-2011-1487) - >=dev-lang/perl-5.10, <dev-lang/perl-5.12.3-r1: lc(), uc() routines are laundering tainted data (CVE-2011-1487)
Summary: >=dev-lang/perl-5.10, <dev-lang/perl-5.12.3-r1: lc(), uc() routines are laund...
Status: RESOLVED FIXED
Alias: CVE-2011-1487
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All All
: Normal major (vote)
Assignee: Gentoo Security
URL:
Whiteboard: A2 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2011-04-05 08:02 UTC by Petr Pisar
Modified: 2013-11-28 08:33 UTC (History)
0 users

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Petr Pisar 2011-04-05 08:02:53 UTC
perlsec manual states:

> Laundering data using regular expression is the _only_ mechanism for
> untainting dirty data, [...]

However dev-lang/perl-5.12.2-r6 clears tainted flag even after lc() and
uc() perl functions:

$ perl -Te 'use Scalar::Util qw(tainted); printf("%d %d %d\n", tainted($0),
tainted(lc($0)), tainted(uc($0)));'
1 0 0

This has been recognized by upstream as a security regression and fixed in
forthcoming perl-5.14 (http://rt.perl.org/rt3/Public/Bug/Display.html?id=87336).

All versions since 5.10 are affected.

CVE-2011-1487 has been assigned (http://www.openwall.com/lists/oss-security/2011/04/04/35).
Comment 1 Tim Sammut (RETIRED) gentoo-dev 2011-04-05 15:19:36 UTC
(In reply to comment #0)
> 
> This has been recognized by upstream as a security regression and fixed in
> forthcoming perl-5.14
> (http://rt.perl.org/rt3/Public/Bug/Display.html?id=87336).
> 

Thank you for the report, Petr.
Comment 2 Torsten Veller (RETIRED) gentoo-dev 2011-04-25 07:07:14 UTC
Fixed in dev-lang/perl-5.12.3-r1 which could be stabilized.
Comment 3 Tim Sammut (RETIRED) gentoo-dev 2011-04-26 02:45:00 UTC
(In reply to comment #2)
> Fixed in dev-lang/perl-5.12.3-r1 which could be stabilized.

Great, thank you.

Arches, please test and mark stable:
=dev-lang/perl-5.12.3-r1
Target keywords : "alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86"
Comment 4 Agostino Sarubbo gentoo-dev 2011-04-26 10:49:01 UTC
works here. amd64 ok
Comment 5 Kacper Kowalik (Xarthisius) (RETIRED) gentoo-dev 2011-04-26 12:41:05 UTC
ppc/ppc64 stable
Comment 6 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2011-04-26 14:11:38 UTC
x86 stable
Comment 7 Christoph Mende (RETIRED) gentoo-dev 2011-04-26 19:58:58 UTC
amd64 stable
Comment 8 Jeroen Roovers (RETIRED) gentoo-dev 2011-04-27 17:02:19 UTC
Stable for HPPA.
Comment 9 Tobias Klausmann (RETIRED) gentoo-dev 2011-05-02 13:20:38 UTC
Stable on alpha.
Comment 10 Raúl Porcel (RETIRED) gentoo-dev 2011-05-07 16:40:51 UTC
arm/ia64/m68k/s390/sh/sparc stable
Comment 11 Tim Sammut (RETIRED) gentoo-dev 2011-05-08 14:10:04 UTC
Thanks, folks. Added to existing GLSA request.
Comment 12 GLSAMaker/CVETool Bot gentoo-dev 2011-06-24 00:25:14 UTC
CVE-2011-1487 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1487):
  The (1) lc, (2) lcfirst, (3) uc, and (4) ucfirst functions in Perl 5.10.x,
  5.11.x, and 5.12.x through 5.12.3, and 5.13.x through 5.13.11, do not apply
  the taint attribute to the return value upon processing tainted input, which
  might allow context-dependent attackers to bypass the taint protection
  mechanism via a crafted string.
Comment 13 GLSAMaker/CVETool Bot gentoo-dev 2013-11-28 08:33:16 UTC
This issue was resolved and addressed in
 GLSA 201311-17 at http://security.gentoo.org/glsa/glsa-201311-17.xml
by GLSA coordinator Sergey Popov (pinkbyte).