
Bug 567482 (perl522stable)

Summary: dev-lang/perl-5.22.2 perl-core/* virtual/perl-* stabilization
Product: Gentoo Security
Reporter: Andreas K. Hüttel <dilfridge>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: ab4bd, alexander, craig, joost.ruis, josh, kentnl, paolo.pedroni, perl, strayer
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
Whiteboard:
Package list:
Runtime testing required: ---
Bug Depends on: 565794, 566938, 571400, 584238, 589680
Bug Blocks: 552260, 578370, 578642

Description Andreas K. Hüttel archtester gentoo-dev 2015-12-03 16:55:57 UTC
Tracker that will at some point be turned into a stablerequest. 
No talking here please.
Comment 1 Andreas K. Hüttel archtester gentoo-dev 2016-04-30 19:18:05 UTC
Provisionary stabilization list:

=dev-lang/perl-5.22.2
=virtual/perl-Archive-Tar-2.40.0
=virtual/perl-Attribute-Handlers-0.970.0
=virtual/perl-B-Debug-1.230.0
=virtual/perl-CPAN-2.110.0
=virtual/perl-CPAN-Meta-2.150.1
=virtual/perl-CPAN-Meta-Requirements-2.132.0
=virtual/perl-Carp-1.360.0
=virtual/perl-Compress-Raw-Bzip2-2.68.0
=virtual/perl-Compress-Raw-Zlib-2.68.0
=virtual/perl-DB_File-1.835.0
=virtual/perl-Data-Dumper-2.158.0
=virtual/perl-Devel-PPPort-3.310.0
=virtual/perl-Digest-MD5-2.540.0
=virtual/perl-Digest-SHA-5.950.0
=virtual/perl-Exporter-5.720.0
=virtual/perl-ExtUtils-CBuilder-0.280.221
=virtual/perl-ExtUtils-Command-1.200.0
=virtual/perl-ExtUtils-Install-2.40.0
=virtual/perl-ExtUtils-MakeMaker-7.40.100_rc
=virtual/perl-ExtUtils-Manifest-1.700.0-r1
=virtual/perl-ExtUtils-ParseXS-3.280.0
=virtual/perl-File-Spec-3.560.100
=virtual/perl-Filter-Simple-0.920.0
=virtual/perl-Getopt-Long-2.450.0
=virtual/perl-HTTP-Tiny-0.54.0
=virtual/perl-IO-1.350.0
=virtual/perl-IO-Compress-2.68.0
=virtual/perl-IO-Socket-IP-0.370.0
=virtual/perl-JSON-PP-2.273.0
=virtual/perl-Locale-Maketext-1.260.0
=virtual/perl-MIME-Base64-3.150.0
=virtual/perl-Math-BigInt-1.999.700
=virtual/perl-Math-BigRat-0.260.800
=virtual/perl-Module-CoreList-5.201.604.290
=virtual/perl-Module-Load-Conditional-0.640.0
=virtual/perl-Module-Metadata-1.0.26
=virtual/perl-Perl-OSType-1.8.0
=virtual/perl-Pod-Escapes-1.70.0
=virtual/perl-Pod-Parser-1.630.0
=virtual/perl-Pod-Simple-3.290.0
=virtual/perl-Safe-2.390.0
=virtual/perl-Scalar-List-Utils-1.410.0
=virtual/perl-Socket-2.18.0
=virtual/perl-Storable-2.530.100-r1
=virtual/perl-Term-ANSIColor-4.30.0
=virtual/perl-Term-ReadLine-1.150.0
=virtual/perl-Test-Harness-3.350.0
=virtual/perl-Test-Simple-1.1.14
=virtual/perl-Text-Balanced-2.30.0
=virtual/perl-Text-ParseWords-3.300.0
=virtual/perl-Time-Piece-1.290.0
=virtual/perl-Unicode-Collate-1.120.0
=virtual/perl-Unicode-Normalize-1.180.0
=virtual/perl-XSLoader-0.200.0
=virtual/perl-autodie-2.260.0
=virtual/perl-bignum-0.390.0
=virtual/perl-if-0.60.400
=virtual/perl-libnet-3.50.0
=virtual/perl-parent-0.232.0
=virtual/perl-threads-2.10.0
=virtual/perl-threads-shared-1.480.0
Comment 2 Paolo Pedroni 2016-05-02 08:59:15 UTC
In virtual/perl-Encode-2.730.0 ebuild there is a comment:

"# stabilize this together with dev-lang/perl-5.22*"

Shall we add it to the list?
Comment 3 Andreas K. Hüttel archtester gentoo-dev 2016-05-08 13:04:20 UTC
(In reply to Paolo Pedroni from comment #2)
> In virtual/perl-Encode-2.730.0 ebuild there is a comment:
> 
> "# stabilize this together with dev-lang/perl-5.22*"
> 
> Shall we add it to the list?

Yes, thank you.
Comment 4 Andreas K. Hüttel archtester gentoo-dev 2016-05-08 13:12:45 UTC
Arches please test and stabilize the whole list below simultaneously.
target: all stable arches

This fixes several CVEs (some not in Gentoo bugzilla yet), so please give it some priority.

If you have a clean deptree installed (e.g. no updates prevented by dependencies), and if you have recently run depclean, this should merge fine without any blockers, and also rebuild all your perl modules via the subslot change. If it does not, talk to me please.

=dev-lang/perl-5.22.2
=perl-core/Encode-2.730.0
=virtual/perl-Archive-Tar-2.40.0
=virtual/perl-Attribute-Handlers-0.970.0
=virtual/perl-B-Debug-1.230.0
=virtual/perl-CPAN-2.110.0
=virtual/perl-CPAN-Meta-2.150.1
=virtual/perl-CPAN-Meta-Requirements-2.132.0
=virtual/perl-Carp-1.360.0
=virtual/perl-Compress-Raw-Bzip2-2.68.0
=virtual/perl-Compress-Raw-Zlib-2.68.0
=virtual/perl-DB_File-1.835.0
=virtual/perl-Data-Dumper-2.158.0
=virtual/perl-Devel-PPPort-3.310.0
=virtual/perl-Digest-MD5-2.540.0
=virtual/perl-Digest-SHA-5.950.0
=virtual/perl-Encode-2.730.0
=virtual/perl-Exporter-5.720.0
=virtual/perl-ExtUtils-CBuilder-0.280.221
=virtual/perl-ExtUtils-Command-1.200.0
=virtual/perl-ExtUtils-Install-2.40.0
=virtual/perl-ExtUtils-MakeMaker-7.40.100_rc
=virtual/perl-ExtUtils-Manifest-1.700.0-r1
=virtual/perl-ExtUtils-ParseXS-3.280.0
=virtual/perl-File-Spec-3.560.100
=virtual/perl-Filter-Simple-0.920.0
=virtual/perl-Getopt-Long-2.450.0
=virtual/perl-HTTP-Tiny-0.54.0
=virtual/perl-IO-1.350.0
=virtual/perl-IO-Compress-2.68.0
=virtual/perl-IO-Socket-IP-0.370.0
=virtual/perl-JSON-PP-2.273.0
=virtual/perl-Locale-Maketext-1.260.0
=virtual/perl-MIME-Base64-3.150.0
=virtual/perl-Math-BigInt-1.999.700
=virtual/perl-Math-BigRat-0.260.800
=virtual/perl-Module-CoreList-5.201.604.290
=virtual/perl-Module-Load-Conditional-0.640.0
=virtual/perl-Module-Metadata-1.0.26
=virtual/perl-Perl-OSType-1.8.0
=virtual/perl-Pod-Escapes-1.70.0
=virtual/perl-Pod-Parser-1.630.0
=virtual/perl-Pod-Simple-3.290.0
=virtual/perl-Safe-2.390.0
=virtual/perl-Scalar-List-Utils-1.410.0
=virtual/perl-Socket-2.18.0
=virtual/perl-Storable-2.530.100-r1
=virtual/perl-Term-ANSIColor-4.30.0
=virtual/perl-Term-ReadLine-1.150.0
=virtual/perl-Test-Harness-3.350.0
=virtual/perl-Test-Simple-1.1.14
=virtual/perl-Text-Balanced-2.30.0
=virtual/perl-Text-ParseWords-3.300.0
=virtual/perl-Time-Piece-1.290.0
=virtual/perl-Unicode-Collate-1.120.0
=virtual/perl-Unicode-Normalize-1.180.0
=virtual/perl-XSLoader-0.200.0
=virtual/perl-autodie-2.260.0
=virtual/perl-bignum-0.390.0
=virtual/perl-if-0.60.400
=virtual/perl-libnet-3.50.0
=virtual/perl-parent-0.232.0
=virtual/perl-threads-2.10.0
=virtual/perl-threads-shared-1.480.0
Comment 5 Andreas K. Hüttel archtester gentoo-dev 2016-05-14 22:23:59 UTC
Arches please hold for a moment.

The release of 5.24 came earlier than expected, and some of the virtuals will see revision bumps because of new providers. 

I'll CC you back as soon as the updated stabilization list for 5.22 is ready (likely within 1-2 days). No code changes, only virtual revision number changes.
Comment 6 Andreas K. Hüttel archtester gentoo-dev 2016-05-14 23:38:20 UTC
Arches please test and stabilize the whole list below simultaneously.
Target: all stable arches

Updated stabilization list; changes are:
* one missing perl-core package and one missing virtual added
* several virtuals rev-bumped (because of additional provider Perl 5.24)

This fixes several CVEs (some not in Gentoo bugzilla yet), so please give it some priority.

If you have a clean deptree installed (e.g. no updates prevented by dependencies), and if you have recently run depclean, this should merge fine without any blockers, and also rebuild all your perl modules via the subslot change. If it does not, talk to me please.

=dev-lang/perl-5.22.2
=perl-core/Encode-2.730.0
=perl-core/Package-Constants-0.60.0
=virtual/perl-Archive-Tar-2.40.0-r1
=virtual/perl-Attribute-Handlers-0.970.0
=virtual/perl-B-Debug-1.230.0-r1
=virtual/perl-CPAN-2.110.0-r1
=virtual/perl-CPAN-Meta-2.150.1
=virtual/perl-CPAN-Meta-Requirements-2.132.0
=virtual/perl-Carp-1.360.0
=virtual/perl-Compress-Raw-Bzip2-2.68.0
=virtual/perl-Compress-Raw-Zlib-2.68.0
=virtual/perl-DB_File-1.835.0-r1
=virtual/perl-Data-Dumper-2.158.0
=virtual/perl-Devel-PPPort-3.310.0
=virtual/perl-Digest-MD5-2.540.0-r1
=virtual/perl-Digest-SHA-5.950.0-r1
=virtual/perl-Encode-2.730.0
=virtual/perl-Exporter-5.720.0-r1
=virtual/perl-ExtUtils-CBuilder-0.280.221
=virtual/perl-ExtUtils-Command-1.200.0
=virtual/perl-ExtUtils-Install-2.40.0-r1
=virtual/perl-ExtUtils-MakeMaker-7.40.100_rc
=virtual/perl-ExtUtils-Manifest-1.700.0-r2
=virtual/perl-ExtUtils-ParseXS-3.280.0
=virtual/perl-File-Spec-3.560.100
=virtual/perl-Filter-Simple-0.920.0-r1
=virtual/perl-Getopt-Long-2.450.0
=virtual/perl-HTTP-Tiny-0.54.0
=virtual/perl-IO-1.350.0
=virtual/perl-IO-Compress-2.68.0
=virtual/perl-IO-Socket-IP-0.370.0-r1
=virtual/perl-JSON-PP-2.273.0-r1
=virtual/perl-Locale-Maketext-1.260.0-r1
=virtual/perl-MIME-Base64-3.150.0-r1
=virtual/perl-Math-BigInt-1.999.700
=virtual/perl-Math-BigRat-0.260.800
=virtual/perl-Module-CoreList-5.201.604.290
=virtual/perl-Module-Load-Conditional-0.640.0-r1
=virtual/perl-Module-Metadata-1.0.26
=virtual/perl-Package-Constants-0.60.0
=virtual/perl-Perl-OSType-1.8.0
=virtual/perl-Pod-Escapes-1.70.0-r1
=virtual/perl-Pod-Parser-1.630.0-r1
=virtual/perl-Pod-Simple-3.290.0
=virtual/perl-Safe-2.390.0-r1
=virtual/perl-Scalar-List-Utils-1.410.0
=virtual/perl-Socket-2.18.0
=virtual/perl-Storable-2.530.100-r1
=virtual/perl-Term-ANSIColor-4.30.0
=virtual/perl-Term-ReadLine-1.150.0-r1
=virtual/perl-Test-Harness-3.350.0
=virtual/perl-Test-Simple-1.1.14-r1
=virtual/perl-Text-Balanced-2.30.0-r1
=virtual/perl-Text-ParseWords-3.300.0-r1
=virtual/perl-Time-Piece-1.290.0
=virtual/perl-Unicode-Collate-1.120.0
=virtual/perl-Unicode-Normalize-1.180.0
=virtual/perl-XSLoader-0.200.0
=virtual/perl-autodie-2.260.0
=virtual/perl-bignum-0.390.0
=virtual/perl-if-0.60.400
=virtual/perl-libnet-3.50.0
=virtual/perl-parent-0.232.0
=virtual/perl-threads-2.10.0
=virtual/perl-threads-shared-1.480.0
Comment 7 Markus Meier gentoo-dev 2016-05-19 19:11:45 UTC
arm stable
Comment 8 Tobias Klausmann (RETIRED) gentoo-dev 2016-05-24 15:48:12 UTC
Stable on alpha.
Comment 9 Kent Fredric (IRC: kent\n) (RETIRED) gentoo-dev 2016-07-16 18:14:32 UTC
Arches please test and stabilize the whole list below simultaneously.
Target: all stable arches

Updated stabilization list; changes are:
* virtual/perl-Test-Simple changed to newer virtual (_p522) that only resolves to dev-lang/perl
  instead of falling back to perl-core/Test-* ( Fix for bug #584238 )

If you have a clean deptree installed (e.g. no updates prevented by dependencies), and if you have recently run depclean, this should merge fine without any blockers, and also rebuild all your perl modules via the subslot change. If it does not, talk to me please.

=dev-lang/perl-5.22.2
=perl-core/Encode-2.730.0
=perl-core/Package-Constants-0.60.0
=virtual/perl-Archive-Tar-2.40.0-r1
=virtual/perl-Attribute-Handlers-0.970.0
=virtual/perl-B-Debug-1.230.0-r1
=virtual/perl-CPAN-2.110.0-r1
=virtual/perl-CPAN-Meta-2.150.1
=virtual/perl-CPAN-Meta-Requirements-2.132.0
=virtual/perl-Carp-1.360.0
=virtual/perl-Compress-Raw-Bzip2-2.68.0
=virtual/perl-Compress-Raw-Zlib-2.68.0
=virtual/perl-DB_File-1.835.0-r1
=virtual/perl-Data-Dumper-2.158.0
=virtual/perl-Devel-PPPort-3.310.0
=virtual/perl-Digest-MD5-2.540.0-r1
=virtual/perl-Digest-SHA-5.950.0-r1
=virtual/perl-Encode-2.730.0
=virtual/perl-Exporter-5.720.0-r1
=virtual/perl-ExtUtils-CBuilder-0.280.221
=virtual/perl-ExtUtils-Command-1.200.0
=virtual/perl-ExtUtils-Install-2.40.0-r1
=virtual/perl-ExtUtils-MakeMaker-7.40.100_rc
=virtual/perl-ExtUtils-Manifest-1.700.0-r2
=virtual/perl-ExtUtils-ParseXS-3.280.0
=virtual/perl-File-Spec-3.560.100
=virtual/perl-Filter-Simple-0.920.0-r1
=virtual/perl-Getopt-Long-2.450.0
=virtual/perl-HTTP-Tiny-0.54.0
=virtual/perl-IO-1.350.0
=virtual/perl-IO-Compress-2.68.0
=virtual/perl-IO-Socket-IP-0.370.0-r1
=virtual/perl-JSON-PP-2.273.0-r1
=virtual/perl-Locale-Maketext-1.260.0-r1
=virtual/perl-MIME-Base64-3.150.0-r1
=virtual/perl-Math-BigInt-1.999.700
=virtual/perl-Math-BigRat-0.260.800
=virtual/perl-Module-CoreList-5.201.604.290
=virtual/perl-Module-Load-Conditional-0.640.0-r1
=virtual/perl-Module-Metadata-1.0.26
=virtual/perl-Package-Constants-0.60.0
=virtual/perl-Perl-OSType-1.8.0
=virtual/perl-Pod-Escapes-1.70.0-r1
=virtual/perl-Pod-Parser-1.630.0-r1
=virtual/perl-Pod-Simple-3.290.0
=virtual/perl-Safe-2.390.0-r1
=virtual/perl-Scalar-List-Utils-1.410.0
=virtual/perl-Socket-2.18.0
=virtual/perl-Storable-2.530.100-r1
=virtual/perl-Term-ANSIColor-4.30.0
=virtual/perl-Term-ReadLine-1.150.0-r1
=virtual/perl-Test-Harness-3.350.0
=virtual/perl-Test-Simple-1.1.14_p522
=virtual/perl-Text-Balanced-2.30.0-r1
=virtual/perl-Text-ParseWords-3.300.0-r1
=virtual/perl-Time-Piece-1.290.0
=virtual/perl-Unicode-Collate-1.120.0
=virtual/perl-Unicode-Normalize-1.180.0
=virtual/perl-XSLoader-0.200.0
=virtual/perl-autodie-2.260.0
=virtual/perl-bignum-0.390.0
=virtual/perl-if-0.60.400
=virtual/perl-libnet-3.50.0
=virtual/perl-parent-0.232.0
=virtual/perl-threads-2.10.0
=virtual/perl-threads-shared-1.480.0
Comment 10 Jeroen Roovers (RETIRED) gentoo-dev 2016-07-31 23:52:57 UTC
!!! All ebuilds that could satisfy "~perl-core/Test-Simple-1.1.14" have been masked.
!!! One of the following masked packages is required to complete your request:
- perl-core/Test-Simple-1.1.14-r1::gentoo (masked by: package.mask)

(dependency required by "virtual/perl-Test-Simple-1.1.14-r2::gentoo" [ebuild])
(dependency required by "dev-perl/Test-Tester-0.114.0::gentoo" [installed])
(dependency required by "dev-perl/Test-NoWarnings-1.40.0-r2::gentoo" [installed])
(dependency required by "dev-perl/Net-SSLeay-1.720.0-r1::gentoo[test,-minimal]" [installed])
(dependency required by "dev-perl/IO-Socket-SSL-2.24.0::gentoo" [installed])
(dependency required by "dev-perl/Net-HTTP-6.90.0::gentoo[-minimal]" [installed])
(dependency required by "dev-perl/libwww-perl-6.150.0::gentoo" [installed])
(dependency required by "x11-misc/xscreensaver-5.35::gentoo[perl]" [installed])
(dependency required by "@selected" [set])
(dependency required by "@world" [argument])
For more information, see the MASKED PACKAGES section in the emerge
man page or refer to the Gentoo Handbook.

Is this an oversight or am I doing it wrong?
Comment 11 Jeroen Roovers (RETIRED) gentoo-dev 2016-08-02 06:26:16 UTC
It really does look like dev-perl/Test-Tester needs to be bumped.
Comment 12 Kent Fredric (IRC: kent\n) (RETIRED) gentoo-dev 2016-08-02 10:44:16 UTC
> Depends on: 584238

Stabilization can't wait on this bug, because that bug needs stabilization to happen to finish the changes it needs (because it needs perl to be stable in order to provide Test::Tester via perl instead of via perl-core/).
Comment 13 Jeroen Roovers (RETIRED) gentoo-dev 2016-08-17 02:25:49 UTC
This is a security bug.
Comment 14 Andreas K. Hüttel archtester gentoo-dev 2016-08-18 16:37:10 UTC
(In reply to Jeroen Roovers from comment #13)
> This is a security bug.

Hah, someone realized! Cool! :)

However, no need for hastiness right now. (Ho hum.)

Perl 5.22.3 will come out really soon (in 2-3 weeks? it is at RC3 now), will fix a new set of more serious CVEs, and its stable request will supersede this bug here.
Comment 15 Agostino Sarubbo gentoo-dev 2016-09-14 07:28:30 UTC
amd64 stable
Comment 16 Agostino Sarubbo gentoo-dev 2016-09-29 09:06:39 UTC
x86 stable
Comment 17 Agostino Sarubbo gentoo-dev 2016-09-29 09:22:37 UTC
sparc stable
Comment 18 Agostino Sarubbo gentoo-dev 2016-09-29 10:34:51 UTC
ppc64 stable
Comment 19 Agostino Sarubbo gentoo-dev 2016-09-29 11:01:30 UTC
ppc stable
Comment 20 Agostino Sarubbo gentoo-dev 2016-09-29 13:47:01 UTC
ia64 stable
Comment 21 Thomas Deutschmann (RETIRED) gentoo-dev 2016-11-29 21:01:57 UTC
@ HPPA AT: *ping* - You are the last one...
Comment 22 Andreas K. Hüttel archtester gentoo-dev 2016-12-08 15:48:48 UTC
(In reply to Thomas Deutschmann from comment #21)
> @ HPPA AT: *ping* - You are the last one...

Please continue in bug 589680, where a newer version is stabilized.
Comment 23 Thomas Deutschmann (RETIRED) gentoo-dev 2017-01-22 00:55:34 UTC
I found the following CVEs between perl-5.20.2 and perl-5.22.2:

CVE-2015-8607

The canonpath function in the File::Spec module in PathTools before 3.62, as used in Perl, does not properly preserve the taint attribute of data, which might allow context-dependent attackers to bypass the taint protection mechanism via a crafted string.


CVE-2015-8608 (doesn't apply, Windows only)

VDir::MapPathA/W Out-of-bounds Reads and Buffer Over-reads


CVE-2016-2381

Perl might allow context-dependent attackers to bypass the taint protection mechanism in a child process via duplicate environment variables in envp.


CVE-2014-4330 (already handled in bug 523624)

The Dumper method in Data::Dumper before 2.154, as used in Perl 5.20.1 and earlier, allows context-dependent attackers to cause a denial of service (stack consumption and crash) via an Array-Reference with many nested Array-References, which triggers a large number of recursive calls to the DD_dump function.
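A taint-preservation check for the CVE-2015-8607 behaviour described above, as an added example that is not part of the bug report or of Perl's own test suite. It assumes only the core File::Spec and Scalar::Util modules; the sample path is constructed, and the script must be started with `perl -T` so that its inputs are tainted.

```perl
#!/usr/bin/perl -T
# Added example (not from the bug report): reports whether the installed
# File::Spec->canonpath keeps Perl's taint flag on its result, which is the
# property PathTools < 3.62 lost (CVE-2015-8607). Run it as
#   perl -T canonpath_taint_check.pl '/tmp/../etc/./passwd'
# The argument is a constructed sample; with no argument $ENV{PATH} is used.
use strict;
use warnings;
use File::Spec;
use Scalar::Util qw(tainted);

# Under -T, @ARGV and %ENV values are tainted, so either source gives a
# tainted input without any untainting trickery on our side.
my $raw = @ARGV ? $ARGV[0] : $ENV{PATH};

# If the input is not tainted the check proves nothing, so refuse to
# continue (this happens when the script is run without -T).
die "input is not tainted; run this script under perl -T\n"
    unless tainted($raw);

my $canon = File::Spec->canonpath($raw);

printf "File::Spec version : %s\n", File::Spec->VERSION;
printf "input              : %s\n", $raw;
printf "canonpath          : %s\n", $canon;
printf "canonpath tainted  : %s\n", tainted($canon) ? 'yes' : 'no';

if (tainted($canon)) {
    print "OK: canonpath preserves taint on this Perl.\n";
    exit 0;
}
print "WARNING: canonpath dropped the taint flag; untrusted paths passed\n",
      "through it would escape taint checks (CVE-2015-8607 behaviour).\n";
exit 1;
```

The exit status (0 preserved, 1 dropped) makes the check usable from a fleet audit script; note that it tests the File::Spec actually loaded, so a perl-core/ or dev-perl/ PathTools installed over the core copy is what gets checked.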
Comment 24 Thomas Deutschmann (RETIRED) gentoo-dev 2017-01-22 01:00:27 UTC
Added to an existing GLSA request.
Comment 25 Thomas Deutschmann (RETIRED) gentoo-dev 2017-01-22 01:09:46 UTC
Removing CVE-2016-2381, not fixed in this version.
Comment 26 Thomas Deutschmann (RETIRED) gentoo-dev 2017-01-22 01:35:33 UTC
Looks like I was checking the wrong changelogs, CVE-2015-8607 isn't fixed in <=5.22.2.

Bug removed from GLSA request because currently no vulnerability is assigned to this bug.


(In reply to Andreas K. Hüttel from comment #14)
> (In reply to Jeroen Roovers from comment #13)
> > This is a security bug.
> 
> Hah, someone realized! Cool! :)
> 
> However, no need for hastiness right now. (Ho hum.)
> 
> Perl 5.22.3 will come out really soon (in 2-3 weeks? it is at RC3 now), will
> fix a new set of more serious CVEs, and its stable request will supersede
> this bug here.

Please help. We currently only have CVE-2015-8853 (but tracked in bug 580612) for <perl-5.22.2.
Comment 27 Kent Fredric (IRC: kent\n) (RETIRED) gentoo-dev 2017-02-19 16:20:10 UTC
(In reply to Thomas Deutschmann from comment #26)
> Looks like I was checking the wrong changelogs, CVE-2015-8607 isn't fixed in
> <=5.22.2.
> 

2015-8607 re: File::Spec taint-preservation sec was fixed a long time ago. It was fixed in 796b9b6266671fdab40a84d7a8bcbd43106b160b, which is a child of 5.22.2

git tag --contains 796b9b6266671fdab40a84d7a8bcbd43106b160b
 gentoo-5.22.3-RC4-patches-2
 v5.22.2
 v5.22.2-RC1
 v5.22.3
 v5.22.3-RC1
 v5.22.3-RC2
 v5.22.3-RC3
 v5.22.3-RC4
 v5.22.3-RC5

So please close this bug whenever you're ready Sec team.

<=5.22.2 is gone \o/