
Bug 589680 (CVE-2016-1238)

Summary: <dev-lang/perl-{5.22.3_rc4,5.24.1_rc4}: unsafe module load path (CVE-2016-1238)
Product: Gentoo Security
Reporter: Andreas K. Hüttel <dilfridge>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: major
CC: joost.ruis, kentnl
Priority: Normal
Flags: stable-bot: sanity-check+
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: A1 [glsa cve]
Package list:
=dev-lang/perl-5.22.3_rc4 hppa arm64 ia64 ppc ppc64 sparc =virtual/perl-Archive-Tar-2.40.100_rc-r1 hppa arm64 ia64 ppc ppc64 sparc =virtual/perl-bignum-0.390.100_rc hppa arm64 ia64 ppc ppc64 sparc =virtual/perl-CPAN-2.110.100_rc-r1 hppa arm64 ia64 ppc ppc64 sparc =virtual/perl-Digest-1.170.100_rc-r1 hppa arm64 ia64 ppc ppc64 sparc =virtual/perl-Digest-SHA-5.950.100_rc-r1 hppa arm64 ia64 ppc ppc64 sparc =virtual/perl-ExtUtils-Command-1.200.100_rc hppa arm64 ia64 ppc ppc64 sparc =virtual/perl-ExtUtils-MakeMaker-7.40.200_rc hppa arm64 ia64 ppc ppc64 sparc =virtual/perl-File-Spec-3.560.200_rc hppa arm64 ia64 ppc ppc64 sparc =virtual/perl-HTTP-Tiny-0.54.10_rc hppa arm64 ia64 ppc ppc64 sparc =virtual/perl-IO-Compress-2.68.1_rc hppa arm64 ia64 ppc ppc64 sparc =virtual/perl-IO-1.350.100_rc hppa arm64 ia64 ppc ppc64 sparc =virtual/perl-IPC-Cmd-0.920.100_rc-r1 hppa arm64 ia64 ppc ppc64 sparc =virtual/perl-JSON-PP-2.273.0.100_rc-r1 hppa arm64 ia64 ppc ppc64 sparc =virtual/perl-libnet-3.50.100_rc hppa arm64 ia64 ppc ppc64 sparc =virtual/perl-Locale-Maketext-1.260.100_rc-r1 hppa arm64 ia64 ppc ppc64 sparc =virtual/perl-Locale-Maketext-Simple-0.210.100_rc-r1 hppa arm64 ia64 ppc ppc64 sparc =virtual/perl-Memoize-1.30.100_rc-r1 hppa arm64 ia64 ppc ppc64 sparc =virtual/perl-Module-CoreList-5.201.610.192.200_rc hppa arm64 ia64 ppc ppc64 sparc =virtual/perl-Net-Ping-2.430.100_rc-r1 hppa arm64 ia64 ppc ppc64 sparc =virtual/perl-Parse-CPAN-Meta-1.441.400.100_rc hppa arm64 ia64 ppc ppc64 sparc =virtual/perl-Storable-2.530.200_rc hppa arm64 ia64 ppc ppc64 sparc =virtual/perl-Sys-Syslog-0.330.100_rc-r1 hppa arm64 ia64 ppc ppc64 sparc =virtual/perl-Test-Harness-3.350.100_rc hppa arm64 ia64 ppc ppc64 sparc =virtual/perl-Test-1.260.100_rc hppa arm64 ia64 ppc ppc64 sparc =virtual/perl-XSLoader-0.200.100_rc hppa arm64 ia64 ppc ppc64 sparc =virtual/perl-AutoLoader-5.740.0-r3 hppa arm64 =virtual/perl-Safe-2.390.0-r2 hppa arm64 =virtual/perl-Time-Piece-1.290.0-r1 hppa arm64 
=virtual/perl-threads-2.10.0-r1 hppa arm64 =virtual/perl-threads-shared-1.480.0-r1 hppa arm64 =virtual/perl-Attribute-Handlers-0.970.0-r1 hppa arm64 =virtual/perl-autodie-2.260.0-r1 hppa arm64 =virtual/perl-B-Debug-1.230.0-r2 hppa arm64 =virtual/perl-Carp-1.360.0-r1 hppa arm64 =virtual/perl-Compress-Raw-Bzip2-2.68.0-r1 hppa arm64 =virtual/perl-Compress-Raw-Zlib-2.68.0-r1 hppa arm64 =virtual/perl-CPAN-Meta-2.150.1-r1 hppa arm64 =virtual/perl-CPAN-Meta-Requirements-2.132.0-r1 hppa arm64 =virtual/perl-Data-Dumper-2.158.0-r1 hppa arm64 =virtual/perl-DB_File-1.835.0-r2 hppa arm64 =virtual/perl-Devel-PPPort-3.310.0-r1 hppa arm64 =virtual/perl-Digest-MD5-2.540.0-r2 hppa arm64 =virtual/perl-Encode-2.730.0-r1 hppa arm64 =perl-core/Encode-2.730.0 hppa arm64 =virtual/perl-Exporter-5.720.0-r2 hppa arm64 =virtual/perl-ExtUtils-CBuilder-0.280.221-r1 hppa arm64 =virtual/perl-ExtUtils-Install-2.40.0-r2 hppa arm64 =virtual/perl-ExtUtils-Manifest-1.700.0-r3 hppa arm64 =virtual/perl-ExtUtils-ParseXS-3.280.0-r1 hppa arm64 =virtual/perl-Filter-Simple-0.920.0-r2 hppa arm64 =virtual/perl-Getopt-Long-2.450.0-r1 hppa arm64 =virtual/perl-IO-Socket-IP-0.370.0-r2 hppa arm64 =virtual/perl-if-0.60.400-r1 hppa arm64 =virtual/perl-Math-BigInt-1.999.700-r1 hppa arm64 =virtual/perl-Math-BigRat-0.260.800-r1 hppa arm64 =virtual/perl-MIME-Base64-3.150.0-r2 hppa arm64 =virtual/perl-Module-Load-Conditional-0.640.0-r2 hppa arm64 =virtual/perl-parent-0.232.0-r1 hppa arm64 =virtual/perl-Package-Constants-0.60.0-r1 hppa arm64 =perl-core/Package-Constants-0.60.0 hppa arm64 =virtual/perl-Perl-OSType-1.8.0-r1 hppa arm64 =virtual/perl-Pod-Escapes-1.70.0-r2 hppa arm64 =virtual/perl-Pod-Parser-1.630.0-r2 hppa arm64 =virtual/perl-Pod-Simple-3.290.0-r1 hppa arm64 =virtual/perl-Scalar-List-Utils-1.410.0-r1 hppa arm64 =virtual/perl-Socket-2.18.0-r1 hppa arm64 =virtual/perl-Term-ANSIColor-4.30.0-r1 hppa arm64 =virtual/perl-Term-ReadLine-1.150.0-r2 hppa arm64 =virtual/perl-Test-Simple-1.1.14_p522-r1 hppa arm64 
=virtual/perl-Text-Balanced-2.30.0-r2 hppa arm64 =virtual/perl-Text-ParseWords-3.300.0-r2 hppa arm64 =virtual/perl-Unicode-Collate-1.120.0-r1 hppa arm64 =virtual/perl-Unicode-Normalize-1.180.0-r1 hppa arm64
Runtime testing required: Yes
Bug Depends on: 606732, 606914, 609196    
Bug Blocks: 567482, 578370, 579866, 580612, 586418, 588592    
Attachments:
stabilization list (dilfridge: stabilization-list+)
stabilization list (kentnl: stabilization-list+)

Description Andreas K. Hüttel archtester gentoo-dev 2016-07-25 15:08:29 UTC
The tools and many modules supplied in core Perl search the
default current directory entry in @INC for optional modules.

This allows an attacker to inject an optional module into a process
run by another user where the current directory is writable by the
attacker, e.g. the /tmp directory.

See also:
https://rt.perl.org/Public/Bug/Display.html?id=127834

To be fixed in 5.22.3 and 5.24.1, release is pending
Comment 1 GLSAMaker/CVETool Bot gentoo-dev 2016-11-21 09:30:50 UTC
CVE-2016-1238 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1238):
  (1) cpan/Archive-Tar/bin/ptar, (2) cpan/Archive-Tar/bin/ptardiff, (3)
  cpan/Archive-Tar/bin/ptargrep, (4) cpan/CPAN/scripts/cpan, (5)
  cpan/Digest-SHA/shasum, (6) cpan/Encode/bin/enc2xs, (7)
  cpan/Encode/bin/encguess, (8) cpan/Encode/bin/piconv, (9)
  cpan/Encode/bin/ucmlint, (10) cpan/Encode/bin/unidump, (11)
  cpan/ExtUtils-MakeMaker/bin/instmodsh, (12) cpan/IO-Compress/bin/zipdetails,
  (13) cpan/JSON-PP/bin/json_pp, (14) cpan/Test-Harness/bin/prove, (15)
  dist/ExtUtils-ParseXS/lib/ExtUtils/xsubpp, (16)
  dist/Module-CoreList/corelist, (17) ext/Pod-Html/bin/pod2html, (18)
  utils/c2ph.PL, (19) utils/h2ph.PL, (20) utils/h2xs.PL, (21)
  utils/libnetcfg.PL, (22) utils/perlbug.PL, (23) utils/perldoc.PL, (24)
  utils/perlivp.PL, and (25) utils/splain.PL in Perl 5.x before 5.22.3-RC2 and
  5.24 before 5.24.1-RC2 do not properly remove . (period) characters from the
  end of the includes directory array, which might allow local users to gain
  privileges via a Trojan horse module under the current working directory.
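The CVE text above describes the fix as removing a trailing "." from the includes directory array. The following added example (my own illustration, not code from this bug, from Gentoo, or from perl upstream) shows a read-only check for that entry plus the compile-time guard the fixed core scripts rely on; the sample @INC path is constructed.

```perl
#!/usr/bin/perl
# Added example for CVE-2016-1238: detect a trailing '.' in @INC and drop it
# before any optional module is resolved. Not code from the bug or upstream.
use strict;
use warnings;

# Perl through 5.24 appends '.' to @INC unless taint mode is on, so a script
# run from a world-writable directory such as /tmp would search that
# directory for any module it loads optionally. Fixed core scripts guard
# against this in a BEGIN block, which runs at compile time before any later
# 'use' or 'require' statement is resolved.
BEGIN {
    pop @INC if @INC && $INC[-1] eq '.';
}

# Returns 1 if the last entry of the given list (or the live @INC when called
# with no arguments) is the current directory, 0 otherwise.
sub inc_has_trailing_dot {
    my @inc = @_ ? @_ : @INC;
    return (@inc && $inc[-1] eq '.') ? 1 : 0;
}

# Returns a copy of the given include list with a trailing '.' removed.
sub strip_trailing_dot {
    my @inc = @_;
    pop @inc if @inc && $inc[-1] eq '.';
    return @inc;
}

# Read-only audit: for each module name, report a file under $cwd that would
# have been picked up via the '.' entry (Foo::Bar -> $cwd/Foo/Bar.pm).
sub cwd_shadow_candidates {
    my ($cwd, @modules) = @_;
    my @hits;
    for my $mod (@modules) {
        (my $rel = "$mod.pm") =~ s{::}{/}g;
        push @hits, "$cwd/$rel" if -e "$cwd/$rel";
    }
    return @hits;
}

# Demo against constructed data (the library path is made up for the example).
my @sample_inc = ('/usr/lib64/perl5/vendor_perl/5.22.3', '.');
print "sample list has trailing '.': ", inc_has_trailing_dot(@sample_inc), "\n";
print "after strip: @{[ strip_trailing_dot(@sample_inc) ]}\n";
print "live \@INC still has trailing '.': ", inc_has_trailing_dot(), "\n";
print "cwd candidates: @{[ cwd_shadow_candidates('.', qw(Archive::Tar JSON::PP)) ]}\n";
```

Run it from a scratch directory to see which of the listed modules would have been resolved from the working directory on an unpatched interpreter; the BEGIN guard is what the fixed scripts listed in the CVE text apply.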
Comment 2 Andreas K. Hüttel archtester gentoo-dev 2016-12-08 15:42:55 UTC
For the record, statement from perl team (written by kent\n)
----------------------------------------------------------------

Perl 5.22.3 is getting to a stage of "ridiculous amounts of time
shipping a critical release" now and so we're planning on shipping one
of their release candidates with their fixes.

All the "Actually vulnerable modules" have been fixed and they're a done deal
and there's no drama around them.

There's only one place that's holding upstream back, and that's they think they
need to severely break base.pm's API in a bugfix release.

Due to the nature of this change, it does break a lot of things without
actually changing the overall landscape of the security surface, and it
seemed logical to me that the right thing to do security wise, is
bypass upstream and ship their RC now with base.pm reverted into an
"uncontentious" state.

This way we can get 5.22.3 with as many security fixes as possible, now,
instead of sitting here with no fixes for goodness knows how long, and we
don't have to trade off with "uh oh, lots of code breaks" happening with
our next stable candidate.

The worst thing about the nature of this change is the primary risk audiences
are audiences who have old code bases, especially not code-bases on CPAN,
where base.pm could no longer see libraries that were designed to be loaded
via './' implicit behaviour ( such as maybe some infra scripts ). 

Upstream don't even have a transition strategy in place, YOUR STUFF WILL
JUST START BREAKING!

The fear is I've/we've missed some important consideration, and I need the
oversight of you dear people, but we don't want a possible PR disaster with
"(LWN: Gentoo deliberately ships vulnerable Perl)" or similar problems.

[ I can see this email on wikileaks already with somebody on 4chan finding 
a smoking gun ]

Upstream's changes to base.pm will eventually surface, and so far I think it's
sensible to slate that in 5.24.1+ instead, so that this API breakage will get
adequate testing before we deem it "stable".

Worst Case Scenario: We can still ship perl-5.22.3 with base.pm patched
as upstream have later, at the price of breaking potentially everything. But
I'd rather not.
Comment 3 Andreas K. Hüttel archtester gentoo-dev 2016-12-08 15:44:53 UTC
Arches please stabilize the following dev-lang/perl and virtuals:

# All arches needed action
dev-lang/perl-5.22.3_rc4                                             all
virtual/perl-Archive-Tar-2.40.100_rc-r1                              all
virtual/perl-bignum-0.390.100_rc                                     all
virtual/perl-CPAN-2.110.100_rc-r1                                    all
virtual/perl-Digest-1.170.100_rc-r1                                  all
virtual/perl-Digest-SHA-5.950.100_rc-r1                              all
virtual/perl-ExtUtils-Command-1.200.100_rc                           all
virtual/perl-ExtUtils-MakeMaker-7.40.200_rc                          all
virtual/perl-File-Spec-3.560.200_rc                                  all
virtual/perl-HTTP-Tiny-0.54.10_rc                                    all
virtual/perl-IO-Compress-2.68.1_rc                                   all
virtual/perl-IO-1.350.100_rc                                         all
virtual/perl-IPC-Cmd-0.920.100_rc-r1                                 all
virtual/perl-JSON-PP-2.273.0.100_rc-r1                               all
virtual/perl-libnet-3.50.100_rc                                      all
virtual/perl-Locale-Maketext-1.260.100_rc-r1                         all
virtual/perl-Locale-Maketext-Simple-0.210.100_rc-r1                  all
virtual/perl-Memoize-1.30.100_rc-r1                                  all
virtual/perl-Module-CoreList-5.201.610.192.200_rc                    all
virtual/perl-Net-Ping-2.430.100_rc-r1                                all
virtual/perl-Parse-CPAN-Meta-1.441.400.100_rc                        all
virtual/perl-Storable-2.530.200_rc                                   all
virtual/perl-Sys-Syslog-0.330.100_rc-r1                              all
virtual/perl-Test-Harness-3.350.100_rc                               all
virtual/perl-Test-1.260.100_rc                                       all
virtual/perl-XSLoader-0.200.100_rc                                   all

# Arches that are lagging due to keyword history
virtual/perl-AutoLoader-5.740.0-r3                              arm hppa
virtual/perl-ExtUtils-Constant-0.230.0-r9                            arm
virtual/perl-Module-Loaded-0.80.0-r7                                 arm
virtual/perl-Safe-2.390.0-r2                                         arm
virtual/perl-Thread-Queue-3.50.0-r2                                  arm
virtual/perl-Thread-Semaphore-2.120.0-r7                             arm
virtual/perl-Tie-RefHash-1.390.0-r6                                  arm
virtual/perl-Time-Piece-1.290.0-r1                              arm hppa
virtual/perl-threads-2.10.0-r1                                  arm hppa
virtual/perl-threads-shared-1.480.0-r1                          arm hppa

# HPPA Lagging
perl-core/Encode-2.730.0                                            hppa
virtual/perl-Attribute-Handlers-0.970.0-r1                          hppa
virtual/perl-autodie-2.260.0-r1                                     hppa
virtual/perl-B-Debug-1.230.0-r2                                     hppa
virtual/perl-Carp-1.360.0-r1                                        hppa
virtual/perl-Compress-Raw-Bzip2-2.68.0-r1                           hppa
virtual/perl-Compress-Raw-Zlib-2.68.0-r1                            hppa
virtual/perl-CPAN-Meta-2.150.1-r1                                   hppa
virtual/perl-CPAN-Meta-Requirements-2.132.0-r1                      hppa
virtual/perl-Data-Dumper-2.158.0-r1                                 hppa
virtual/perl-DB_File-1.835.0-r2                                     hppa
virtual/perl-Devel-PPPort-3.310.0-r1                                hppa
virtual/perl-Digest-MD5-2.540.0-r2                                  hppa
virtual/perl-Encode-2.730.0-r1                                      hppa
virtual/perl-Exporter-5.720.0-r2                                    hppa
virtual/perl-ExtUtils-CBuilder-0.280.221-r1                         hppa
virtual/perl-ExtUtils-Install-2.40.0-r2                             hppa
virtual/perl-ExtUtils-Manifest-1.700.0-r3                           hppa
virtual/perl-ExtUtils-ParseXS-3.280.0-r1                            hppa
virtual/perl-Filter-Simple-0.920.0-r2                               hppa
virtual/perl-Getopt-Long-2.450.0-r1                                 hppa
virtual/perl-IO-Socket-IP-0.370.0-r2                                hppa
virtual/perl-if-0.60.400-r1                                         hppa
virtual/perl-Math-BigInt-1.999.700-r1                               hppa
virtual/perl-Math-BigRat-0.260.800-r1                               hppa
virtual/perl-MIME-Base64-3.150.0-r2                                 hppa
virtual/perl-Module-Load-Conditional-0.640.0-r2                     hppa
virtual/perl-parent-0.232.0-r1                                      hppa
virtual/perl-Package-Constants-0.60.0-r1                            hppa
virtual/perl-Perl-OSType-1.8.0-r1                                   hppa
virtual/perl-Pod-Escapes-1.70.0-r2                                  hppa
virtual/perl-podlators-2.5.3-r2                                     hppa
virtual/perl-Pod-Parser-1.630.0-r2                                  hppa
virtual/perl-Pod-Simple-3.290.0-r1                                  hppa
virtual/perl-Scalar-List-Utils-1.410.0-r1                           hppa
virtual/perl-Socket-2.18.0-r1                                       hppa
virtual/perl-Term-ANSIColor-4.30.0-r1                               hppa
virtual/perl-Term-ReadLine-1.150.0-r2                               hppa
virtual/perl-Test-Simple-1.1.14_p522-r1                             hppa
virtual/perl-Text-Balanced-2.30.0-r2                                hppa
virtual/perl-Text-ParseWords-3.300.0-r2                             hppa
virtual/perl-Unicode-Collate-1.120.0-r1                             hppa
virtual/perl-Unicode-Normalize-1.180.0-r1                           hppa
Comment 4 Tobias Klausmann (RETIRED) gentoo-dev 2016-12-12 13:35:11 UTC
Stable on alpha.
Comment 5 Markus Meier gentoo-dev 2016-12-17 07:05:02 UTC
arm stable
Comment 6 Aaron Bauman (RETIRED) gentoo-dev 2016-12-17 08:33:00 UTC
amd64 stable
Comment 7 Thomas Deutschmann (RETIRED) gentoo-dev 2016-12-23 00:23:21 UTC
x86 stable
Comment 8 Andreas K. Hüttel archtester gentoo-dev 2017-01-05 10:23:38 UTC
hppa, ia64, ppc, ppc64, sparc: ping pretty please!
Comment 9 Andreas K. Hüttel archtester gentoo-dev 2017-01-05 10:30:30 UTC
Created attachment 458804
stabilization list

Add attached stabilization list (identical to the one above)
Comment 10 Stabilization helper bot gentoo-dev 2017-01-07 14:27:54 UTC
An automated check of this bug failed - the following atom is unknown:

#

Please verify the atom list.
Comment 11 Stabilization helper bot gentoo-dev 2017-01-07 14:42:28 UTC
An automated check of this bug failed - repoman reported dependency errors: 

> dependency.bad virtual/perl-Package-Constants/perl-Package-Constants-0.60.0-r1.ebuild: RDEPEND: hppa(default/linux/hppa/13.0) ['~perl-core/Package-Constants-0.60.0']
Comment 12 Kent Fredric (IRC: kent\n) (RETIRED) gentoo-dev 2017-01-07 23:44:26 UTC
Created attachment 459118
stabilization list

Updated stabilization list:

- Reduced to show only work remaining to be done
- Added missing perl-core/ nodes required to sustain lagging hppa
Comment 13 Agostino Sarubbo gentoo-dev 2017-01-15 15:55:43 UTC
ppc stable
Comment 14 Agostino Sarubbo gentoo-dev 2017-01-17 14:32:15 UTC
ia64 stable
Comment 15 Agostino Sarubbo gentoo-dev 2017-01-18 09:51:17 UTC
sparc stable
Comment 16 Agostino Sarubbo gentoo-dev 2017-01-18 10:04:50 UTC
ppc64 stable
Comment 17 Andreas K. Hüttel archtester gentoo-dev 2017-01-18 11:23:50 UTC
hppa: ping pretty please
Comment 18 Jeroen Roovers (RETIRED) gentoo-dev 2017-01-21 14:04:08 UTC
Stable for HPPA.
Comment 19 Andreas K. Hüttel archtester gentoo-dev 2017-01-21 18:47:37 UTC
@ security: please go ahead with GLSAs as applicable, here and also in related bugs

Since masking the old versions confuses the portage dependency resolver, I'd rather not do that. 

Cleanup in a bit, when everyone has for sure updated (absent old ebuilds also confuse portage, yay).
Comment 20 Thomas Deutschmann (RETIRED) gentoo-dev 2017-01-21 22:10:49 UTC
New GLSA request filed.
Comment 21 GLSAMaker/CVETool Bot gentoo-dev 2017-01-29 23:45:46 UTC
This issue was resolved and addressed in
 GLSA 201701-75 at https://security.gentoo.org/glsa/201701-75
by GLSA coordinator Thomas Deutschmann (whissi).
Comment 22 Thomas Deutschmann (RETIRED) gentoo-dev 2017-01-29 23:48:17 UTC
Re-opening for cleanup.

@ Maintainer(s): Please cleanup and drop <dev-lang/perl-5.22.3_rc4 or apply masks indicating a security problem!
Comment 23 Kent Fredric (IRC: kent\n) (RETIRED) gentoo-dev 2017-02-19 15:43:34 UTC
Affected Perl versions cleaned up as of:

commit:  2777260fbdd69f8c09cb1477ec96501e93cf4731
author:  2017-01-24 20:05:47 +0000 Kent Fredric <kentnl@gentoo.org>
commit:  2017-02-19 15:22:28 +0000 Kent Fredric <kentnl@gentoo.org>
gpg-key: E854324B1366A820

    dev-lang/perl, virtual/perl-*: Cleanup 5.20* and eblits re bug #589680 and bug #586418

    Bug: https://bugs.gentoo.org/586418
    Bug: https://bugs.gentoo.org/589680
Comment 24 Aaron Bauman (RETIRED) gentoo-dev 2017-02-22 11:03:25 UTC
tree is clean.
Comment 25 Andreas K. Hüttel archtester gentoo-dev 2017-02-22 19:36:09 UTC
perl out