Bug 606752 (CVE-2015-8607)

Summary: <dev-lang/perl-5.22.2: PathTools: Taint propagation flaw in canonpath()
Product: Gentoo Security
Reporter: Thomas Deutschmann <whissi>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Severity: normal
CC: kentnl, perl
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: A3 [glsa cve cleanup]
Package list:
Runtime testing required: ---

Description Thomas Deutschmann gentoo-dev 2017-01-22 01:40:00 UTC
The canonpath function in the File::Spec module in PathTools before 3.62, as used in Perl, does not properly preserve the taint attribute of data, which might allow context-dependent attackers to bypass the taint protection mechanism via a crafted string.

Upstream bug:

Upstream patch:

$ git tag --contains 130509aa42a87eef258fab0182ee2c7ad16baa8b | sort -u

@ Maintainer(s): Can we backport the fix or stabilize 5.24.0 already (yes, I know that we finished stabilization of perl-5.22.3 a few hours ago but I have to ask this)?
Comment 1 Kent Fredric (IRC: kent\n) (RETIRED) gentoo-dev 2017-01-22 02:46:57 UTC
Linked upstream patch doesn't do anything but tweak version numbers.

I think we need that effective new-version, but this patch:

If there are any other patches I should be including and I missed anything, please clarify.
Comment 2 Kent Fredric (IRC: kent\n) (RETIRED) gentoo-dev 2017-01-22 03:00:22 UTC
Looks like this is already fixed in 5.22.3 via commit: 

commit 796b9b6266671fdab40a84d7a8bcbd43106b160b
Author: Tony Cook <>
Date:   Tue Dec 15 10:56:54 2015 +1100

    ensure File::Spec::canonpath() preserves taint

    Previously the unix specific XS implementation of canonpath() would
    return an untainted path when supplied a tainted path.

    For the empty string case, newSVpvs() already sets taint as needed on
    its result.

    This issue was assigned CVE-2015-8607.  [perl #126862]

git tag --contains 796b9b6266671fdab40a84d7a8bcbd43106b160b
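
A behavioural check for the flaw described in the commit message above, as an added example that is not part of this bug report or of Perl's own test suite: it passes tainted paths to the Unix canonpath() and reports whether the result is still tainted, which tests the installed perl directly instead of relying on a version comparison. The script name and the sample paths are constructed for illustration.

```perl
#!/usr/bin/perl
# Added example, not code from the bug report or the Perl source tree.
# Run under taint mode:  perl -T check_canonpath_taint.pl
# (the script name is hypothetical)
use strict;
use warnings;
use File::Spec;
use File::Spec::Unix;
use Scalar::Util qw(tainted);

die "Taint mode is off; run with: perl -T $0\n" unless ${^TAINT};

# Zero-length tainted string: $^X is tainted under -T, and a substr()
# of a tainted value is tainted as well.
my $TAINT = substr($^X, 0, 0);

# Returns 1 if canonpath() kept the taint flag on a tainted input, else 0.
sub canonpath_keeps_taint {
    my ($path) = @_;
    my $in = $path . $TAINT;    # concatenation with tainted data taints $in
    die "could not taint input '$path'\n" unless tainted($in);
    my $out = File::Spec::Unix->canonpath($in);
    return tainted($out) ? 1 : 0;
}

# Constructed sample paths that exercise the clean-up canonpath() performs.
my @samples = ('/a/./b//c/', 'a/./b', '/', '///x/.', 'plain');

printf "perl %vd, File::Spec %s\n", $^V, File::Spec->VERSION;

my $failed = 0;
for my $p (@samples) {
    my $ok = canonpath_keeps_taint($p);
    $failed++ unless $ok;
    printf "%-14s %s\n", "'$p'", $ok ? 'taint preserved' : 'TAINT LOST';
}

print $failed
    ? "RESULT: canonpath() returned untainted data for tainted input\n"
    : "RESULT: canonpath() preserved taint for all samples\n";
exit($failed ? 1 : 0);
```

A non-zero exit status means at least one sample came back untainted, which is the behaviour the commit message describes for the unpatched XS implementation.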

Comment 3 Thomas Deutschmann gentoo-dev 2017-01-29 23:28:21 UTC
Added to existing GLSA request.
Comment 4 GLSAMaker/CVETool Bot gentoo-dev 2017-01-29 23:46:09 UTC
This issue was resolved and addressed in
 GLSA 201701-75 at
by GLSA coordinator Thomas Deutschmann (whissi).