Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 606752 (CVE-2015-8607)

Summary: <dev-lang/perl-5.22.2: PathTools: Taint propagation flaw in canonpath()
Product: Gentoo Security Reporter: Thomas Deutschmann (RETIRED) <whissi>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal CC: kentnl, perl
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: A3 [glsa cve cleanup]
Package list:
Runtime testing required: ---

Description Thomas Deutschmann (RETIRED) gentoo-dev 2017-01-22 01:40:00 UTC
The canonpath function in the File::Spec module in PathTools before 3.62, as used in Perl, does not properly preserve the taint attribute of data, which might allow context-dependent attackers to bypass the taint protection mechanism via a crafted string.


Upstream bug:

https://rt.perl.org/Public/Bug/Display.html?id=126862


Upstream patch:

http://perl5.git.perl.org/perl.git/commit/130509aa42a87eef258fab0182ee2c7ad16baa8b


$ git tag --contains 130509aa42a87eef258fab0182ee2c7ad16baa8b | sort -u
v5.23.7
v5.23.8
v5.23.9
v5.24.0
[...]


@ Maintainer(s): Can we backport the fix or stabilize 5.24.0 already (yes, I know that we finished stabilization of perl-5.22.3 a few hours ago but I have to ask this)?
Comment 1 Kent Fredric (IRC: kent\n) (RETIRED) gentoo-dev 2017-01-22 02:46:57 UTC
Linked upstream patch doesn't do anything but tweak version numbers.

I think we need that effective new-version, but this patch:

https://perl5.git.perl.org/perl.git/commitdiff_plain/ae37b791a73a9e78dedb89fb2429d2628cf58076

If there are any other patches I should be including and I missed anything, please clarify.
Comment 2 Kent Fredric (IRC: kent\n) (RETIRED) gentoo-dev 2017-01-22 03:00:22 UTC
Looks like this is already fixed in 5.22.3 via commit: 

commit 796b9b6266671fdab40a84d7a8bcbd43106b160b
Author: Tony Cook <tony@develop-help.com>
Date:   Tue Dec 15 10:56:54 2015 +1100

    ensure File::Spec::canonpath() preserves taint
    
    Previously the unix specific XS implementation of canonpath() would
    return an untainted path when supplied a tainted path.
    
    For the empty string case, newSVpvs() already sets taint as needed on
    its result.
    
    This issue was assigned CVE-2015-8607.  [perl #126862]


git tag --contains 796b9b6266671fdab40a84d7a8bcbd43106b160b

v5.22.2
v5.22.2-RC1
v5.22.3
v5.22.3-RC1
v5.22.3-RC2
v5.22.3-RC3
v5.22.3-RC4
v5.22.3-RC5
Comment 3 Thomas Deutschmann (RETIRED) gentoo-dev 2017-01-29 23:28:21 UTC
Added to existing GLSA request.
Comment 4 GLSAMaker/CVETool Bot gentoo-dev 2017-01-29 23:46:09 UTC
This issue was resolved and addressed in
 GLSA 201701-75 at https://security.gentoo.org/glsa/201701-75
by GLSA coordinator Thomas Deutschmann (whissi).