From ${URL} : Arbitrary code execution can be achieved when loading code from an untrusted current working directory, even though '.' is removed from @INC. The vulnerability is in XSLoader, which uses caller() information to locate the .so file to load. If a malicious attacker creates a directory named `(eval 1)` with a malicious binary file in it, that file will be loaded if the package calling XSLoader is in the parent directory.
CVE assignment: http://seclists.org/oss-sec/2016/q3/28
Upstream bug: https://rt.cpan.org/Public/Bug/Display.html?id=115808
Upstream patch: http://perl5.git.perl.org/perl.git/commitdiff/08e3451d7
@maintainer(s): after the bump, in case we need to stabilize the package, please let us know whether it is ready for stabilization or not.
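To make the mechanism concrete, here is an added example that is not part of the bug thread and not a copy of the perl source or the upstream patch. It models the path computation XSLoader performs from the caller's file name (one path component stripped per package level, then auto/<Module/Path>/<Name>.so appended; the ".so" extension is assumed) and shows why a caller file name of the form "(eval N)" yields a relative path that the dynamic loader would resolve under the current working directory. The "safe" variant is my illustration of the guard idea: refuse to derive a load path from an eval frame or from any non-absolute result and signal "fall back to the normal @INC search" instead. The exact check used upstream is in the linked commit.

```perl
#!/usr/bin/perl
# Added example (not from the bug thread or the perl source): models how a
# caller()-derived path for a module's .so is computed, and why a caller
# file name of the form "(eval N)" ends up as a relative path under cwd.
use strict;
use warnings;
use File::Spec;

# Path computation modelled on XSLoader's "Q&D basename" step: strip one
# path component per package level from the caller's file name, then
# append auto/<Module/Path>/<Name>.so.  The ".so" extension is assumed
# ($dl_dlext in the real code varies by platform).
sub xs_path_from_caller {
    my ($module, $caller_file) = @_;
    my @modparts   = split /::/, $module;
    my $modfname   = $modparts[-1];
    my $modpname   = join '/', @modparts;
    my $modlibname = $caller_file;
    my $c = @modparts;
    $modlibname =~ s,[\\/][^\\/]+$,, while $c--;   # drop one dir per level
    return "$modlibname/auto/$modpname/$modfname.so";
}

# Hardened variant (illustration, not the upstream patch verbatim): an
# "(eval N)" caller file is not a real directory, so no load path should be
# derived from it; likewise refuse any result that is still relative, since
# the loader would resolve it against the current working directory.
# undef means "do not load from here; fall back to the @INC-based search".
sub safe_xs_path_from_caller {
    my ($module, $caller_file) = @_;
    return undef if $caller_file =~ /^\(eval \d+\)$/;
    my $path = xs_path_from_caller($module, $caller_file);
    return undef unless File::Spec->file_name_is_absolute($path);
    return $path;
}

# Constructed sample cases: a normal require from a vendor library path,
# and the same module loaded from inside a string eval.
for my $case (
    [ 'Foo::Bar', '/usr/lib/perl5/vendor_perl/Foo/Bar.pm' ],
    [ 'Foo::Bar', '(eval 1)' ],
) {
    my ($module, $file) = @$case;
    my $naive = xs_path_from_caller($module, $file);
    my $safe  = safe_xs_path_from_caller($module, $file)
              // '<refused: fall back to @INC search>';
    print "$module called from $file\n";
    print "  naive path: $naive\n";
    print "  safe  path: $safe\n";
}
```

For the vendor path the naive computation gives /usr/lib/perl5/vendor_perl/auto/Foo/Bar/Bar.so, which is what a correctly installed XS module expects. For the eval frame it gives (eval 1)/auto/Foo/Bar/Bar.so, a path relative to whatever directory the process happens to be in, which is the condition the bug report describes; the guarded variant declines to use it and lets the regular @INC search take over.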
Perl 5.22.3-RC1 is coming out today with more security fixes; the proper release of Perl 5.22.3 will most likely also include this fix and follow soon. I suggest we wait for that and stabilize it then rather quickly. [Given that the likewise security-related 5.22.2 stabilization has been in limbo for ages...]
CVE-2016-6185 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-6185): The XSLoader::load method in XSLoader in Perl does not properly locate .so files when called in a string eval, which might allow local users to execute arbitrary code via a Trojan horse library under the current working directory.
Stabilization of the fixed version is taking place in bug 589680.
Added to existing GLSA request.
This issue was resolved and addressed in GLSA 201701-75 at https://security.gentoo.org/glsa/201701-75 by GLSA coordinator Thomas Deutschmann (whissi).