Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 606750 (CVE-2016-2381) - <dev-lang/perl-5.22.2: ambiguous environment variables handling
Summary: <dev-lang/perl-5.22.2: ambiguous environment variables handling
Status: RESOLVED FIXED
Alias: CVE-2016-2381
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL:
Whiteboard: B3 [glsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2017-01-22 01:14 UTC by Thomas Deutschmann
Modified: 2017-01-29 23:46 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Thomas Deutschmann gentoo-dev 2017-01-22 01:14:46 UTC
Perl might allow context-dependent attackers to bypass the taint protection mechanism in a child process via duplicate environment variables in envp.

Long description:

Stephane Chazelas discovered a bug in the environment handling in Perl. Perl provides a Perl-space hash variable, %ENV, in which environment variables can be looked up. If a variable appears twice in envp, only the last value would appear in %ENV, but getenv would return the first. Perl's taint security mechanism would be applied to the value in %ENV, but not to the other rest of the environment. This could result in an ambiguous environment causing environment variables to be propagated to subprocesses, despite the protections supposedly offered by taint checking.

Upstream bug:

foo

Upstream patch:

http://perl5.git.perl.org/perl.git/commitdiff/ae37b791a73a9e78dedb89fb2429d2628cf58076
Comment 1 Thomas Deutschmann gentoo-dev 2017-01-22 01:19:49 UTC
$ git tag --contains ae37b791a73a9e78dedb89fb2429d2628cf58076 | sort -u
v5.23.9
v5.24.0
[...]


@ Maintainer(s): Can we backport the fix or stabilize 5.24.0 already (yes, I know that we finished stabilization of perl-5.22.3 a few hours ago but I have to ask this)?
Comment 2 Kent Fredric (IRC: kent\n) (RETIRED) gentoo-dev 2017-01-22 03:10:36 UTC
Looks like this was fixed in 5.22.2, but with a different commit-id


https://perl5.git.perl.org/perl.git/commitdiff/58eaa1131a38c16ee4a66d0bc36288cfde1a39bf

git tag --contains 58eaa1131a38c16ee4a66d0bc36288cfde1a39bf

v5.22.2
v5.22.2-RC1
v5.22.3
v5.22.3-RC1
v5.22.3-RC2
v5.22.3-RC3
v5.22.3-RC4
v5.22.3-RC5
Comment 3 Agostino Sarubbo gentoo-dev 2017-01-22 14:26:00 UTC
(In reply to Thomas Deutschmann from comment #0)
> Upstream bug:
> 
> foo

?
Comment 4 Thomas Deutschmann gentoo-dev 2017-01-29 23:27:10 UTC
(In reply to Agostino Sarubbo from comment #3)
> (In reply to Thomas Deutschmann from comment #0)
> > Upstream bug:
> > 
> > foo

https://rt.perl.org/Public/Bug/Display.html?id=127158


Added to existing GLSA.
Comment 5 GLSAMaker/CVETool Bot gentoo-dev 2017-01-29 23:46:01 UTC
This issue was resolved and addressed in
 GLSA 201701-75 at https://security.gentoo.org/glsa/201701-75
by GLSA coordinator Thomas Deutschmann (whissi).