The canonpath function in the File::Spec module in PathTools before 3.62, as used in Perl, does not properly preserve the taint attribute of data, which might allow context-dependent attackers to bypass the taint protection mechanism via a crafted string.

Upstream bug: https://rt.perl.org/Public/Bug/Display.html?id=126862

Upstream patch: http://perl5.git.perl.org/perl.git/commit/130509aa42a87eef258fab0182ee2c7ad16baa8b

$ git tag --contains 130509aa42a87eef258fab0182ee2c7ad16baa8b | sort -u
v5.23.7
v5.23.8
v5.23.9
v5.24.0
[...]

@ Maintainer(s): Can we backport the fix or stabilize 5.24.0 already (yes, I know that we finished stabilization of perl-5.22.3 a few hours ago but I have to ask this)?
Linked upstream patch doesn't do anything but tweak version numbers. I think we need that effective new-version, but this patch: https://perl5.git.perl.org/perl.git/commitdiff_plain/ae37b791a73a9e78dedb89fb2429d2628cf58076 If there are any other patches I should be including and I missed anything, please clarify.
Looks like this is already fixed in 5.22.3 via commit:

commit 796b9b6266671fdab40a84d7a8bcbd43106b160b
Author: Tony Cook <tony@develop-help.com>
Date:   Tue Dec 15 10:56:54 2015 +1100

    ensure File::Spec::canonpath() preserves taint

    Previously the unix specific XS implementation of canonpath() would
    return an untainted path when supplied a tainted path.

    For the empty string case, newSVpvs() already sets taint as needed on
    its result.

    This issue was assigned CVE-2015-8607.  [perl #126862]

git tag --contains 796b9b6266671fdab40a84d7a8bcbd43106b160b
v5.22.2
v5.22.2-RC1
v5.22.3
v5.22.3-RC1
v5.22.3-RC2
v5.22.3-RC3
v5.22.3-RC4
v5.22.3-RC5
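Because the fix reached the 5.22.x branch as a backport, checking behaviour is more direct than comparing PathTools version numbers. The following check is an added example, not part of this bug thread or of the upstream commit; the sample paths are constructed, and it must be started as `perl -T script.pl` so that taint mode is active.

```perl
use strict;
use warnings;
use File::Spec;
use Scalar::Util qw(tainted);

# Taint mode has to be enabled on the command line for the check to mean anything.
die "run with: perl -T $0\n" unless ${^TAINT};

# Zero-length tainted string: $^X is tainted under -T, and taking an empty
# substring keeps the taint flag without adding any characters.
my $taint = substr($^X, 0, 0);
die "could not obtain tainted data\n" unless tainted($taint);

# Constructed sample paths, including the empty string mentioned in the
# commit message.
my @cases = ('/tmp//a/./b/', 'a//b/', '/', '');

my $lost = 0;
for my $path (@cases) {
    my $in  = $path . $taint;              # same text, now tainted
    my $out = File::Spec->canonpath($in);  # result must stay tainted
    my $ok  = tainted($out);
    $lost++ unless $ok;
    printf "%-16s -> %-12s %s\n", "'$path'", "'$out'",
        $ok ? 'tainted (ok)' : 'UNTAINTED (taint lost)';
}

printf "perl %vd, File::Spec %s: %s\n", $^V, File::Spec->VERSION,
    $lost ? "canonpath() dropped taint on $lost input(s)"
          : 'canonpath() preserved taint on all inputs';

# Non-zero exit status lets a packaging or CI script flag an unfixed build.
exit($lost ? 1 : 0);
```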
Added to existing GLSA request.
This issue was resolved and addressed in GLSA 201701-75 at https://security.gentoo.org/glsa/201701-75 by GLSA coordinator Thomas Deutschmann (whissi).