Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 865631 (CVE-2022-44542) - <app-text/lesspipe-2.06: Perl storable (pst) files security fix
Summary: <app-text/lesspipe-2.06: Perl storable (pst) files security fix
Status: IN_PROGRESS
Alias: CVE-2022-44542
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL:
Whiteboard: B2 [glsa]
Keywords:
Depends on: 872749
Blocks:
  Show dependency tree
 
Reported: 2022-08-18 02:58 UTC by Sam James
Modified: 2022-11-10 16:36 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2022-08-18 02:58:04 UTC
From https://github.com/wofr06/lesspipe/releases/tag/v2.06:
"The support for perl storable (pst) files was removed for security reasons."

And see https://github.com/wofr06/lesspipe/commit/a5610c106f38570040de4d76c0ed1c6af74e9a7c.

No details though.
Comment 1 Larry the Git Cow gentoo-dev 2022-08-18 03:10:19 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=bb2641741479ad64a0959c6eb3b80c4b6106e056

commit bb2641741479ad64a0959c6eb3b80c4b6106e056
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2022-08-18 02:58:18 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-08-18 03:09:57 +0000

    app-text/lesspipe: add 2.06
    
    Bug: https://bugs.gentoo.org/865631
    Signed-off-by: Sam James <sam@gentoo.org>

 app-text/lesspipe/Manifest             |  1 +
 app-text/lesspipe/lesspipe-2.06.ebuild | 52 ++++++++++++++++++++++++++++++++++
 2 files changed, 53 insertions(+)
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-09-25 13:26:05 UTC
Please cleanup
Comment 3 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-10-23 14:51:14 UTC
Upstream pointed me to some references that they were given in the original vulnerability report:

   "In lesspipe 2.02, you added support for Perl Storable files using
   `perl -MStorable=retrieve`. By design, this function is not secure
   against untrusted input, and can be exploited for arbitrary code
   execution:

   https://perldoc.perl.org/Storable#SECURITY-WARNING
   https://www.masteringperl.org/2012/12/the-storable-security-problem/
   https://twitter.com/dozernz/status/1167226128559263744"

And from the perl.org link,

"Finally, the deserialized object's destructors will be invoked when the objects get destroyed in the deserializing process. Maliciously crafted Storable documents may put such objects in the value of a hash key that is overridden by another key/value pair in the same hash, thus causing immediate destructor execution."

So this seems like a code execution vulneraiblity. Upstream opted not to make an advisory due to the significant amount of user cooperation required to open a crafted PST.
Comment 4 Larry the Git Cow gentoo-dev 2022-10-28 19:53:30 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=38bdda86e54a0645a606392dae2ed41c68127c4e

commit 38bdda86e54a0645a606392dae2ed41c68127c4e
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2022-10-28 19:42:52 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-10-28 19:49:58 +0000

    app-text/lesspipe: drop 2.05-r1
    
    Bug: https://bugs.gentoo.org/865631
    Signed-off-by: Sam James <sam@gentoo.org>

 app-text/lesspipe/Manifest                |  1 -
 app-text/lesspipe/lesspipe-2.05-r1.ebuild | 47 -------------------------------
 2 files changed, 48 deletions(-)
Comment 5 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-10-31 15:35:23 UTC
GLSA request filed. Need to request CVE.
Comment 6 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-10-31 15:37:38 UTC
(In reply to John Helmert III from comment #5)
> GLSA request filed. Need to request CVE.

Requested.
Comment 7 Larry the Git Cow gentoo-dev 2022-11-10 16:36:14 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=d2caa7d73160aa5b9c9cda07665068a8b25fa730

commit d2caa7d73160aa5b9c9cda07665068a8b25fa730
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2022-11-10 16:33:11 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2022-11-10 16:36:02 +0000

    [ GLSA 202211-02 ] lesspipe: Arbitrary Code Exeecution
    
    Bug: https://bugs.gentoo.org/865631
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202211-02.xml | 42 ++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 42 insertions(+)