The canonpath function in the File::Spec module in PathTools before 3.62, as used in Perl, does not properly preserve the taint attribute of data, which might allow context-dependent attackers to bypass the taint protection mechanism via a crafted string.
$ git tag --contains 130509aa42a87eef258fab0182ee2c7ad16baa8b | sort -u
@ Maintainer(s): Can we backport the fix or stabilize 5.24.0 already (yes, I know that we finished stabilization of perl-5.22.3 a few hours ago but I have to ask this)?
Linked upstream patch doesn't do anything but tweak version numbers.
I think we need that effective new-version, but this patch:
If there are any other patches I should be including and I missed anything, please clarify.
Looks like this is already fixed in 5.22.3 via commit:
Author: Tony Cook <firstname.lastname@example.org>
Date: Tue Dec 15 10:56:54 2015 +1100
ensure File::Spec::canonpath() preserves taint
Previously the unix specific XS implementation of canonpath() would
return an untainted path when supplied a tainted path.
For the empty string case, newSVpvs() already sets taint as needed on
This issue was assigned CVE-2015-8607. [perl #126862]
git tag --contains 796b9b6266671fdab40a84d7a8bcbd43106b160b
Added to existing GLSA request.
This issue was resolved and addressed in
GLSA 201701-75 at https://security.gentoo.org/glsa/201701-75
by GLSA coordinator Thomas Deutschmann (whissi).
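
A check for the behaviour described in the CVE text and the commit message above, added here as an example; it is not part of the bug thread or of the upstream patch. It feeds tainted strings to File::Spec->canonpath() under taint mode and reports whether each result is still tainted. The sample paths are constructed, and using `$^X` as the source of taint is a choice made for this example.

```perl
#!/usr/bin/perl
# Run with taint mode enabled on the command line: perl -T <this file>
# Exit status is 1 if any canonpath() result came back untainted, else 0.
use strict;
use warnings;
use File::Spec;
use Scalar::Util qw(tainted);

die "taint mode is off; run with perl -T\n" unless ${^TAINT};

# $^X is tainted under -T, and so is any substring of it, including the
# zero-length one. Appending it taints a string without changing its value.
my $taint = substr($^X, 0, 0);

# Constructed sample inputs. The empty string is included because the
# commit message treats it as a separate case.
my @samples = ('/tmp//upload/./file.txt', 'a/../b/', '/', '');

my $failed = 0;
for my $sample (@samples) {
    my $in = $sample . $taint;
    die "setup error: input is not tainted\n" unless tainted($in);

    my $out = File::Spec->canonpath($in);
    my $ok  = tainted($out);
    $failed++ unless $ok;

    printf "%-9s canonpath('%s') -> '%s'\n",
        $ok ? 'tainted' : 'UNTAINTED', $sample, $out;
}

# File::Spec->VERSION is the module's own $VERSION, printed for reference.
printf "File::Spec %s on %s: %s\n", File::Spec->VERSION, $^O,
    $failed ? "$failed result(s) lost taint" : 'taint preserved';
exit($failed ? 1 : 0);
```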