Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 589680 (CVE-2016-1238) - <dev-lang/perl-{5.22.3_rc4,5.24.1_rc4}: unsafe module load path (CVE-2016-1238)
Summary: <dev-lang/perl-{5.22.3_rc4,5.24.1_rc4}: unsafe module load path (CVE-2016-1238)
Status: RESOLVED FIXED
Alias: CVE-2016-1238
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal major
Assignee: Gentoo Security
URL:
Whiteboard: A1 [glsa cve]
Keywords:
Depends on: 606732 606914 609196
Blocks: perl522stable 578370 579866 CVE-2015-8853 586418 CVE-2016-6185
  Show dependency tree
 
Reported: 2016-07-25 15:08 UTC by Andreas K. Hüttel
Modified: 2018-07-27 22:19 UTC (History)
2 users (show)

See Also:
Package list:
=dev-lang/perl-5.22.3_rc4 hppa arm64 ia64 ppc ppc64 sparc =virtual/perl-Archive-Tar-2.40.100_rc-r1 hppa arm64 ia64 ppc ppc64 sparc =virtual/perl-bignum-0.390.100_rc hppa arm64 ia64 ppc ppc64 sparc =virtual/perl-CPAN-2.110.100_rc-r1 hppa arm64 ia64 ppc ppc64 sparc =virtual/perl-Digest-1.170.100_rc-r1 hppa arm64 ia64 ppc ppc64 sparc =virtual/perl-Digest-SHA-5.950.100_rc-r1 hppa arm64 ia64 ppc ppc64 sparc =virtual/perl-ExtUtils-Command-1.200.100_rc hppa arm64 ia64 ppc ppc64 sparc =virtual/perl-ExtUtils-MakeMaker-7.40.200_rc hppa arm64 ia64 ppc ppc64 sparc =virtual/perl-File-Spec-3.560.200_rc hppa arm64 ia64 ppc ppc64 sparc =virtual/perl-HTTP-Tiny-0.54.10_rc hppa arm64 ia64 ppc ppc64 sparc =virtual/perl-IO-Compress-2.68.1_rc hppa arm64 ia64 ppc ppc64 sparc =virtual/perl-IO-1.350.100_rc hppa arm64 ia64 ppc ppc64 sparc =virtual/perl-IPC-Cmd-0.920.100_rc-r1 hppa arm64 ia64 ppc ppc64 sparc =virtual/perl-JSON-PP-2.273.0.100_rc-r1 hppa arm64 ia64 ppc ppc64 sparc =virtual/perl-libnet-3.50.100_rc hppa arm64 ia64 ppc ppc64 sparc =virtual/perl-Locale-Maketext-1.260.100_rc-r1 hppa arm64 ia64 ppc ppc64 sparc =virtual/perl-Locale-Maketext-Simple-0.210.100_rc-r1 hppa arm64 ia64 ppc ppc64 sparc =virtual/perl-Memoize-1.30.100_rc-r1 hppa arm64 ia64 ppc ppc64 sparc =virtual/perl-Module-CoreList-5.201.610.192.200_rc hppa arm64 ia64 ppc ppc64 sparc =virtual/perl-Net-Ping-2.430.100_rc-r1 hppa arm64 ia64 ppc ppc64 sparc =virtual/perl-Parse-CPAN-Meta-1.441.400.100_rc hppa arm64 ia64 ppc ppc64 sparc =virtual/perl-Storable-2.530.200_rc hppa arm64 ia64 ppc ppc64 sparc =virtual/perl-Sys-Syslog-0.330.100_rc-r1 hppa arm64 ia64 ppc ppc64 sparc =virtual/perl-Test-Harness-3.350.100_rc hppa arm64 ia64 ppc ppc64 sparc =virtual/perl-Test-1.260.100_rc hppa arm64 ia64 ppc ppc64 sparc =virtual/perl-XSLoader-0.200.100_rc hppa arm64 ia64 ppc ppc64 sparc =virtual/perl-AutoLoader-5.740.0-r3 hppa arm64 =virtual/perl-Safe-2.390.0-r2 hppa arm64 =virtual/perl-Time-Piece-1.290.0-r1 hppa arm64 =virtual/perl-threads-2.10.0-r1 hppa arm64 =virtual/perl-threads-shared-1.480.0-r1 hppa arm64 =virtual/perl-Attribute-Handlers-0.970.0-r1 hppa arm64 =virtual/perl-autodie-2.260.0-r1 hppa arm64 =virtual/perl-B-Debug-1.230.0-r2 hppa arm64 =virtual/perl-Carp-1.360.0-r1 hppa arm64 =virtual/perl-Compress-Raw-Bzip2-2.68.0-r1 hppa arm64 =virtual/perl-Compress-Raw-Zlib-2.68.0-r1 hppa arm64 =virtual/perl-CPAN-Meta-2.150.1-r1 hppa arm64 =virtual/perl-CPAN-Meta-Requirements-2.132.0-r1 hppa arm64 =virtual/perl-Data-Dumper-2.158.0-r1 hppa arm64 =virtual/perl-DB_File-1.835.0-r2 hppa arm64 =virtual/perl-Devel-PPPort-3.310.0-r1 hppa arm64 =virtual/perl-Digest-MD5-2.540.0-r2 hppa arm64 =virtual/perl-Encode-2.730.0-r1 hppa arm64 =perl-core/Encode-2.730.0 hppa arm64 =virtual/perl-Exporter-5.720.0-r2 hppa arm64 =virtual/perl-ExtUtils-CBuilder-0.280.221-r1 hppa arm64 =virtual/perl-ExtUtils-Install-2.40.0-r2 hppa arm64 =virtual/perl-ExtUtils-Manifest-1.700.0-r3 hppa arm64 =virtual/perl-ExtUtils-ParseXS-3.280.0-r1 hppa arm64 =virtual/perl-Filter-Simple-0.920.0-r2 hppa arm64 =virtual/perl-Getopt-Long-2.450.0-r1 hppa arm64 =virtual/perl-IO-Socket-IP-0.370.0-r2 hppa arm64 =virtual/perl-if-0.60.400-r1 hppa arm64 =virtual/perl-Math-BigInt-1.999.700-r1 hppa arm64 =virtual/perl-Math-BigRat-0.260.800-r1 hppa arm64 =virtual/perl-MIME-Base64-3.150.0-r2 hppa arm64 =virtual/perl-Module-Load-Conditional-0.640.0-r2 hppa arm64 =virtual/perl-parent-0.232.0-r1 hppa arm64 =virtual/perl-Package-Constants-0.60.0-r1 hppa arm64 =perl-core/Package-Constants-0.60.0 hppa arm64 =virtual/perl-Perl-OSType-1.8.0-r1 hppa arm64 =virtual/perl-Pod-Escapes-1.70.0-r2 hppa arm64 =virtual/perl-Pod-Parser-1.630.0-r2 hppa arm64 =virtual/perl-Pod-Simple-3.290.0-r1 hppa arm64 =virtual/perl-Scalar-List-Utils-1.410.0-r1 hppa arm64 =virtual/perl-Socket-2.18.0-r1 hppa arm64 =virtual/perl-Term-ANSIColor-4.30.0-r1 hppa arm64 =virtual/perl-Term-ReadLine-1.150.0-r2 hppa arm64 =virtual/perl-Test-Simple-1.1.14_p522-r1 hppa arm64 =virtual/perl-Text-Balanced-2.30.0-r2 hppa arm64 =virtual/perl-Text-ParseWords-3.300.0-r2 hppa arm64 =virtual/perl-Unicode-Collate-1.120.0-r1 hppa arm64 =virtual/perl-Unicode-Normalize-1.180.0-r1 hppa arm64
Runtime testing required: Yes
stable-bot: sanity-check+


Attachments
stabilization list (cve-2016-1238-stablelist.txt,3.22 KB, text/plain)
2017-01-05 10:30 UTC, Andreas K. Hüttel
dilfridge: stabilization-list+
Details
stabilization list (todo,3.57 KB, text/plain)
2017-01-07 23:44 UTC, Kent Fredric (IRC: kent\n) (RETIRED)
kentnl: stabilization-list+
Details

Note You need to log in before you can comment on or make changes to this bug.
Description Andreas K. Hüttel archtester gentoo-dev 2016-07-25 15:08:29 UTC
The tools and many modules supplied in core Perl search the
default current directory entry in @INC for optional modules.

This allows an attacker to inject an optional module into a process
run by another user where the current directory is writable by the
attacker, eg. the /tmp directory.

See also:
https://rt.perl.org/Public/Bug/Display.html?id=127834

To be fixed in 5.22.3 and 5.24.1, release is pending
Comment 1 GLSAMaker/CVETool Bot gentoo-dev 2016-11-21 09:30:50 UTC
CVE-2016-1238 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1238):
  (1) cpan/Archive-Tar/bin/ptar, (2) cpan/Archive-Tar/bin/ptardiff, (3)
  cpan/Archive-Tar/bin/ptargrep, (4) cpan/CPAN/scripts/cpan, (5)
  cpan/Digest-SHA/shasum, (6) cpan/Encode/bin/enc2xs, (7)
  cpan/Encode/bin/encguess, (8) cpan/Encode/bin/piconv, (9)
  cpan/Encode/bin/ucmlint, (10) cpan/Encode/bin/unidump, (11)
  cpan/ExtUtils-MakeMaker/bin/instmodsh, (12) cpan/IO-Compress/bin/zipdetails,
  (13) cpan/JSON-PP/bin/json_pp, (14) cpan/Test-Harness/bin/prove, (15)
  dist/ExtUtils-ParseXS/lib/ExtUtils/xsubpp, (16)
  dist/Module-CoreList/corelist, (17) ext/Pod-Html/bin/pod2html, (18)
  utils/c2ph.PL, (19) utils/h2ph.PL, (20) utils/h2xs.PL, (21)
  utils/libnetcfg.PL, (22) utils/perlbug.PL, (23) utils/perldoc.PL, (24)
  utils/perlivp.PL, and (25) utils/splain.PL in Perl 5.x before 5.22.3-RC2 and
  5.24 before 5.24.1-RC2 do not properly remove . (period) characters from the
  end of the includes directory array, which might allow local users to gain
  privileges via a Trojan horse module under the current working directory.
Comment 2 Andreas K. Hüttel archtester gentoo-dev 2016-12-08 15:42:55 UTC
For the record, statement from perl team (written by kent\n)
----------------------------------------------------------------

Perl 5.22.3 is getting to a stage of "ridiculous amounts of time
shipping a critical release" now and so we're planning on shipping one
of their release candidates with their fixes.

All the "Actually vulnerable modules" have been fixed and they're a done deal
and there's no drama around them.

There's only one place that's holding upstream back, and that's they think they
need to severely break base.pm's API in a bugfix release.

Due to the nature of this change, it does break a lot of things without
actually changing the overall landscape of the security surface, and it
seemed logical to me that the right thing to do security wise, is
bypass upstream and ship their RC now with base.pm reverted into an
"uncontentious" state.

This way we can get 5.22.3 with as many security fixes as possible, now,
instead of sitting here with no fixes for goodness knows how long, and we
don't have to trade off with "uh oh, lots of code breaks" happening with
our next stable candidate.

The worst thing about the nature of this change is the primary risk audiences
are audiences who have old code bases, especially not code-bases on CPAN,
where base.pm could no longer see libraries that were designed to be loaded
via './' implicit behaviour ( such as maybe some infra scripts ). 

Upstream don't even have a transition strategy in place, YOUR STUFF WILL
JUST START BREAKING!

The fear is I've/we've missed some important consideration, and I need the
oversight of you dear people, but we don't want a possible PR disaster with
"(LWN: Gentoo deliberatly ships vulnerable Perl)" or similar problems. 

[ I can see this email on wikileaks already with somebody on 4chan finding 
a smoking gun ]

Upstreams changes to base.pm will eventually surface, and so far I think its
sensible to slate that in 5.24.1+ instead, so that this API breakage will get
adequate testing before we deem it "stable".

Worst Case Scenario: We can still ship perl-5.22.3 with base.pm patched
as upstream have later, at the price of breaking potentially everything. But
I'd rather not.
Comment 3 Andreas K. Hüttel archtester gentoo-dev 2016-12-08 15:44:53 UTC
Arches please stabilize the following dev-lang/perl and virtuals:

# All arches needed action
dev-lang/perl-5.22.3_rc4                                             all
virtual/perl-Archive-Tar-2.40.100_rc-r1                              all
virtual/perl-bignum-0.390.100_rc                                     all
virtual/perl-CPAN-2.110.100_rc-r1                                    all
virtual/perl-Digest-1.170.100_rc-r1                                  all
virtual/perl-Digest-SHA-5.950.100_rc-r1                              all
virtual/perl-ExtUtils-Command-1.200.100_rc                           all
virtual/perl-ExtUtils-MakeMaker-7.40.200_rc                          all
virtual/perl-File-Spec-3.560.200_rc                                  all
virtual/perl-HTTP-Tiny-0.54.10_rc                                    all
virtual/perl-IO-Compress-2.68.1_rc                                   all
virtual/perl-IO-1.350.100_rc                                         all
virtual/perl-IPC-Cmd-0.920.100_rc-r1                                 all
virtual/perl-JSON-PP-2.273.0.100_rc-r1                               all
virtual/perl-libnet-3.50.100_rc                                      all
virtual/perl-Locale-Maketext-1.260.100_rc-r1                         all
virtual/perl-Locale-Maketext-Simple-0.210.100_rc-r1                  all
virtual/perl-Memoize-1.30.100_rc-r1                                  all
virtual/perl-Module-CoreList-5.201.610.192.200_rc                    all
virtual/perl-Net-Ping-2.430.100_rc-r1                                all
virtual/perl-Parse-CPAN-Meta-1.441.400.100_rc                        all
virtual/perl-Storable-2.530.200_rc                                   all
virtual/perl-Sys-Syslog-0.330.100_rc-r1                              all
virtual/perl-Test-Harness-3.350.100_rc                               all
virtual/perl-Test-1.260.100_rc                                       all
virtual/perl-XSLoader-0.200.100_rc                                   all

# Arches that are lagging due to keyword history
virtual/perl-AutoLoader-5.740.0-r3                              arm hppa
virtual/perl-ExtUtils-Constant-0.230.0-r9                            arm
virtual/perl-Module-Loaded-0.80.0-r7                                 arm
virtual/perl-Safe-2.390.0-r2                                         arm
virtual/perl-Thread-Queue-3.50.0-r2                                  arm
virtual/perl-Thread-Semaphore-2.120.0-r7                             arm
virtual/perl-Tie-RefHash-1.390.0-r6                                  arm
virtual/perl-Time-Piece-1.290.0-r1                              arm hppa
virtual/perl-threads-2.10.0-r1                                  arm hppa
virtual/perl-threads-shared-1.480.0-r1                          arm hppa

# HPPA Lagging
perl-core/Encode-2.730.0                                            hppa
virtual/perl-Attribute-Handlers-0.970.0-r1                          hppa
virtual/perl-autodie-2.260.0-r1                                     hppa
virtual/perl-B-Debug-1.230.0-r2                                     hppa
virtual/perl-Carp-1.360.0-r1                                        hppa
virtual/perl-Compress-Raw-Bzip2-2.68.0-r1                           hppa
virtual/perl-Compress-Raw-Zlib-2.68.0-r1                            hppa
virtual/perl-CPAN-Meta-2.150.1-r1                                   hppa
virtual/perl-CPAN-Meta-Requirements-2.132.0-r1                      hppa
virtual/perl-Data-Dumper-2.158.0-r1                                 hppa
virtual/perl-DB_File-1.835.0-r2                                     hppa
virtual/perl-Devel-PPPort-3.310.0-r1                                hppa
virtual/perl-Digest-MD5-2.540.0-r2                                  hppa
virtual/perl-Encode-2.730.0-r1                                      hppa
virtual/perl-Exporter-5.720.0-r2                                    hppa
virtual/perl-ExtUtils-CBuilder-0.280.221-r1                         hppa
virtual/perl-ExtUtils-Install-2.40.0-r2                             hppa
virtual/perl-ExtUtils-Manifest-1.700.0-r3                           hppa
virtual/perl-ExtUtils-ParseXS-3.280.0-r1                            hppa
virtual/perl-Filter-Simple-0.920.0-r2                               hppa
virtual/perl-Getopt-Long-2.450.0-r1                                 hppa
virtual/perl-IO-Socket-IP-0.370.0-r2                                hppa
virtual/perl-if-0.60.400-r1                                         hppa
virtual/perl-Math-BigInt-1.999.700-r1                               hppa
virtual/perl-Math-BigRat-0.260.800-r1                               hppa
virtual/perl-MIME-Base64-3.150.0-r2                                 hppa
virtual/perl-Module-Load-Conditional-0.640.0-r2                     hppa
virtual/perl-parent-0.232.0-r1                                      hppa
virtual/perl-Package-Constants-0.60.0-r1                            hppa
virtual/perl-Perl-OSType-1.8.0-r1                                   hppa
virtual/perl-Pod-Escapes-1.70.0-r2                                  hppa
virtual/perl-podlators-2.5.3-r2                                     hppa
virtual/perl-Pod-Parser-1.630.0-r2                                  hppa
virtual/perl-Pod-Simple-3.290.0-r1                                  hppa
virtual/perl-Scalar-List-Utils-1.410.0-r1                           hppa
virtual/perl-Socket-2.18.0-r1                                       hppa
virtual/perl-Term-ANSIColor-4.30.0-r1                               hppa
virtual/perl-Term-ReadLine-1.150.0-r2                               hppa
virtual/perl-Test-Simple-1.1.14_p522-r1                             hppa
virtual/perl-Text-Balanced-2.30.0-r2                                hppa
virtual/perl-Text-ParseWords-3.300.0-r2                             hppa
virtual/perl-Unicode-Collate-1.120.0-r1                             hppa
virtual/perl-Unicode-Normalize-1.180.0-r1                           hppa
Comment 4 Tobias Klausmann (RETIRED) gentoo-dev 2016-12-12 13:35:11 UTC
Stable on alpha.
Comment 5 Markus Meier gentoo-dev 2016-12-17 07:05:02 UTC
arm stable
Comment 6 Aaron Bauman (RETIRED) gentoo-dev 2016-12-17 08:33:00 UTC
amd64 stable
Comment 7 Thomas Deutschmann (RETIRED) gentoo-dev 2016-12-23 00:23:21 UTC
x86 stable
Comment 8 Andreas K. Hüttel archtester gentoo-dev 2017-01-05 10:23:38 UTC
hppa, ia64, ppc, ppc64, sparc: ping pretty please!
Comment 9 Andreas K. Hüttel archtester gentoo-dev 2017-01-05 10:30:30 UTC
Created attachment 458804 [details]
stabilization list

Add attached stabilization list (identical to the one above)
Comment 10 Stabilization helper bot gentoo-dev 2017-01-07 14:27:54 UTC
An automated check of this bug failed - the following atom is unknown:

#

Please verify the atom list.
Comment 11 Stabilization helper bot gentoo-dev 2017-01-07 14:42:28 UTC
An automated check of this bug failed - repoman reported dependency errors: 

> dependency.bad virtual/perl-Package-Constants/perl-Package-Constants-0.60.0-r1.ebuild: RDEPEND: hppa(default/linux/hppa/13.0) ['~perl-core/Package-Constants-0.60.0']
Comment 12 Kent Fredric (IRC: kent\n) (RETIRED) gentoo-dev 2017-01-07 23:44:26 UTC
Created attachment 459118 [details]
stabilization list

Updated stabilization list:

- Reduced to show only work remaining to be done
- Added missing perl-core/ nodes required to sustain lagging hppa
Comment 13 Agostino Sarubbo gentoo-dev 2017-01-15 15:55:43 UTC
ppc stable
Comment 14 Agostino Sarubbo gentoo-dev 2017-01-17 14:32:15 UTC
ia64 stable
Comment 15 Agostino Sarubbo gentoo-dev 2017-01-18 09:51:17 UTC
sparc stable
Comment 16 Agostino Sarubbo gentoo-dev 2017-01-18 10:04:50 UTC
ppc64 stable
Comment 17 Andreas K. Hüttel archtester gentoo-dev 2017-01-18 11:23:50 UTC
hppa: ping pretty please
Comment 18 Jeroen Roovers (RETIRED) gentoo-dev 2017-01-21 14:04:08 UTC
Stable for HPPA.
Comment 19 Andreas K. Hüttel archtester gentoo-dev 2017-01-21 18:47:37 UTC
@ security: please go ahead with GLSAs as applicable, here and also in related bugs

Since masking the old versions confuses the portage dependency resolver, I'd rather not do that. 

Cleanup in a bit, when everyone has for sure updated (absent old ebuilds also confuse portage, yay).
Comment 20 Thomas Deutschmann (RETIRED) gentoo-dev 2017-01-21 22:10:49 UTC
New GLSA request filed.
Comment 21 GLSAMaker/CVETool Bot gentoo-dev 2017-01-29 23:45:46 UTC
This issue was resolved and addressed in
 GLSA 201701-75 at https://security.gentoo.org/glsa/201701-75
by GLSA coordinator Thomas Deutschmann (whissi).
Comment 22 Thomas Deutschmann (RETIRED) gentoo-dev 2017-01-29 23:48:17 UTC
Re-opening for cleanup.

@ Maintainer(s): Please cleanup and drop <dev-lang/perl-5.22.3_rc4 or apply masks indicating a security problem!
Comment 23 Kent Fredric (IRC: kent\n) (RETIRED) gentoo-dev 2017-02-19 15:43:34 UTC
Affected Perl versions cleaned up as of:

commit:  2777260fbdd69f8c09cb1477ec96501e93cf4731
author:  2017-01-24 20:05:47 +0000 Kent Fredric <kentnl@gentoo.org>
commit:  2017-02-19 15:22:28 +0000 Kent Fredric <kentnl@gentoo.org>
gpg-key: E854324B1366A820

    dev-lang/perl, virtual/perl-*: Cleanup 5.20* and eblits re bug #589680 and bug #586418

    Bug: https://bugs.gentoo.org/586418
    Bug: https://bugs.gentoo.org/589680
Comment 24 Aaron Bauman (RETIRED) gentoo-dev 2017-02-22 11:03:25 UTC
tree is clean.
Comment 25 Andreas K. Hüttel archtester gentoo-dev 2017-02-22 19:36:09 UTC
perl out