The tools and many modules supplied in core Perl search the default current directory entry in @INC for optional modules. This allows an attacker to inject an optional module into a process run by another user where the current directory is writable by the attacker, e.g. the /tmp directory.
See also: https://rt.perl.org/Public/Bug/Display.html?id=127834
To be fixed in 5.22.3 and 5.24.1; release is pending.
CVE-2016-1238 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1238): (1) cpan/Archive-Tar/bin/ptar, (2) cpan/Archive-Tar/bin/ptardiff, (3) cpan/Archive-Tar/bin/ptargrep, (4) cpan/CPAN/scripts/cpan, (5) cpan/Digest-SHA/shasum, (6) cpan/Encode/bin/enc2xs, (7) cpan/Encode/bin/encguess, (8) cpan/Encode/bin/piconv, (9) cpan/Encode/bin/ucmlint, (10) cpan/Encode/bin/unidump, (11) cpan/ExtUtils-MakeMaker/bin/instmodsh, (12) cpan/IO-Compress/bin/zipdetails, (13) cpan/JSON-PP/bin/json_pp, (14) cpan/Test-Harness/bin/prove, (15) dist/ExtUtils-ParseXS/lib/ExtUtils/xsubpp, (16) dist/Module-CoreList/corelist, (17) ext/Pod-Html/bin/pod2html, (18) utils/c2ph.PL, (19) utils/h2ph.PL, (20) utils/h2xs.PL, (21) utils/libnetcfg.PL, (22) utils/perlbug.PL, (23) utils/perldoc.PL, (24) utils/perlivp.PL, and (25) utils/splain.PL in Perl 5.x before 5.22.3-RC2 and 5.24 before 5.24.1-RC2 do not properly remove . (period) characters from the end of the includes directory array, which might allow local users to gain privileges via a Trojan horse module under the current working directory.
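The pattern behind the description above and the fix shape named in the CVE text, as an added example that is not code from the bug, from Gentoo or from Perl core: an optional-module probe done with whatever @INC holds, beside the hardened form that first drops a trailing "." (the `BEGIN { pop @INC if $INC[-1] eq '.' }` idiom), plus a check you can run on any installed perl. The module name `Hypothetical::Optional` is a placeholder.

```perl
#!/usr/bin/perl
# Added example (not from the bug report or from Perl core): why a trailing
# "." in @INC lets an "optional" module be picked up from the current
# directory, and the hardening applied to the affected core scripts.
use strict;
use warnings;

# Placeholder optional module, as a tool might probe for an accelerator.
my $OPTIONAL = 'Hypothetical::Optional';

# Check: does this perl's @INC still end with the current directory?
# Returns 1 when the default search path is exposed to cwd injection.
sub inc_has_trailing_dot {
    return @INC && $INC[-1] eq '.' ? 1 : 0;
}

# Vulnerable pattern: probe for an optional module with @INC as-is.
# With "." last in @INC, a file ./Hypothetical/Optional.pm in a cwd
# writable by another user would be loaded and executed by this process.
sub load_optional_unsafe {
    my ($mod) = @_;
    (my $file = "$mod.pm") =~ s{::}{/}g;
    return eval { require $file; 1 } ? 'loaded' : 'absent';
}

# Hardened pattern: remove a trailing "." before probing, which is what
# the fixed scripts do with  BEGIN { pop @INC if $INC[-1] eq '.' }
# @INC is localised here so the caller's search path is left untouched.
sub load_optional_safe {
    my ($mod) = @_;
    local @INC = @INC;
    pop @INC if @INC && $INC[-1] eq '.';
    (my $file = "$mod.pm") =~ s{::}{/}g;
    return eval { require $file; 1 } ? 'loaded' : 'absent';
}

printf "trailing '.' in \@INC: %s\n", inc_has_trailing_dot() ? 'yes' : 'no';
printf "unsafe probe -> %s\n", load_optional_unsafe($OPTIONAL);
printf "safe probe   -> %s\n", load_optional_safe($OPTIONAL);
```

On an unpatched perl the first line prints `yes`; after the fix (or on a perl that no longer defaults "." into @INC) it prints `no`, and both probes report `absent` because the placeholder module does not exist.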
For the record, statement from perl team (written by kent\n)
----------------------------------------------------------------
Perl 5.22.3 is getting to a stage of "ridiculous amounts of time shipping a critical release" now and so we're planning on shipping one of their release candidates with their fixes.

All the "Actually vulnerable modules" have been fixed and they're a done deal and there's no drama around them.

There's only one place that's holding upstream back, and that's they think they need to severely break base.pm's API in a bugfix release. Due to the nature of this change, it does break a lot of things without actually changing the overall landscape of the security surface, and it seemed logical to me that the right thing to do security wise, is bypass upstream and ship their RC now with base.pm reverted into an "uncontentious" state.

This way we can get 5.22.3 with as many security fixes as possible, now, instead of sitting here with no fixes for goodness knows how long, and we don't have to trade off with "uh oh, lots of code breaks" happening with our next stable candidate.

The worst thing about the nature of this change is the primary risk audiences are audiences who have old code bases, especially not code-bases on CPAN, where base.pm could no longer see libraries that were designed to be loaded via './' implicit behaviour (such as maybe some infra scripts). Upstream don't even have a transition strategy in place, YOUR STUFF WILL JUST START BREAKING!

The fear is I've/we've missed some important consideration, and I need the oversight of you dear people, but we don't want a possible PR disaster with "(LWN: Gentoo deliberately ships vulnerable Perl)" or similar problems.

[ I can see this email on wikileaks already with somebody on 4chan finding a smoking gun ]

Upstream's changes to base.pm will eventually surface, and so far I think it's sensible to slate that in 5.24.1+ instead, so that this API breakage will get adequate testing before we deem it "stable".

Worst Case Scenario: We can still ship perl-5.22.3 with base.pm patched as upstream have later, at the price of breaking potentially everything. But I'd rather not.
Arches please stabilize the following dev-lang/perl and virtuals:

# All arches needed action
dev-lang/perl-5.22.3_rc4 all
virtual/perl-Archive-Tar-2.40.100_rc-r1 all
virtual/perl-bignum-0.390.100_rc all
virtual/perl-CPAN-2.110.100_rc-r1 all
virtual/perl-Digest-1.170.100_rc-r1 all
virtual/perl-Digest-SHA-5.950.100_rc-r1 all
virtual/perl-ExtUtils-Command-1.200.100_rc all
virtual/perl-ExtUtils-MakeMaker-7.40.200_rc all
virtual/perl-File-Spec-3.560.200_rc all
virtual/perl-HTTP-Tiny-0.54.10_rc all
virtual/perl-IO-Compress-2.68.1_rc all
virtual/perl-IO-1.350.100_rc all
virtual/perl-IPC-Cmd-0.920.100_rc-r1 all
virtual/perl-JSON-PP-2.273.0.100_rc-r1 all
virtual/perl-libnet-3.50.100_rc all
virtual/perl-Locale-Maketext-1.260.100_rc-r1 all
virtual/perl-Locale-Maketext-Simple-0.210.100_rc-r1 all
virtual/perl-Memoize-1.30.100_rc-r1 all
virtual/perl-Module-CoreList-5.201.610.192.200_rc all
virtual/perl-Net-Ping-2.430.100_rc-r1 all
virtual/perl-Parse-CPAN-Meta-1.441.400.100_rc all
virtual/perl-Storable-2.530.200_rc all
virtual/perl-Sys-Syslog-0.330.100_rc-r1 all
virtual/perl-Test-Harness-3.350.100_rc all
virtual/perl-Test-1.260.100_rc all
virtual/perl-XSLoader-0.200.100_rc all

# Arches that are lagging due to keyword history
virtual/perl-AutoLoader-5.740.0-r3 arm hppa
virtual/perl-ExtUtils-Constant-0.230.0-r9 arm
virtual/perl-Module-Loaded-0.80.0-r7 arm
virtual/perl-Safe-2.390.0-r2 arm
virtual/perl-Thread-Queue-3.50.0-r2 arm
virtual/perl-Thread-Semaphore-2.120.0-r7 arm
virtual/perl-Tie-RefHash-1.390.0-r6 arm
virtual/perl-Time-Piece-1.290.0-r1 arm hppa
virtual/perl-threads-2.10.0-r1 arm hppa
virtual/perl-threads-shared-1.480.0-r1 arm hppa

# HPPA Lagging
perl-core/Encode-2.730.0 hppa
virtual/perl-Attribute-Handlers-0.970.0-r1 hppa
virtual/perl-autodie-2.260.0-r1 hppa
virtual/perl-B-Debug-1.230.0-r2 hppa
virtual/perl-Carp-1.360.0-r1 hppa
virtual/perl-Compress-Raw-Bzip2-2.68.0-r1 hppa
virtual/perl-Compress-Raw-Zlib-2.68.0-r1 hppa
virtual/perl-CPAN-Meta-2.150.1-r1 hppa
virtual/perl-CPAN-Meta-Requirements-2.132.0-r1 hppa
virtual/perl-Data-Dumper-2.158.0-r1 hppa
virtual/perl-DB_File-1.835.0-r2 hppa
virtual/perl-Devel-PPPort-3.310.0-r1 hppa
virtual/perl-Digest-MD5-2.540.0-r2 hppa
virtual/perl-Encode-2.730.0-r1 hppa
virtual/perl-Exporter-5.720.0-r2 hppa
virtual/perl-ExtUtils-CBuilder-0.280.221-r1 hppa
virtual/perl-ExtUtils-Install-2.40.0-r2 hppa
virtual/perl-ExtUtils-Manifest-1.700.0-r3 hppa
virtual/perl-ExtUtils-ParseXS-3.280.0-r1 hppa
virtual/perl-Filter-Simple-0.920.0-r2 hppa
virtual/perl-Getopt-Long-2.450.0-r1 hppa
virtual/perl-IO-Socket-IP-0.370.0-r2 hppa
virtual/perl-if-0.60.400-r1 hppa
virtual/perl-Math-BigInt-1.999.700-r1 hppa
virtual/perl-Math-BigRat-0.260.800-r1 hppa
virtual/perl-MIME-Base64-3.150.0-r2 hppa
virtual/perl-Module-Load-Conditional-0.640.0-r2 hppa
virtual/perl-parent-0.232.0-r1 hppa
virtual/perl-Package-Constants-0.60.0-r1 hppa
virtual/perl-Perl-OSType-1.8.0-r1 hppa
virtual/perl-Pod-Escapes-1.70.0-r2 hppa
virtual/perl-podlators-2.5.3-r2 hppa
virtual/perl-Pod-Parser-1.630.0-r2 hppa
virtual/perl-Pod-Simple-3.290.0-r1 hppa
virtual/perl-Scalar-List-Utils-1.410.0-r1 hppa
virtual/perl-Socket-2.18.0-r1 hppa
virtual/perl-Term-ANSIColor-4.30.0-r1 hppa
virtual/perl-Term-ReadLine-1.150.0-r2 hppa
virtual/perl-Test-Simple-1.1.14_p522-r1 hppa
virtual/perl-Text-Balanced-2.30.0-r2 hppa
virtual/perl-Text-ParseWords-3.300.0-r2 hppa
virtual/perl-Unicode-Collate-1.120.0-r1 hppa
virtual/perl-Unicode-Normalize-1.180.0-r1 hppa
Stable on alpha.
arm stable
amd64 stable
x86 stable
hppa, ia64, ppc, ppc64, sparc: ping pretty please!
Created attachment 458804: stabilization list
Add attached stabilization list (identical to the one above).
An automated check of this bug failed - the following atom is unknown: # Please verify the atom list.
An automated check of this bug failed - repoman reported dependency errors:
> dependency.bad virtual/perl-Package-Constants/perl-Package-Constants-0.60.0-r1.ebuild: RDEPEND: hppa(default/linux/hppa/13.0) ['~perl-core/Package-Constants-0.60.0']
Created attachment 459118: stabilization list
Updated stabilization list:
- Reduced to show only work remaining to be done
- Added missing perl-core/ nodes required to sustain lagging hppa
ppc stable
ia64 stable
sparc stable
ppc64 stable
hppa: ping pretty please
Stable for HPPA.
@ security: please go ahead with GLSAs as applicable, here and also in related bugs.

Since masking the old versions confuses the portage dependency resolver, I'd rather not do that. Cleanup in a bit, when everyone has for sure updated (absent old ebuilds also confuse portage, yay).
New GLSA request filed.
This issue was resolved and addressed in GLSA 201701-75 at https://security.gentoo.org/glsa/201701-75 by GLSA coordinator Thomas Deutschmann (whissi).
Re-opening for cleanup. @ Maintainer(s): Please cleanup and drop <dev-lang/perl-5.22.3_rc4 or apply masks indicating a security problem!
Affected Perl versions cleaned up as of:

commit: 2777260fbdd69f8c09cb1477ec96501e93cf4731
author: 2017-01-24 20:05:47 +0000 Kent Fredric <kentnl@gentoo.org>
commit: 2017-02-19 15:22:28 +0000 Kent Fredric <kentnl@gentoo.org>
gpg-key: E854324B1366A820

    dev-lang/perl, virtual/perl-*: Cleanup 5.20* and eblits re bug #589680 and bug #586418

    Bug: https://bugs.gentoo.org/586418
    Bug: https://bugs.gentoo.org/589680
tree is clean.
perl out