Bugzilla – Bug 988311
VUL-0: CVE-2016-6185: perl: XSLoader loads relative paths not included in @INC
Last modified: 2020-09-24 13:23:04 UTC
somewhat similar to (currently embargoed) bug 987887

Jakub Wilk reported in [1] that the Perl module List::MoreUtils tried to load code from a subdirectory of the current working directory despite explicitly removing the current directory from @INC, which could lead to the execution of arbitrary code if cwd is untrusted, as demonstrated in the bug report.

While analyzing the issue[2], it turns out that the issue is actually in XSLoader, which uses caller() information to locate the .so file to load. This can be incorrect if XSLoader::load() is called in a string eval. The fix committed upstream is [3].

@MITRE: Could you please assign a CVE for this issue in XSLoader? Do you think List::MoreUtils needs a separate CVE as well, despite the underlying issue lying in XSLoader[4]?

Regards,
Salvatore

[1] https://bugs.debian.org/829138
[2] https://rt.cpan.org/Ticket/Display.html?id=115808
[3] http://perl5.git.perl.org/perl.git/commitdiff/08e3451d7
[4] https://bugs.debian.org/829578

$ zypper info --provides apache2-mod_perl | grep XSLoader
perl(APR::XSLoader)
perl(Apache2::XSLoader)
$ zypper info --provides perl-base | grep XSLoader
perl(XSLoader) == 0.16

devel:languages:perl perl-XSLoader

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1354386
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-6185
http://seclists.org/oss-sec/2016/q3/28
http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-6185.html
bugbot adjusting priority
Reproducer hint: So if someone creates a directory named ‘(eval 1)’ with a naughty binary file in it, it will be loaded if a script using Foo::Bar is run in the parent directory.
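A defensive check for the condition in the reproducer hint, added here as an example (not part of the bug report or of the upstream fix): it walks a directory tree and reports directories named like Perl's string-eval pseudo file name, "(eval N)", together with any loadable objects below them. The function names, the suffix list and the sample tree are assumptions made for the example.

```python
import os
import re
import tempfile

# Pseudo file name Perl reports for code compiled by a string eval: "(eval 1)", "(eval 2)", ...
EVAL_DIR = re.compile(r"^\(eval \d+\)$")
# Assumption: common suffixes of loadable objects; extend for the platforms you run
OBJ_SUFFIXES = (".so", ".bundle", ".dll")


def find_eval_dirs(root):
    """Return sorted (eval_dir, [loadable objects below it]) pairs found under root."""
    findings = []
    for dirpath, dirnames, _files in os.walk(root):
        for name in list(dirnames):
            if not EVAL_DIR.match(name):
                continue
            eval_dir = os.path.join(dirpath, name)
            objects = sorted(
                os.path.join(sub, f)
                for sub, _dirs, files in os.walk(eval_dir)
                for f in files
                if f.endswith(OBJ_SUFFIXES)
            )
            findings.append((eval_dir, objects))
            dirnames.remove(name)  # already inspected, do not descend again
    return sorted(findings)


def demo():
    """Scan a constructed sample tree; returns findings relative to its root."""
    with tempfile.TemporaryDirectory() as root:
        # Constructed layout with empty placeholder files only
        nested = os.path.join(root, "work", "(eval 1)", "sub")
        os.makedirs(nested)
        open(os.path.join(nested, "sample.so"), "w").close()
        os.makedirs(os.path.join(root, "work", "(eval 2)"))    # name matches, no object
        os.makedirs(os.path.join(root, "work", "evaluation"))  # must not be reported
        return [
            (os.path.relpath(d, root), [os.path.relpath(o, root) for o in objs])
            for d, objs in find_eval_dirs(root)
        ]


if __name__ == "__main__":
    for directory, objects in demo():
        print(directory, "->", objects or "no loadable objects")
```

Pointing find_eval_dirs() at directories from which Perl scripts are started (cron working directories, shared upload or temp areas) gives a quick check on hosts that have not yet received the fixed perl packages.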
SUSE-SU-2016:2246-1: An update that fixes four vulnerabilities is now available.
Category: security (moderate)
Bug References: 929027,967082,987887,988311
CVE References: CVE-2015-8853,CVE-2016-1238,CVE-2016-2381,CVE-2016-6185
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src): perl-5.10.0-64.80.1
SUSE Linux Enterprise Server 11-SP4 (src): perl-5.10.0-64.80.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src): perl-5.10.0-64.80.1

SUSE-SU-2016:2263-1: An update that solves four vulnerabilities and has two fixes is now available.
Category: security (moderate)
Bug References: 928292,932894,967082,984906,987887,988311
CVE References: CVE-2015-8853,CVE-2016-1238,CVE-2016-2381,CVE-2016-6185
Sources used:
SUSE Linux Enterprise Server 12-SP1 (src): perl-5.18.2-11.1
SUSE Linux Enterprise Desktop 12-SP1 (src): perl-5.18.2-11.1

openSUSE-SU-2016:2313-1: An update that solves four vulnerabilities and has two fixes is now available.
Category: security (moderate)
Bug References: 928292,932894,967082,984906,987887,988311
CVE References: CVE-2015-8853,CVE-2016-1238,CVE-2016-2381,CVE-2016-6185
Sources used:
openSUSE Leap 42.1 (src): perl-5.18.2-5.1
seems released
An update workflow for this issue was started. This issue was rated as moderate. Please submit fixed packages until 2018-07-10. When done, reassign the bug to security-team@suse.de. https://swamp.suse.de/webswamp/wf/64075
Released.