cpan-audit
command installed: change audited module version range
When auditing installed modules with command "installed" the audited version range is $version. This results in false positives for modules having advisories with an affected version range >=$version_affected assigned where $version < $version_affected.
This commit changes the audited version range to ==$version.
If there's a problem, it's probably going to be in CPAN::Audit::Query::advisories for, where I find the comment:
# select only the known distribution versions from the database,
# ignoring all others. For example, if $dist_version_range is
# ">5.1", we don't care about any versions less than or equal to 5.1.
# If $dist_version_range is "5.1", that really means ">=5.1"
But, I still don't understand the problem and could use an example of where it fails to figure out if it's working as designed (which might be different than expectations) or if there's something to fix.
I try to illustrate my case. Suppose you have:
perl -v
This is perl 5, version 24, subversion 4 (v5.24.4) built for x86_64-linux
(with 1 registered patch, see perl -V for more detail)
...
Running cpan-audit installed before the patch in question regarding advisories of the distribution perl is equivalent to:
cpan-audit dist perl '5.024004'
(This is actually equivalent to cpan-audit dist perl '>=5.024004' as you pointed out correctly in your comment above.)
And yields 16 advisories:
perl (requires 5.024004) has 16 advisories
* CPANSA-perl-2018-18313
Perl before 5.26.3 has a buffer over-read via a crafted regular expression that triggers disclosure of sensitive information from process memory.
Affected range: <5.26.3
Fixed range: >=5.26.3
CVEs: CVE-2018-18313
References:
https://www.debian.org/security/2018/dsa-4347
https://usn.ubuntu.com/3834-2/
https://rt.perl.org/Ticket/Display.html?id=133192
https://metacpan.org/changes/release/SHAY/perl-5.26.3
https://lists.fedoraproject.org/archives/list/[email protected]/message/RWQGEB543QN7SSBRKYJM6PSOC3RLYGSM/
https://github.com/Perl/perl5/commit/43b2f4ef399e2fd7240b4eeb0658686ad95f8e62
https://bugzilla.redhat.com/show_bug.cgi?id=1646738
http://www.securitytracker.com/id/1042181
https://usn.ubuntu.com/3834-1/
https://access.redhat.com/errata/RHSA-2019:0010
https://access.redhat.com/errata/RHSA-2019:0001
https://security.netapp.com/advisory/ntap-20190221-0003/
https://support.apple.com/kb/HT209600
https://seclists.org/bugtraq/2019/Mar/42
http://seclists.org/fulldisclosure/2019/Mar/49
https://security.gentoo.org/glsa/201909-01
https://www.oracle.com/security-alerts/cpujul2020.html
* CPANSA-perl-2018-18311
Perl before 5.26.3 and 5.28.x before 5.28.1 has a buffer overflow via a crafted regular expression that triggers invalid write operations.
Affected range: <5.28.1
Fixed range: >=5.28.1
CVEs: CVE-2018-18311
References:
https://www.debian.org/security/2018/dsa-4347
https://usn.ubuntu.com/3834-2/
https://rt.perl.org/Ticket/Display.html?id=133204
https://metacpan.org/changes/release/SHAY/perl-5.28.1
https://metacpan.org/changes/release/SHAY/perl-5.26.3
https://lists.fedoraproject.org/archives/list/[email protected]/message/RWQGEB543QN7SSBRKYJM6PSOC3RLYGSM/
https://lists.debian.org/debian-lts-announce/2018/11/msg00039.html
https://github.com/Perl/perl5/commit/34716e2a6ee2af96078d62b065b7785c001194be
https://bugzilla.redhat.com/show_bug.cgi?id=1646730
http://www.securitytracker.com/id/1042181
https://usn.ubuntu.com/3834-1/
http://www.securityfocus.com/bid/106145
https://access.redhat.com/errata/RHSA-2019:0010
https://access.redhat.com/errata/RHSA-2019:0001
https://access.redhat.com/errata/RHSA-2019:0109
https://security.netapp.com/advisory/ntap-20190221-0003/
https://support.apple.com/kb/HT209600
https://seclists.org/bugtraq/2019/Mar/42
http://seclists.org/fulldisclosure/2019/Mar/49
https://kc.mcafee.com/corporate/index?page=content&id=SB10278
https://access.redhat.com/errata/RHBA-2019:0327
https://access.redhat.com/errata/RHSA-2019:1790
https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html
https://access.redhat.com/errata/RHSA-2019:1942
https://access.redhat.com/errata/RHSA-2019:2400
https://security.gentoo.org/glsa/201909-01
https://www.oracle.com/security-alerts/cpuapr2020.html
https://www.oracle.com/security-alerts/cpujul2020.html
* CPANSA-perl-2023-47100
In Perl before 5.38.2, S_parse_uniprop_string in regcomp.c can write to unallocated space because a property name associated with a \p{...} regular expression construct is mishandled. The earliest affected version is 5.30.0.
Affected range: >=5.30.0,<5.36.3
>=5.38.0,<5.38.2
Fixed range: >=5.38.2
CVEs: CVE-2023-47100
References:
https://github.com/Perl/perl5/commit/ff1f9f59360afeebd6f75ca1502f5c3ebf077da3
https://github.com/Perl/perl5/commit/12c313ce49b36160a7ca2e9b07ad5bd92ee4a010
https://github.com/Perl/perl5/commit/7047915eef37fccd93e7cd985c29fe6be54650b6
* CPANSA-perl-2018-6797
An issue was discovered in Perl 5.18 through 5.26. A crafted regular expression can cause a heap-based buffer overflow, with control over the bytes written.
Affected range: >=5.18.0,<5.28.0
Fixed range: >=5.28.0
CVEs: CVE-2018-6797
References:
https://www.debian.org/security/2018/dsa-4172
https://rt.perl.org/Public/Bug/Display.html?id=132227
http://www.securitytracker.com/id/1040681
https://access.redhat.com/errata/RHSA-2018:1192
https://usn.ubuntu.com/3625-1/
http://www.securitytracker.com/id/1042004
https://security.gentoo.org/glsa/201909-01
https://www.oracle.com/security-alerts/cpujul2020.html
* CPANSA-perl-2018-6913
Heap-based buffer overflow in the pack function in Perl before 5.26.2 allows context-dependent attackers to execute arbitrary code via a large item count.
Affected range: <5.26.2
Fixed range: >=5.26.2
CVEs: CVE-2018-6913
References:
https://www.debian.org/security/2018/dsa-4172
https://rt.perl.org/Public/Bug/Display.html?id=131844
https://lists.debian.org/debian-lts-announce/2018/04/msg00009.html
http://www.securitytracker.com/id/1040681
https://usn.ubuntu.com/3625-2/
https://usn.ubuntu.com/3625-1/
http://www.securityfocus.com/bid/103953
https://security.gentoo.org/glsa/201909-01
https://www.oracle.com/security-alerts/cpujul2020.html
* CPANSA-perl-2023-47039
Perl for Windows relies on the system path environment variable to find the shell (cmd.exe). When running an executable which uses Windows Perl interpreter, Perl attempts to find and execute cmd.exe within the operating system. However, due to path search order issues, Perl initially looks for cmd.exe in the current working directory.
An attacker with limited privileges can exploit this behavior by placing cmd.exe in locations with weak permissions, such as C:\ProgramData. By doing so, when an administrator attempts to use this executable from these compromised locations, arbitrary code can be executed.
Affected range: <=5.38.0
Fixed range:
CVEs: CVE-2023-47039
References:
* CPANSA-perl-2018-6798
An issue was discovered in Perl 5.22 through 5.26. Matching a crafted locale dependent regular expression can cause a heap-based buffer over-read and potentially information disclosure.
Affected range: >=5.22.0,<5.28.0
Fixed range: >=5.28.0
CVEs: CVE-2018-6798
References:
https://www.debian.org/security/2018/dsa-4172
https://rt.perl.org/Public/Bug/Display.html?id=132063
http://www.securitytracker.com/id/1040681
https://access.redhat.com/errata/RHSA-2018:1192
https://usn.ubuntu.com/3625-1/
https://security.gentoo.org/glsa/201909-01
https://www.oracle.com/security-alerts/cpujul2020.html
* CPANSA-perl-2020-12723
regcomp.c in Perl before 5.30.3 allows a buffer overflow via a crafted regular expression because of recursive S_study_chunk calls.
Affected range: <5.30.3
Fixed range: >=5.30.3
CVEs: CVE-2020-12723
References:
https://github.com/Perl/perl5/compare/v5.30.2...v5.30.3
https://github.com/Perl/perl5/blob/blead/pod/perl5303delta.pod
https://github.com/Perl/perl5/issues/16947
https://github.com/perl/perl5/commit/66bbb51b93253a3f87d11c2695cfb7bdb782184a
https://github.com/Perl/perl5/issues/17743
https://security.netapp.com/advisory/ntap-20200611-0001/
https://security.gentoo.org/glsa/202006-03
https://lists.fedoraproject.org/archives/list/[email protected]/message/IN3TTBO5KSGWE5IRIKDJ5JSQRH7ANNXE/
http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00044.html
https://www.oracle.com/security-alerts/cpuoct2020.html
https://www.oracle.com/security-alerts/cpujan2021.html
https://www.oracle.com/security-alerts/cpuApr2021.html
https://www.oracle.com//security-alerts/cpujul2021.html
https://www.oracle.com/security-alerts/cpuoct2021.html
https://www.oracle.com/security-alerts/cpujan2022.html
https://www.oracle.com/security-alerts/cpuapr2022.html
* CPANSA-perl-2017-12883
Buffer overflow in the S_grok_bslash_N function in regcomp.c in Perl 5 before 5.24.3-RC1 and 5.26.x before 5.26.1-RC1 allows remote attackers to disclose sensitive information or cause a denial of service (application crash) via a crafted regular expression with an invalid '\\N{U+...}' escape.
Affected range: <5.26.1
Fixed range: >=5.26.1
CVEs: CVE-2017-12883
References:
https://perl5.git.perl.org/perl.git/log/refs/tags/v5.26.1-RC1
https://perl5.git.perl.org/perl.git/log/refs/tags/v5.24.3-RC1
https://perl5.git.perl.org/perl.git/commitdiff/2be4edede4ae226e2eebd4eff28cedd2041f300f#patch1
https://bugzilla.redhat.com/show_bug.cgi?id=1492093
http://www.securityfocus.com/bid/100852
http://mirror.cucumberlinux.com/cucumber/cucumber-1.0/source/lang-base/perl/patches/CVE-2017-12883.patch
https://rt.perl.org/Public/Bug/Display.html?id=131598
http://www.debian.org/security/2017/dsa-3982
https://security.netapp.com/advisory/ntap-20180426-0001/
https://www.oracle.com/security-alerts/cpujul2020.html
* CPANSA-perl-2018-18314
Perl before 5.26.3 has a buffer overflow via a crafted regular expression that triggers invalid write operations.
Affected range: <5.26.3
Fixed range: >=5.26.3
CVEs: CVE-2018-18314
References:
https://www.debian.org/security/2018/dsa-4347
https://rt.perl.org/Ticket/Display.html?id=131649
https://metacpan.org/changes/release/SHAY/perl-5.26.3
https://lists.fedoraproject.org/archives/list/[email protected]/message/RWQGEB543QN7SSBRKYJM6PSOC3RLYGSM/
https://github.com/Perl/perl5/commit/19a498a461d7c81ae3507c450953d1148efecf4f
https://bugzilla.redhat.com/show_bug.cgi?id=1646751
http://www.securitytracker.com/id/1042181
https://usn.ubuntu.com/3834-1/
http://www.securityfocus.com/bid/106145
https://access.redhat.com/errata/RHSA-2019:0010
https://access.redhat.com/errata/RHSA-2019:0001
https://security.netapp.com/advisory/ntap-20190221-0003/
https://security.gentoo.org/glsa/201909-01
https://www.oracle.com/security-alerts/cpujul2020.html
* CPANSA-perl-2017-12814
Stack-based buffer overflow in the CPerlHost::Add method in win32/perlhost.h in Perl before 5.24.3-RC1 and 5.26.x before 5.26.1-RC1 on Windows allows attackers to execute arbitrary code via a long environment variable.
Affected range: >=5.24.0,<=5.26.0
Fixed range:
CVEs: CVE-2017-12814
References:
https://rt.perl.org/Public/Bug/Display.html?id=131665
https://perl5.git.perl.org/perl.git/log/refs/tags/v5.26.1-RC1
https://perl5.git.perl.org/perl.git/log/refs/tags/v5.24.3-RC1
http://www.securityfocus.com/bid/101051
https://security.netapp.com/advisory/ntap-20180426-0001/
https://www.oracle.com/security-alerts/cpujul2020.html
* CPANSA-perl-2017-12837
Heap-based buffer overflow in the S_regatom function in regcomp.c in Perl 5 before 5.24.3-RC1 and 5.26.x before 5.26.1-RC1 allows remote attackers to cause a denial of service (out-of-bounds write) via a regular expression with a '\\N{}' escape and the case-insensitive modifier.
Affected range: <5.26.1
Fixed range: >=5.28.1
CVEs: CVE-2017-12837
References:
https://perl5.git.perl.org/perl.git/log/refs/tags/v5.26.1-RC1
https://perl5.git.perl.org/perl.git/log/refs/tags/v5.24.3-RC1
https://perl5.git.perl.org/perl.git/commitdiff/96c83ed78aeea1a0496dd2b2d935869a822dc8a5
https://bugzilla.redhat.com/show_bug.cgi?id=1492091
http://www.securityfocus.com/bid/100860
https://rt.perl.org/Public/Bug/Display.html?id=131582
http://www.debian.org/security/2017/dsa-3982
https://security.netapp.com/advisory/ntap-20180426-0001/
https://www.oracle.com/security-alerts/cpujul2020.html
* CPANSA-perl-2020-10543
Perl before 5.30.3 on 32-bit platforms allows a heap-based buffer overflow because nested regular expression quantifiers have an integer overflow.
Affected range: <5.30.3
Fixed range: >=5.30.3
CVEs: CVE-2020-10543
References:
https://github.com/Perl/perl5/compare/v5.30.2...v5.30.3
https://github.com/perl/perl5/commit/897d1f7fd515b828e4b198d8b8bef76c6faf03ed
https://github.com/Perl/perl5/blob/blead/pod/perl5303delta.pod
https://security.netapp.com/advisory/ntap-20200611-0001/
https://security.gentoo.org/glsa/202006-03
https://lists.fedoraproject.org/archives/list/[email protected]/message/IN3TTBO5KSGWE5IRIKDJ5JSQRH7ANNXE/
http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00044.html
https://www.oracle.com/security-alerts/cpuoct2020.html
https://www.oracle.com/security-alerts/cpujan2021.html
https://www.oracle.com/security-alerts/cpuApr2021.html
https://www.oracle.com//security-alerts/cpujul2021.html
https://www.oracle.com/security-alerts/cpuoct2021.html
https://www.oracle.com/security-alerts/cpujan2022.html
https://www.oracle.com/security-alerts/cpuapr2022.html
* CPANSA-perl-2023-47038
A crafted regular expression when compiled by perl 5.30.0 through 5.38.0 can cause a one attacker controlled byte buffer overflow in a heap allocated buffer
Affected range: >=5.30.0,<5.34.3
>=5.36.0,<5.36.3
>=5.38.0,<5.38.2
Fixed range: 5.34.3
5.36.3
5.38.2
CVEs: CVE-2023-47038
References:
* CPANSA-perl-2018-18312
Perl before 5.26.3 and 5.28.0 before 5.28.1 has a buffer overflow via a crafted regular expression that triggers invalid write operations.
Affected range: <5.28.1
Fixed range: >=5.28.1
CVEs: CVE-2018-18312
References:
https://www.debian.org/security/2018/dsa-4347
https://rt.perl.org/Public/Bug/Display.html?id=133423
https://metacpan.org/changes/release/SHAY/perl-5.28.1
https://metacpan.org/changes/release/SHAY/perl-5.26.3
https://lists.fedoraproject.org/archives/list/[email protected]/message/RWQGEB543QN7SSBRKYJM6PSOC3RLYGSM/
https://bugzilla.redhat.com/show_bug.cgi?id=1646734
http://www.securitytracker.com/id/1042181
https://usn.ubuntu.com/3834-1/
http://www.securityfocus.com/bid/106179
https://access.redhat.com/errata/RHSA-2019:0010
https://access.redhat.com/errata/RHSA-2019:0001
https://security.netapp.com/advisory/ntap-20190221-0003/
https://security.gentoo.org/glsa/201909-01
https://www.oracle.com/security-alerts/cpujul2020.html
* CPANSA-perl-2020-10878
Perl before 5.30.3 has an integer overflow related to mishandling of a "PL_regkind[OP(n)] == NOTHING" situation. A crafted regular expression could lead to malformed bytecode with a possibility of instruction injection.
Affected range: <5.30.3
Fixed range: >=5.30.3
CVEs: CVE-2020-10878
References:
https://github.com/Perl/perl5/compare/v5.30.2...v5.30.3
https://github.com/perl/perl5/commit/3295b48defa0f8570114877b063fe546dd348b3c
https://github.com/perl/perl5/commit/0a320d753fe7fca03df259a4dfd8e641e51edaa8
https://github.com/Perl/perl5/blob/blead/pod/perl5303delta.pod
https://security.netapp.com/advisory/ntap-20200611-0001/
https://security.gentoo.org/glsa/202006-03
https://lists.fedoraproject.org/archives/list/[email protected]/message/IN3TTBO5KSGWE5IRIKDJ5JSQRH7ANNXE/
http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00044.html
https://www.oracle.com/security-alerts/cpuoct2020.html
https://www.oracle.com/security-alerts/cpujan2021.html
https://www.oracle.com/security-alerts/cpuApr2021.html
https://www.oracle.com//security-alerts/cpujul2021.html
https://www.oracle.com/security-alerts/cpuoct2021.html
https://www.oracle.com/security-alerts/cpujan2022.html
https://www.oracle.com/security-alerts/cpuapr2022.html
With the patch it is equivalent to:
cpan-audit dist perl '==5.024004'
And yields 14 advisories:
perl (requires ==5.024004) has 14 advisories
* CPANSA-perl-2018-18313
Perl before 5.26.3 has a buffer over-read via a crafted regular expression that triggers disclosure of sensitive information from process memory.
Affected range: <5.26.3
Fixed range: >=5.26.3
CVEs: CVE-2018-18313
References:
https://www.debian.org/security/2018/dsa-4347
https://usn.ubuntu.com/3834-2/
https://rt.perl.org/Ticket/Display.html?id=133192
https://metacpan.org/changes/release/SHAY/perl-5.26.3
https://lists.fedoraproject.org/archives/list/[email protected]/message/RWQGEB543QN7SSBRKYJM6PSOC3RLYGSM/
https://github.com/Perl/perl5/commit/43b2f4ef399e2fd7240b4eeb0658686ad95f8e62
https://bugzilla.redhat.com/show_bug.cgi?id=1646738
http://www.securitytracker.com/id/1042181
https://usn.ubuntu.com/3834-1/
https://access.redhat.com/errata/RHSA-2019:0010
https://access.redhat.com/errata/RHSA-2019:0001
https://security.netapp.com/advisory/ntap-20190221-0003/
https://support.apple.com/kb/HT209600
https://seclists.org/bugtraq/2019/Mar/42
http://seclists.org/fulldisclosure/2019/Mar/49
https://security.gentoo.org/glsa/201909-01
https://www.oracle.com/security-alerts/cpujul2020.html
* CPANSA-perl-2023-47039
Perl for Windows relies on the system path environment variable to find the shell (cmd.exe). When running an executable which uses Windows Perl interpreter, Perl attempts to find and execute cmd.exe within the operating system. However, due to path search order issues, Perl initially looks for cmd.exe in the current working directory.
An attacker with limited privileges can exploit this behavior by placing cmd.exe in locations with weak permissions, such as C:\ProgramData. By doing so, when an administrator attempts to use this executable from these compromised locations, arbitrary code can be executed.
Affected range: <=5.38.0
Fixed range:
CVEs: CVE-2023-47039
References:
* CPANSA-perl-2017-12837
Heap-based buffer overflow in the S_regatom function in regcomp.c in Perl 5 before 5.24.3-RC1 and 5.26.x before 5.26.1-RC1 allows remote attackers to cause a denial of service (out-of-bounds write) via a regular expression with a '\\N{}' escape and the case-insensitive modifier.
Affected range: <5.26.1
Fixed range: >=5.28.1
CVEs: CVE-2017-12837
References:
https://perl5.git.perl.org/perl.git/log/refs/tags/v5.26.1-RC1
https://perl5.git.perl.org/perl.git/log/refs/tags/v5.24.3-RC1
https://perl5.git.perl.org/perl.git/commitdiff/96c83ed78aeea1a0496dd2b2d935869a822dc8a5
https://bugzilla.redhat.com/show_bug.cgi?id=1492091
http://www.securityfocus.com/bid/100860
https://rt.perl.org/Public/Bug/Display.html?id=131582
http://www.debian.org/security/2017/dsa-3982
https://security.netapp.com/advisory/ntap-20180426-0001/
https://www.oracle.com/security-alerts/cpujul2020.html
* CPANSA-perl-2020-10543
Perl before 5.30.3 on 32-bit platforms allows a heap-based buffer overflow because nested regular expression quantifiers have an integer overflow.
Affected range: <5.30.3
Fixed range: >=5.30.3
CVEs: CVE-2020-10543
References:
https://github.com/Perl/perl5/compare/v5.30.2...v5.30.3
https://github.com/perl/perl5/commit/897d1f7fd515b828e4b198d8b8bef76c6faf03ed
https://github.com/Perl/perl5/blob/blead/pod/perl5303delta.pod
https://security.netapp.com/advisory/ntap-20200611-0001/
https://security.gentoo.org/glsa/202006-03
https://lists.fedoraproject.org/archives/list/[email protected]/message/IN3TTBO5KSGWE5IRIKDJ5JSQRH7ANNXE/
http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00044.html
https://www.oracle.com/security-alerts/cpuoct2020.html
https://www.oracle.com/security-alerts/cpujan2021.html
https://www.oracle.com/security-alerts/cpuApr2021.html
https://www.oracle.com//security-alerts/cpujul2021.html
https://www.oracle.com/security-alerts/cpuoct2021.html
https://www.oracle.com/security-alerts/cpujan2022.html
https://www.oracle.com/security-alerts/cpuapr2022.html
* CPANSA-perl-2018-6797
An issue was discovered in Perl 5.18 through 5.26. A crafted regular expression can cause a heap-based buffer overflow, with control over the bytes written.
Affected range: >=5.18.0,<5.28.0
Fixed range: >=5.28.0
CVEs: CVE-2018-6797
References:
https://www.debian.org/security/2018/dsa-4172
https://rt.perl.org/Public/Bug/Display.html?id=132227
http://www.securitytracker.com/id/1040681
https://access.redhat.com/errata/RHSA-2018:1192
https://usn.ubuntu.com/3625-1/
http://www.securitytracker.com/id/1042004
https://security.gentoo.org/glsa/201909-01
https://www.oracle.com/security-alerts/cpujul2020.html
* CPANSA-perl-2017-12814
Stack-based buffer overflow in the CPerlHost::Add method in win32/perlhost.h in Perl before 5.24.3-RC1 and 5.26.x before 5.26.1-RC1 on Windows allows attackers to execute arbitrary code via a long environment variable.
Affected range: >=5.24.0,<=5.26.0
Fixed range:
CVEs: CVE-2017-12814
References:
https://rt.perl.org/Public/Bug/Display.html?id=131665
https://perl5.git.perl.org/perl.git/log/refs/tags/v5.26.1-RC1
https://perl5.git.perl.org/perl.git/log/refs/tags/v5.24.3-RC1
http://www.securityfocus.com/bid/101051
https://security.netapp.com/advisory/ntap-20180426-0001/
https://www.oracle.com/security-alerts/cpujul2020.html
* CPANSA-perl-2017-12883
Buffer overflow in the S_grok_bslash_N function in regcomp.c in Perl 5 before 5.24.3-RC1 and 5.26.x before 5.26.1-RC1 allows remote attackers to disclose sensitive information or cause a denial of service (application crash) via a crafted regular expression with an invalid '\\N{U+...}' escape.
Affected range: <5.26.1
Fixed range: >=5.26.1
CVEs: CVE-2017-12883
References:
https://perl5.git.perl.org/perl.git/log/refs/tags/v5.26.1-RC1
https://perl5.git.perl.org/perl.git/log/refs/tags/v5.24.3-RC1
https://perl5.git.perl.org/perl.git/commitdiff/2be4edede4ae226e2eebd4eff28cedd2041f300f#patch1
https://bugzilla.redhat.com/show_bug.cgi?id=1492093
http://www.securityfocus.com/bid/100852
http://mirror.cucumberlinux.com/cucumber/cucumber-1.0/source/lang-base/perl/patches/CVE-2017-12883.patch
https://rt.perl.org/Public/Bug/Display.html?id=131598
http://www.debian.org/security/2017/dsa-3982
https://security.netapp.com/advisory/ntap-20180426-0001/
https://www.oracle.com/security-alerts/cpujul2020.html
* CPANSA-perl-2018-6913
Heap-based buffer overflow in the pack function in Perl before 5.26.2 allows context-dependent attackers to execute arbitrary code via a large item count.
Affected range: <5.26.2
Fixed range: >=5.26.2
CVEs: CVE-2018-6913
References:
https://www.debian.org/security/2018/dsa-4172
https://rt.perl.org/Public/Bug/Display.html?id=131844
https://lists.debian.org/debian-lts-announce/2018/04/msg00009.html
http://www.securitytracker.com/id/1040681
https://usn.ubuntu.com/3625-2/
https://usn.ubuntu.com/3625-1/
http://www.securityfocus.com/bid/103953
https://security.gentoo.org/glsa/201909-01
https://www.oracle.com/security-alerts/cpujul2020.html
* CPANSA-perl-2020-10878
Perl before 5.30.3 has an integer overflow related to mishandling of a "PL_regkind[OP(n)] == NOTHING" situation. A crafted regular expression could lead to malformed bytecode with a possibility of instruction injection.
Affected range: <5.30.3
Fixed range: >=5.30.3
CVEs: CVE-2020-10878
References:
https://github.com/Perl/perl5/compare/v5.30.2...v5.30.3
https://github.com/perl/perl5/commit/3295b48defa0f8570114877b063fe546dd348b3c
https://github.com/perl/perl5/commit/0a320d753fe7fca03df259a4dfd8e641e51edaa8
https://github.com/Perl/perl5/blob/blead/pod/perl5303delta.pod
https://security.netapp.com/advisory/ntap-20200611-0001/
https://security.gentoo.org/glsa/202006-03
https://lists.fedoraproject.org/archives/list/[email protected]/message/IN3TTBO5KSGWE5IRIKDJ5JSQRH7ANNXE/
http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00044.html
https://www.oracle.com/security-alerts/cpuoct2020.html
https://www.oracle.com/security-alerts/cpujan2021.html
https://www.oracle.com/security-alerts/cpuApr2021.html
https://www.oracle.com//security-alerts/cpujul2021.html
https://www.oracle.com/security-alerts/cpuoct2021.html
https://www.oracle.com/security-alerts/cpujan2022.html
https://www.oracle.com/security-alerts/cpuapr2022.html
* CPANSA-perl-2018-18312
Perl before 5.26.3 and 5.28.0 before 5.28.1 has a buffer overflow via a crafted regular expression that triggers invalid write operations.
Affected range: <5.28.1
Fixed range: >=5.28.1
CVEs: CVE-2018-18312
References:
https://www.debian.org/security/2018/dsa-4347
https://rt.perl.org/Public/Bug/Display.html?id=133423
https://metacpan.org/changes/release/SHAY/perl-5.28.1
https://metacpan.org/changes/release/SHAY/perl-5.26.3
https://lists.fedoraproject.org/archives/list/[email protected]/message/RWQGEB543QN7SSBRKYJM6PSOC3RLYGSM/
https://bugzilla.redhat.com/show_bug.cgi?id=1646734
http://www.securitytracker.com/id/1042181
https://usn.ubuntu.com/3834-1/
http://www.securityfocus.com/bid/106179
https://access.redhat.com/errata/RHSA-2019:0010
https://access.redhat.com/errata/RHSA-2019:0001
https://security.netapp.com/advisory/ntap-20190221-0003/
https://security.gentoo.org/glsa/201909-01
https://www.oracle.com/security-alerts/cpujul2020.html
* CPANSA-perl-2018-6798
An issue was discovered in Perl 5.22 through 5.26. Matching a crafted locale dependent regular expression can cause a heap-based buffer over-read and potentially information disclosure.
Affected range: >=5.22.0,<5.28.0
Fixed range: >=5.28.0
CVEs: CVE-2018-6798
Affected range: >=5.30.0,<5.34.3
>=5.36.0,<5.36.3
>=5.38.0,<5.38.2
Fixed range: 5.34.3
5.36.3
5.38.2
References:
https://www.debian.org/security/2018/dsa-4172
https://rt.perl.org/Public/Bug/Display.html?id=132063
http://www.securitytracker.com/id/1040681
https://access.redhat.com/errata/RHSA-2018:1192
https://usn.ubuntu.com/3625-1/
https://security.gentoo.org/glsa/201909-01
https://www.oracle.com/security-alerts/cpujul2020.html
* CPANSA-perl-2018-18311
Perl before 5.26.3 and 5.28.x before 5.28.1 has a buffer overflow via a crafted regular expression that triggers invalid write operations.
Affected range: <5.28.1
Fixed range: >=5.28.1
CVEs: CVE-2018-18311
References:
https://www.debian.org/security/2018/dsa-4347
https://usn.ubuntu.com/3834-2/
https://rt.perl.org/Ticket/Display.html?id=133204
https://metacpan.org/changes/release/SHAY/perl-5.28.1
https://metacpan.org/changes/release/SHAY/perl-5.26.3
https://lists.fedoraproject.org/archives/list/[email protected]/message/RWQGEB543QN7SSBRKYJM6PSOC3RLYGSM/
https://lists.debian.org/debian-lts-announce/2018/11/msg00039.html
https://github.com/Perl/perl5/commit/34716e2a6ee2af96078d62b065b7785c001194be
https://bugzilla.redhat.com/show_bug.cgi?id=1646730
http://www.securitytracker.com/id/1042181
https://usn.ubuntu.com/3834-1/
http://www.securityfocus.com/bid/106145
https://access.redhat.com/errata/RHSA-2019:0010
https://access.redhat.com/errata/RHSA-2019:0001
https://access.redhat.com/errata/RHSA-2019:0109
https://security.netapp.com/advisory/ntap-20190221-0003/
https://support.apple.com/kb/HT209600
https://seclists.org/bugtraq/2019/Mar/42
http://seclists.org/fulldisclosure/2019/Mar/49
https://kc.mcafee.com/corporate/index?page=content&id=SB10278
https://access.redhat.com/errata/RHBA-2019:0327
https://access.redhat.com/errata/RHSA-2019:1790
https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html
https://access.redhat.com/errata/RHSA-2019:1942
https://access.redhat.com/errata/RHSA-2019:2400
https://security.gentoo.org/glsa/201909-01
https://www.oracle.com/security-alerts/cpuapr2020.html
https://www.oracle.com/security-alerts/cpujul2020.html
* CPANSA-perl-2018-18314
Perl before 5.26.3 has a buffer overflow via a crafted regular expression that triggers invalid write operations.
Affected range: <5.26.3
Fixed range: >=5.26.3
CVEs: CVE-2018-18314
References:
https://www.debian.org/security/2018/dsa-4347
https://rt.perl.org/Ticket/Display.html?id=131649
https://metacpan.org/changes/release/SHAY/perl-5.26.3
https://lists.fedoraproject.org/archives/list/[email protected]/message/RWQGEB543QN7SSBRKYJM6PSOC3RLYGSM/
https://github.com/Perl/perl5/commit/19a498a461d7c81ae3507c450953d1148efecf4f
https://bugzilla.redhat.com/show_bug.cgi?id=1646751
http://www.securitytracker.com/id/1042181
https://usn.ubuntu.com/3834-1/
http://www.securityfocus.com/bid/106145
https://access.redhat.com/errata/RHSA-2019:0010
https://access.redhat.com/errata/RHSA-2019:0001
https://security.netapp.com/advisory/ntap-20190221-0003/
https://security.gentoo.org/glsa/201909-01
https://www.oracle.com/security-alerts/cpujul2020.html
* CPANSA-perl-2020-12723
regcomp.c in Perl before 5.30.3 allows a buffer overflow via a crafted regular expression because of recursive S_study_chunk calls.
Affected range: <5.30.3
Fixed range: >=5.30.3
CVEs: CVE-2020-12723
References:
https://github.com/Perl/perl5/compare/v5.30.2...v5.30.3
https://github.com/Perl/perl5/blob/blead/pod/perl5303delta.pod
https://github.com/Perl/perl5/issues/16947
https://github.com/perl/perl5/commit/66bbb51b93253a3f87d11c2695cfb7bdb782184a
https://github.com/Perl/perl5/issues/17743
https://security.netapp.com/advisory/ntap-20200611-0001/
https://security.gentoo.org/glsa/202006-03
https://lists.fedoraproject.org/archives/list/[email protected]/message/IN3TTBO5KSGWE5IRIKDJ5JSQRH7ANNXE/
http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00044.html
https://www.oracle.com/security-alerts/cpuoct2020.html
https://www.oracle.com/security-alerts/cpujan2021.html
https://www.oracle.com/security-alerts/cpuApr2021.html
https://www.oracle.com//security-alerts/cpujul2021.html
https://www.oracle.com/security-alerts/cpuoct2021.html
https://www.oracle.com/security-alerts/cpujan2022.html
https://www.oracle.com/security-alerts/cpuapr2022.html
Note this time the following advisories are missing:
CPANSA-perl-2023-47100
Affected range: >=5.30.0,<5.36.3
>=5.38.0,<5.38.2
Fixed range: >=5.38.2
and
CPANSA-perl-2023-47038
Affected range: >=5.30.0,<5.34.3
>=5.36.0,<5.36.3
>=5.38.0,<5.38.2
Fixed range: 5.34.3
5.36.3
5.38.2
I argue that the patched version is more useful and also more in line with what one would expect from a command named installed: "Audit the installed distributions for known vulnerabilities. I do not care if later (not presently installed) versions of that distribution will introduce vulnerabilities. Leave this to the deps command."
(As an aside: It turned out that it is not reflected by the advisory database that some CVEs have been addressed already in maintenance versions of perl v5.24.x.)
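To make the disagreement above concrete, here is an added illustration (not code from this thread and not CPAN::Audit's own implementation; the function names parse_range, ranges_intersect and applicable_advisories are hypothetical). It implements cpanfile-style range matching in which a bare version is read as ">=", and then checks a constructed subset of the advisory ranges printed above against the two audited specs "5.024004" and "==5.024004". It goes slightly beyond the thread in that it also accepts ">", "<=" and "!=" clauses.

```perl
#!/usr/bin/env perl
# Added illustration, not CPAN::Audit code. Demonstrates why auditing
# ">=5.024004" pulls in advisories whose affected range starts above the
# installed version, while "==5.024004" does not.
use strict;
use warnings;
use version 0.77;

# Parse a range expression such as ">=5.30.0,<5.36.3" (comma means AND)
# into [op, version] clauses. A bare version is treated as ">=", which is
# the interpretation the thread describes for `cpan-audit dist perl 5.024004`.
sub parse_range {
    my ($spec) = @_;
    my @clauses;
    for my $part (split /\s*,\s*/, $spec) {
        $part =~ s/^\s+|\s+$//g;
        my ($op, $ver) = $part =~ /^(==|!=|>=|<=|>|<)?\s*(v?[\d._]+)$/
            or die "cannot parse version clause '$part'\n";
        push @clauses, [ $op // '>=', version->parse($ver) ];
    }
    return \@clauses;
}

# True if the conjunction of all given clause lists is satisfiable by some
# version, i.e. the ranges overlap. "==v" is expanded to ">=v" and "<=v" so
# only bounds and "!=" exclusions remain; versions are treated as a dense
# order, which is precise enough for deciding whether an advisory applies.
sub ranges_intersect {
    my @clauses = map { @$_ } @_;
    @clauses = map { $_->[0] eq '==' ? ([ '>=', $_->[1] ], [ '<=', $_->[1] ]) : $_ } @clauses;

    my ($lo, $lo_strict, $hi, $hi_strict, @excluded);
    for my $c (@clauses) {
        my ($op, $v) = @$c;
        if ($op eq '>=' || $op eq '>') {
            my $strict = $op eq '>';
            ($lo, $lo_strict) = ($v, $strict)
                if !defined $lo || $v > $lo || ($v == $lo && $strict);
        }
        elsif ($op eq '<=' || $op eq '<') {
            my $strict = $op eq '<';
            ($hi, $hi_strict) = ($v, $strict)
                if !defined $hi || $v < $hi || ($v == $hi && $strict);
        }
        else {
            push @excluded, $v;    # '!=' exclusion
        }
    }
    return 1 unless defined $lo && defined $hi;   # open on at least one side
    return 0 if $lo > $hi;
    if ($lo == $hi) {                              # exactly one candidate version
        return 0 if $lo_strict || $hi_strict;
        return 0 if grep { $_ == $lo } @excluded;
    }
    return 1;
}

# Ids of advisories whose affected ranges (alternatives, one per
# "Affected range:" line in the cpan-audit output) overlap the audited range.
sub applicable_advisories {
    my ($query_spec, $advisories) = @_;
    my $query = parse_range($query_spec);
    return map { $_->{id} } grep {
        my $adv = $_;
        grep { ranges_intersect($query, parse_range($_)) } @{ $adv->{affected} };
    } @$advisories;
}

# Constructed subset of the advisories listed above, reduced to their ranges.
my @advisories = (
    { id => 'CPANSA-perl-2018-18313', affected => ['<5.26.3'] },
    { id => 'CPANSA-perl-2018-6797',  affected => ['>=5.18.0,<5.28.0'] },
    { id => 'CPANSA-perl-2017-12814', affected => ['>=5.24.0,<=5.26.0'] },
    { id => 'CPANSA-perl-2023-47100', affected => ['>=5.30.0,<5.36.3', '>=5.38.0,<5.38.2'] },
    { id => 'CPANSA-perl-2023-47038', affected => ['>=5.30.0,<5.34.3', '>=5.36.0,<5.36.3', '>=5.38.0,<5.38.2'] },
);

for my $spec ('5.024004', '==5.024004') {
    my @hits = applicable_advisories($spec, \@advisories);
    printf "%-12s matches %d of %d advisories: %s\n",
        $spec, scalar @hits, scalar @advisories, join(', ', @hits);
}
```

With the bare spec the two 2023 advisories are reported because some version at or above 5.024004 lies in their affected range, which is exactly the false positive the commit message describes; with "==5.024004" only the ranges that actually contain the installed version remain. Note that version->parse normalises the decimal form 5.024004 and the dotted form 5.30.0 to the same representation before comparing, so both notations seen in the advisory output can be mixed freely.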
Are you using the latest CPAN::Audit? Can you show the output of cpan-audit --version?
When I run cpan-audit5.24.4 dist perl 5.024004 on perl 5.24.4, I get 14 advisories and I don't get the CPANSA-perl-2023-47100 or CPANSA-perl-2023-47038 reports. Note that the exit code is the number of reports plus 64 (so, 14 in this case):
$ cpan-audit5.24.4 --version
CPAN::Audit 20240908.001
$ cpan-audit5.24.4 dist perl 5.024004 > /dev/null
$ echo $?
78
This is not the same thing as cpan-audit installed, which only returns two reports (File::Temp and CPAN::Checksums). You'll have to explain that connection a bit more.
There's a chance that with older data there was some error in the report that forms the basis of the database, and that this error was fixed.
Can you also show me the output of cpan-audit5.24.4 show CPANSA-perl-2023-47100?
Took me a while to reach this guess: Are you using the still to be released CPANSA::DB locally?
When using CPAN::Audit::DB instead during the evaluation of $Module::CoreList::version{$]} some core modules are mapped to dist perl by module2dist and therefore perl is added to $dists even in the absence of option include_perl.
Only by chance it seems the correct version for dist perl is figured out as B::Op_private is at version 5.024004 and ranks highest of all core modules that are mapped to dist perl.
(Hope I am not too wrong here as this analysis happened in a hurry.)
As per your request:
$something/bin/cpan-audit version 1.502 using:
CPAN::Audit 20240908.001
CPANSA::DB
cpan-audit show CPANSA-perl-2023-47100
* CPANSA-perl-2023-47100
In Perl before 5.38.2, S_parse_uniprop_string in regcomp.c can write to unallocated space because a property name associated with a \p{...} regular expression construct is mishandled. The earliest affected version is 5.30.0.
Affected range: >=5.30.0,<5.36.3
>=5.38.0,<5.38.2
Fixed range: >=5.38.2
CVEs: CVE-2023-47100
References:
https://github.com/Perl/perl5/commit/ff1f9f59360afeebd6f75ca1502f5c3ebf077da3
https://github.com/Perl/perl5/commit/12c313ce49b36160a7ca2e9b07ad5bd92ee4a010
https://github.com/Perl/perl5/commit/7047915eef37fccd93e7cd985c29fe6be54650b6
I added the t/cli/dist.t test for this check. It passes GitHub Actions and I've released 20240911.001_01 so CPAN Testers can check it. So far the tests have not seen the same reports that you note in this issue.
Heh, you were right. I had a CPANSA::DB lying around in one version of perl that I was using to test this. And, there was a bug in --version that kept that from showing up.
I think we are seeing the same output here, although I also fixed up several of the perl reports too.
There are a couple ways to go with the dist command:
- leave this alone because this is the existing behavior. You'd have to use the == explicitly to get what you want. However, this needs to be documented.
- change the existing behavior such that a version range on the command line is implicitly == instead of '>=' if no range characters are specified. This still needs to be documented.
- change CPAN::Audit::Version::in_range to make == the default. This might do more than we really want, but I think it might be the better fix. This means we don't have to do weird things in any other step because it happens for us already. I'm leaning toward this one.
Regarding the dist command: I recommend not to change CPAN::Audit::Version::in_range's interpretation of version ranges with no range characters specified. Its present interpretation maps nicely to the cpanfile spec and one would have to adjust the implementation of the deps command to cater for this reinterpretation then. I do not think it would be a win.
I would rather want to see the first option plus emitting an informational message when a plain $version is specified saying that this has been interpreted as >=$version and to use "==$version" if this has not been intended.
I think we are seeing the same output here, although I also fixed up several of the perl reports too.
As I am not a native English speaker this is unclear to me: Are you saying after fixing the CPANSA::DB issue you see CPANSA-perl-2023-47038 and CPANSA-perl-2023-47100 listed in the result of a dist perl 5.024004? Or that nothing has changed compared to before this fix and the report does not list those advisories?
One could also make a plain version as argument to the dist and module commands fatal and advise the user to specify either ==$version or >=$version instead.
To me, it seems like saying "version 6.1 please" should just mean version 6.1.
Version specs are "greater than or equal to" in dependency lists because defaulting to exact versions would make getting new versions of modules a whole lot more work.
I haven't forgotten about this issue. I think in general this is the right solution but I want to look at it carefully to make sure it works. Since I didn't write most of this code, I don't quite understand how all of it plays together. I also need to try it in a clean environment.
A fix for this is in the latest trial release. I plan on releasing a new version next week. If you find anything weird in the trial, let me know:
This is now released as 20241208.001. If you find anything odd, open a new issue please.