cpan-security-advisory
Add reports in all modules listed in CVE-2016-1238
Perl 5.x before 5.22.3-RC2 and 5.24 before 5.24.1-RC2 do not properly remove . (period) characters from the end of the includes directory array, which might allow local users to gain privileges via a Trojan horse module under the current working directory.
These are all the programs listed in CVE-2016-1238. Some of these are listed simply because they are included in perl, so we need to evaluate which of these are actual problems and which should be listed as advisories since we cannot fix them prior to v5.26:
- [x] Archive::Tar (ptar, ptardiff, ptargrep) (already reported, fixed in 2.10)
- [ ] CPAN (cpan)
- [x] Digest::SHA (shasum) #180
- [x] Encode (unidump, ucmlint) (already reported, fixed in 2.85)
- [x] ExtUtils::MakeMaker (instmodsh) (already reported, fixed in 7.22)
- [x] IO::Compress (zipdetails) (already reported, fixed in 2.070)
- [ ] JSON::PP (json_pp)
- [ ] Test::Harness (prove)
- [x] ExtUtils::ParseXS (xsubpp) (fixed in 3.35 - https://metacpan.org/dist/ExtUtils-ParseXS/changes)
- [ ] Module::CoreList (corelist)
- [ ] Pod::Html (pod2html)
- [x] perl (fixed in 5.24.1)
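An added example, not code from the advisory or from any of the modules listed above, that audits `@INC` for the trailing-`.` condition CVE-2016-1238 describes and applies the same kind of guard the affected scripts needed; the function names are ours:

```perl
#!/usr/bin/perl
use strict;
use warnings;
use File::Spec;

# True when the include list ends with "." (perl before 5.26 appended it).
sub inc_has_trailing_dot {
    my @inc = @_;
    return (@inc && !ref($inc[-1]) && $inc[-1] eq '.') ? 1 : 0;
}

# Copy of the include list with "." removed. Code refs and objects (@INC
# hooks) are kept. Real scripts should do this in a BEGIN block, before any
# require that could fall through to the current working directory.
sub without_dot {
    return grep { ref($_) || $_ ne '.' } @_;
}

# Find Module::Name the way require does: first directory that holds
# Module/Name.pm. Returns that directory, or undef if nothing matches.
sub locate_module {
    my ($module, @inc) = @_;
    (my $rel = "$module.pm") =~ s{::}{/}g;
    for my $dir (@inc) {
        next if ref $dir;    # skip @INC hooks
        return $dir if -f File::Spec->catfile($dir, $rel);
    }
    return undef;
}

my @as_started = @INC;
printf "trailing '.' in \@INC: %s\n", inc_has_trailing_dot(@as_started) ? 'yes' : 'no';

# Audit each module named on the command line. The CVE-2016-1238 case is a
# module that no library directory provides but "." does: an optional
# require in one of the listed tools would load it from wherever the tool
# happens to be run.
for my $m (@ARGV) {
    my $where = locate_module($m, @as_started);
    if (!defined $where) {
        print "$m: not found (an optional require would be a no-op)\n";
    } elsif ($where eq '.') {
        print "$m: satisfied ONLY by the current directory\n";
    } else {
        print "$m: found in $where\n";
    }
}
@INC = without_dot(@as_started);    # the guard itself; keep it in BEGIN in real code
```

On perl 5.26 or later, where `.` is already gone, running with `PERL_USE_UNSAFE_INC=1` reproduces the pre-5.26 `@INC` that this audit is meant to catch.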
There are some problems with this security issue.
First, the problem is that perl previously included . in the default search path. That meant that directories the user did not intend to search are searched merely by being the current working directory.
However, the users can still get around this with something like PERL5OPT=-I$(cwd) (or whatever the correct shell syntax is). That's not much of a stretch beyond someone controlling the starting directory or choosing where to put malicious modules. This makes virtually all of CPAN vulnerable.
Second, the versions of some of these modules may have not changed in the affected versions. Or maybe they did. This takes a bit of work to figure out if these modules changed their source to respond to this, or merely changed versions around v5.26 for other reasons.
Third, a module might not fix a problem on its own, and being dual-lived, have a version included with v5.26 installed on earlier versions. The module is then only vulnerable based on the perl version.