
[xsawyerx@gmail.com: CVE-2016-1238: Important unsafe module load path flaw]



Dear all,

An update to perl, and several other packages, is on its way to jessie
as part of a DSA. I'm preparing the similar package for sid now.

I could use some help dealing with the extra packages for sid.

Please could team members look at the patches I've applied in the
jessie-security branches of

- libmodule-build-perl
- libmime-charset-perl
- libmime-encwords-perl
- libnet-dns-perl

and apply a similar fix to sid and forward it upstream? These are the
team-maintained packages that were found to be particularly vulnerable
to the issue described below.

Thanks,
Dominic.

----- Forwarded message from Sawyer X <xsawyerx@gmail.com> -----

Date: Mon, 25 Jul 2016 15:17:44 +0200
From: Sawyer X <xsawyerx@gmail.com>
To: Perl5 Porters <perl5-porters@perl.org>
Subject: CVE-2016-1238: Important unsafe module load path flaw

Steve Hay just pushed fixes for CVE-2016-1238 to maint-5.22 and
maint-5.24 for:
https://rt.perl.org/Ticket/Display.html?id=127834

Steve has also just released RCs for 5.22.3 and 5.24.1 carrying these fixes:

http://nntp.perl.org/group/perl.perl5.porters/238269
http://nntp.perl.org/group/perl.perl5.porters/238270


The problem relates to Perl 5 ("perl") loading modules from the includes
directory array ("@INC") in which the last element is the current
directory ("."). For more information, see the RT ticket linked above.

While the Perl Security group has attempted to mitigate some of these
problems by modifying Perl Modules, it is ultimately the responsibility
of the application writer to remove relative paths from @INC to assure
the security / consistent behavior of their code regardless of what
directory it executes from.

The fix is to check if the last entry of @INC is "." and if so, to
remove it as an included path.

The following line, when added to the top of Perl applications, should
mitigate this problem. This assumes your code is not intentionally
depending on paths relative to your current working directory:

    BEGIN { pop @INC if $INC[-1] eq '.' }

We would also like to discourage using relative paths in @INC.

This problem was first reported by John Lightsey and Todd Rinaldo,
courtesy of the cPanel Security Team at cPanel. The CVE is courtesy of
Debian. The fix was done by Tony Cook.

-- Sawyer X, p5p.


----- End forwarded message -----
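
The mitigation quoted in the forwarded advisory, generalized as an added example that is not part of either message or of the perl distribution: it drops every relative entry from @INC (for instance one introduced through PERL5LIB or -I), not only a trailing ".". The variable name @REMOVED_INC and the POSIX-only test for an absolute path are assumptions of this sketch.

```perl
#!/usr/bin/perl
# Runs before any other module is loaded, so the block below uses no modules.
our @REMOVED_INC;    # hypothetical name: relative entries dropped from @INC

BEGIN {
    my @keep;
    for my $entry (@INC) {
        # Keep @INC hooks (code/array/object references) untouched.
        # Assumption: POSIX-style paths, where "absolute" means a leading '/'.
        if (ref $entry or (defined $entry and $entry =~ m{^/})) {
            push @keep, $entry;
        }
        else {
            # '.', '', 'lib', '../lib' ... all resolve against the cwd.
            push @REMOVED_INC, defined $entry ? $entry : '(undef)';
        }
    }
    @INC = @keep;
}

use strict;
use warnings;

# Make the change visible, so a deployment that silently depended on a
# cwd-relative path shows up in the logs instead of failing mysteriously.
warn "dropped relative \@INC entry '$_'\n" for @REMOVED_INC;

# Constructed self-check: no relative path is left in @INC.
my @relative = grep { !ref $_ and $_ !~ m{^/} } @INC;
die "relative path still in \@INC: @relative\n" if @relative;

print "\@INC is absolute-only (", scalar(@INC), " entries)\n";
```

A later `use lib` with a relative argument would put a cwd-dependent path back, so any additional library directories should be given as absolute paths.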

