Add reports in all modules listed in CVE-2016-1238 #185

Open
7 of 12 tasks
briandfoy opened this issue Dec 31, 2024 · 1 comment
Labels: CVE (A Common Vulnerabilities and Exposures report), Status: needs help (needs outside expertise or capacity)

Comments


briandfoy commented Dec 31, 2024

Perl 5.x before 5.22.3-RC2 and 5.24 before 5.24.1-RC2 do not properly remove . (period) characters from the end of the includes directory array, which might allow local users to gain privileges via a Trojan horse module under the current working directory.

These are all the programs listed in CVE-2016-1238. Some of these are listed simply because they are included in perl, so we need to evaluate which of these are actual problems and which should be listed as advisories since we cannot fix them prior to v5.26:

  • Archive::Tar (ptar, ptardiff, ptargrep) (already reported, fixed in 2.10)
  • CPAN (cpan)
  • Digest::SHA (shasum) Digest-SHA #180
  • Encode (unidump, ucmlint) (already reported, fixed in 2.85)
  • ExtUtils::MakeMaker (instmodsh) (already reported, fixed in 7.22)
  • IO::Compress (zipdetails) (already reported, fixed in 2.070)
  • JSON::PP (json_pp)
  • Test::Harness (prove)
  • ExtUtils::ParseXS (xsubpp) (fixed in 3.35 - https://metacpan.org/dist/ExtUtils-ParseXS/changes)
  • Module::CoreList (corelist)
  • Pod::Html (pod2html)
  • perl (fixed in 5.24.1)
briandfoy added the labels Status: needs help (needs outside expertise or capacity) and CVE (A Common Vulnerabilities and Exposures report) Dec 31, 2024
briandfoy mentioned this issue Dec 31, 2024

briandfoy commented Dec 31, 2024

There are some problems with this security issue.

First, the problem is that perl previously included . in the default search path. That meant that directories the user did not intend to search are searched merely by being the current working directory.

However, the users can still get around this with something like PERL5OPT=-I$(cwd) (or whatever the correct shell syntax is). That's not much of a stretch beyond someone controlling the starting directory or choosing where to put malicious modules. This makes virtually all of CPAN vulnerable.

Second, the versions of some of these modules may not have changed in the affected versions. Or maybe they did. This takes a bit of work to figure out if these modules changed their source to respond to this, or merely changed versions around v5.26 for other reasons.

Third, a module might not fix a problem on its own and, being dual-lived, have a version included with v5.26 installed on earlier versions. The module is then only vulnerable based on the perl version.

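The search-path condition discussed in this thread, as an added example that is not part of the issue or of any of the listed modules: the script audits a search list for entries that mean the current directory, shows without loading anything which directory `require` would pick for a module, and opens with the `BEGIN { pop @INC if $INC[-1] eq '.' }` guard that the fixed core scripts use. Because `.` sat at the end of `@INC`, only a module not found in any earlier directory falls through to it, so the constructed layout (hypothetical names `Example::Installed` and `Example::Optional`, temporary directories) models exactly that optional-dependency case.

```perl
# Added example (not from the issue thread or the listed modules): audit a
# search list for the CVE-2016-1238 condition and show, without loading
# anything, where 'require' would resolve a module.
use strict;
use warnings;
use File::Spec;
use File::Temp qw(tempdir);

# Guard the fixed core scripts use: drop a trailing '.' before any later
# 'use'/'require' can fall through to the current working directory.
# Harmless on perl >= 5.26, where '.' is no longer in @INC by default.
BEGIN { pop @INC if @INC && $INC[-1] eq '.' }

# Search-list entries that mean "the current directory".
sub unsafe_inc_entries { return grep { $_ eq '.' || $_ eq '' } @_ }

# Dry-run resolution: the first directory holding Foo/Bar.pm wins.
sub resolve_module {
    my ($module, @inc) = @_;
    my $rel = File::Spec->catfile(split(/::/, $module)) . '.pm';
    for my $dir (@inc) {
        my $path = File::Spec->catfile($dir eq '' ? '.' : $dir, $rel);
        return $path if -f $path;
    }
    return;
}

# Constructed layout (hypothetical names): a "system" lib with an installed
# module, and a working directory with a module installed nowhere else.
sub write_stub {
    my ($dir, $name) = @_;
    mkdir "$dir/Example" or die "mkdir: $!" unless -d "$dir/Example";
    open my $fh, '>', "$dir/Example/$name.pm" or die "open: $!";
    print $fh "package Example::$name; 1;\n";
    close $fh;
}
my $lib = tempdir(CLEANUP => 1);
my $cwd = tempdir(CLEANUP => 1);
write_stub($lib, 'Installed');
write_stub($cwd, 'Optional');
chdir $cwd or die "chdir: $!";

my @vulnerable = ($lib, '.');   # shape of the pre-5.26 default @INC
my @fixed      = ($lib);        # after the fix, or after the BEGIN block above

printf "unsafe entries: vulnerable=%d fixed=%d\n",
    scalar unsafe_inc_entries(@vulnerable), scalar unsafe_inc_entries(@fixed);
printf "Example::Installed -> %s\n", resolve_module('Example::Installed', @vulnerable);
printf "Example::Optional  -> %s (vulnerable list)\n", resolve_module('Example::Optional', @vulnerable);
printf "Example::Optional  -> %s (fixed list)\n", resolve_module('Example::Optional', @fixed) // 'not found';
printf "this perl (%s): %d unsafe entries in \@INC\n", $], scalar unsafe_inc_entries(@INC);
```

The last line is the check worth running on a real installation: a non-zero count on a pre-5.26 perl, or on any perl started with `PERL_USE_UNSAFE_INC` or a `-I.`/`PERL5OPT` override, means the condition this issue tracks is present.
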
briandfoy added three commits that referenced this issue Dec 31, 2024
briandfoy self-assigned this Dec 31, 2024