CLD-16 Details

Other IDs this deficiency may be known by:

CVE ID CVE-2016-1238 (nvd) (mitre) (debian) (archlinux) (red hat) (suse) (ubuntu)
Other ID(s)

Basic Information:

Affected Package(s) perl
Deficiency Type SECURITY
Date Created 2017-09-10 18:18:35
Date Last Modified 2017-09-11 12:21:46

Version Specific Information:

Cucumber 1.0 i686 fixed in perl-5.22.4-i686-1 (we think)
Cucumber 1.0 x86_64 fixed in perl-5.22.4-x86_64-1 (we think)

Details:

(1) cpan/Archive-Tar/bin/ptar, (2) cpan/Archive-Tar/bin/ptardiff,
(3) cpan/Archive-Tar/bin/ptargrep, (4) cpan/CPAN/scripts/cpan,
(5) cpan/Digest-SHA/shasum, (6) cpan/Encode/bin/enc2xs,
(7) cpan/Encode/bin/encguess, (8) cpan/Encode/bin/piconv,
(9) cpan/Encode/bin/ucmlint, (10) cpan/Encode/bin/unidump,
(11) cpan/ExtUtils-MakeMaker/bin/instmodsh,
(12) cpan/IO-Compress/bin/zipdetails, (13) cpan/JSON-PP/bin/json_pp,
(14) cpan/Test-Harness/bin/prove,
(15) dist/ExtUtils-ParseXS/lib/ExtUtils/xsubpp,
(16) dist/Module-CoreList/corelist, (17) ext/Pod-Html/bin/pod2html,
(18) utils/c2ph.PL, (19) utils/h2ph.PL, (20) utils/h2xs.PL,
(21) utils/libnetcfg.PL, (22) utils/perlbug.PL, (23) utils/perldoc.PL,
(24) utils/perlivp.PL, and (25) utils/splain.PL
in Perl 5.x before 5.22.3-RC2 and 5.24 before 5.24.1-RC2 do not properly remove
. (period) characters from the end of the includes directory array, which might
allow local users to gain privileges via a Trojan horse module under the current
working directory (https://nvd.nist.gov/vuln/detail/CVE-2016-1238).

The Perl developers don't feel like making an official disclosure for this
vulnerability, so primary sources of information are unofficial third parties.
Seriously, the only acknowledgement found from any official Perl source is a
bugzilla page (https://rt.perl.org/Public/Bug/Display.html?id=127834) that
mentions the CVE id (CVE-2016-1238) only briefly in the comments section and
doesn't even state what release it was fixed in.

Here are some useful third party sources:

 * Red Hat does a decent job of explaining how the vulnerability works at
   https://bugzilla.redhat.com/show_bug.cgi?id=1355695.
 * SecurityTracker.com, NVD and the Gentoo security team claim this has been
   fixed in Perl 5.22.3-RC2 (http://www.securitytracker.com/id/1036440;
   https://security.gentoo.org/glsa/201701-75).
 * NVD claims that this was fixed in Perl commit
   cee96d52c39b1e7b36e1c62d38bcd8d86e9a41ab, which can be viewed at
   https://perl5.git.perl.org/perl.git/commit/cee96d52c39b1e7b36e1c62d38bcd8d86e9a41ab.
   The commit details of seem to support this (of course there's still no
   mention of the CVE ID though). This commit has been applied in the 5.22.4
   release of Perl, so if this infromation is correct, this vulnerability can
   be fixed by upgrading to Perl 5.22.4.

In conclusion, we are pretty confident that this has been fixed in Perl 5.22.4.
Unfortunately due to the lack of any official information, a full disclosure and
any testing code we can not be 100% sure of this.