CLD-153 Details

Other IDs this deficiency may be known by:

CVE ID CVE-2017-6512 (nvd) (mitre) (debian) (archlinux) (red hat) (suse) (ubuntu)
Other ID(s)

Basic Information:

Affected Package(s) perl
Deficiency Type SECURITY
Date Created 2017-11-24 14:56:53
Date Last Modified 2017-11-27 10:40:48

Version Specific Information:

Cucumber 1.0 i686fixed in perl-5.22.4-i686-4
Cucumber 1.0 x86_64fixed in perl-5.22.4-x86_64-4

Cucumber 1.1 i686 fixed in perl-5.26.1-i686-2
Cucumber 1.1 x86_64 fixed in perl-5.26.1-x86_64-2


CVE-2017-6512 (A.K.A CLD-153) is a race condition in the File-Path CPAN module
that allowed attackers to set the mode (permission bits) on arbitrary files.
For more information see:

Fixed by applying modified versions of the patch from here:

This patch has not been applied in the official versions of Perl 5.22.4 or
Perl 5.26.1, meaning Cucumber Linux 1.0 and 1.1 were both vulnerable to this
vulnerability. We have now manually applied modified versions this patch to
Cucumber Linux 1.0 and 1.1 (as of Sat Nov 25 12:28:05 EST 2017).

Here are the patches we applied:
	Cucumber Linux 1.0:
	Cucumber Linux 1.1:

Note that the Perl 5.22.4 (Cucumber Linux 1.0) patch causes the File-Path test
suite to report a failure. However; it fails because it expected 128 tests, but
ran 129 (the patch increases the test count, in line with how it was done in the
upstream patch). All of the 128 tests it does run pass though; it fails only
because of the additional test (which didn't survive the backporting process
entirely intact). Therefore, all the tests that actually apply to this version
of Perl pass. This reported "failure" is not actually a cause for concern and
can be safely ignored.

The original commit fixing this vulnerability can be found here: