CLD-16 Details
Other IDs this deficiency may be known by:
Basic Information:
Affected Package(s) |
perl |
Deficiency Type |
SECURITY |
Date Created |
2017-09-10 18:18:35 |
Date Last Modified |
2017-09-11 12:21:46 |
Version Specific Information:
Cucumber 1.0 i686 | fixed in perl-5.22.4-i686-1 (we think) |
Cucumber 1.0 x86_64 | fixed in perl-5.22.4-x86_64-1 (we think) |
Cucumber 1.1 i686 | fixed in perl-5.22.4-i686-1 (we think) |
Cucumber 1.1 x86_64 | fixed in perl-5.22.4-x86_64-1 (we think) |
Details:
(1) cpan/Archive-Tar/bin/ptar, (2) cpan/Archive-Tar/bin/ptardiff,
(3) cpan/Archive-Tar/bin/ptargrep, (4) cpan/CPAN/scripts/cpan,
(5) cpan/Digest-SHA/shasum, (6) cpan/Encode/bin/enc2xs,
(7) cpan/Encode/bin/encguess, (8) cpan/Encode/bin/piconv,
(9) cpan/Encode/bin/ucmlint, (10) cpan/Encode/bin/unidump,
(11) cpan/ExtUtils-MakeMaker/bin/instmodsh,
(12) cpan/IO-Compress/bin/zipdetails, (13) cpan/JSON-PP/bin/json_pp,
(14) cpan/Test-Harness/bin/prove,
(15) dist/ExtUtils-ParseXS/lib/ExtUtils/xsubpp,
(16) dist/Module-CoreList/corelist, (17) ext/Pod-Html/bin/pod2html,
(18) utils/c2ph.PL, (19) utils/h2ph.PL, (20) utils/h2xs.PL,
(21) utils/libnetcfg.PL, (22) utils/perlbug.PL, (23) utils/perldoc.PL,
(24) utils/perlivp.PL, and (25) utils/splain.PL
in Perl 5.x before 5.22.3-RC2 and 5.24 before 5.24.1-RC2 do not properly remove
. (period) characters from the end of the includes directory array, which might
allow local users to gain privileges via a Trojan horse module under the current
working directory (https://nvd.nist.gov/vuln/detail/CVE-2016-1238).
The Perl developers have not published an official advisory for this
vulnerability, so the primary sources of information are unofficial third parties.
The only acknowledgement we found from an official Perl source is a ticket in the
Perl bug tracker (https://rt.perl.org/Public/Bug/Display.html?id=127834) that
mentions the CVE ID (CVE-2016-1238) only briefly in the comments and does not
state which release it was fixed in.
Here are some useful third party sources:
* Red Hat does a decent job of explaining how the vulnerability works at
https://bugzilla.redhat.com/show_bug.cgi?id=1355695.
* SecurityTracker.com, NVD and the Gentoo security team claim this has been
fixed in Perl 5.22.3-RC2 (http://www.securitytracker.com/id/1036440;
https://security.gentoo.org/glsa/201701-75).
* NVD claims that this was fixed in Perl commit
cee96d52c39b1e7b36e1c62d38bcd8d86e9a41ab, which can be viewed at
https://perl5.git.perl.org/perl.git/commit/cee96d52c39b1e7b36e1c62d38bcd8d86e9a41ab.
The commit details seem to support this (though again there is no mention of
the CVE ID). This commit is included in the 5.22.4 release of Perl, so if this
information is correct, the vulnerability can be fixed by upgrading to
Perl 5.22.4.
In conclusion, we are fairly confident that this has been fixed in Perl 5.22.4.
However, given the lack of official information, a full disclosure or any test
code, we cannot be 100% sure of this.