Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Thu, 7 Jul 2016 13:49:24 +0200
From: Salvatore Bonaccorso <carnil@...ian.org>
To: OSS Security Mailinglist <oss-security@...ts.openwall.com>
Cc: perl5-porters@...l.org
Subject: CVE Request: perl: XSLoader: could load shared library from
 incorrect location

Hi,

Jakub Wilk reported in [1] that the Perl module List::MoreUtils tried
to load code from a subdirectory of the current working directory
despite explicitly removing the current directory from @INC, which
could lead to the execution of arbitrary code if cwd is unstrusted, as
demonstrated in the bugreport.

While analyzing the issue[2], it turns out that the issue is actually in
XSLoader, which uses caller() information to locate the .so file to
load. This can be incorrect if XSLoader::load() is called in a string
eval. The fix commited upstream is [3].

@MITRE: Could you please assign a CVE for this issue in XSLoader? Do
you think List::MoreUtils needs a separate CVE as well, despite the
underlying issue lying in XSLoader[4]?

Regards,
Salvatore

 [1] https://bugs.debian.org/829138
 [2] https://rt.cpan.org/Ticket/Display.html?id=115808
 [3] http://perl5.git.perl.org/perl.git/commitdiff/08e3451d7
 [4] https://bugs.debian.org/829578

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.