Date: Fri,  8 Jul 2016 10:07:10 -0400 (EDT)
From: cve-assign@...re.org
To: carnil@...ian.org
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: CVE Request: perl: XSLoader: could load shared library from incorrect location

> Jakub Wilk reported in [1] that the Perl module List::MoreUtils tried
> to load code from a subdirectory of the current working directory
> despite explicitly removing the current directory from @INC, which
> could lead to the execution of arbitrary code if cwd is untrusted, as
> demonstrated in the bug report.
> 
> While analyzing the issue[2], it turns out that the issue is actually in
> XSLoader, which uses caller() information to locate the .so file to
> load. This can be incorrect if XSLoader::load() is called in a string
> eval. The fix committed upstream is [3].
> 
> @MITRE: Could you please assign a CVE for this issue in XSLoader? Do
> you think List::MoreUtils needs a separate CVE as well, despite the
> underlying issue lying in XSLoader[4]?
> 
>  [1] https://bugs.debian.org/829138
>  [2] https://rt.cpan.org/Ticket/Display.html?id=115808
>  [3] http://perl5.git.perl.org/perl.git/commit/08e3451d7b3b714ad63a27f1b9c2a23ee75d15ee
>  [4] https://bugs.debian.org/829578

Use CVE-2016-6185 for the XSLoader vulnerability.

There is not currently a separate CVE for List::MoreUtils. As far as
we can tell, the "Sun Jul 03 14:20:04 2016" section of 115808 gives
possible reasons for List::MoreUtils to be fixed independently, but
doesn't directly argue that List::MoreUtils was responsible for a
vulnerability on its own. Actually, it might imply the opposite, with
the "Even if List::MoreUtils is not at fault, I think this patch is
helpful" wording.

-- 
CVE Assignment Team
M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
[ A PGP key is available for encrypted communications at
  http://cve.mitre.org/cve/request_id.html ]

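The cwd-loading problem discussed above can be checked for at runtime. The following audit script is an added example, not code from this thread, from perl core, or from List::MoreUtils: it loads an XS module and then verifies that every shared object DynaLoader recorded was resolved under an absolute @INC directory rather than under the current working directory. It assumes a Unix-like path layout and that the caller has already removed "." from @INC.

```perl
#!/usr/bin/perl
# Audit example (added here; not from the original thread or perl core):
# after loading XS modules, check that each shared object recorded by
# DynaLoader lives under a trusted @INC root, not under the cwd.
use strict;
use warnings;
use Cwd qw(getcwd abs_path);
use File::Spec;
require DynaLoader;   # @DynaLoader::dl_shared_objects is filled by XSLoader/DynaLoader

# Trusted roots: absolute @INC entries that exist and are not the cwd.
# Assumption: '.' was already stripped from @INC before this point.
my $cwd = abs_path(getcwd());
my @trusted = grep { defined $_ && File::Spec->file_name_is_absolute($_) && $_ ne $cwd }
              map  { -d $_ ? abs_path($_) : undef }
              grep { !ref $_ } @INC;

# True if $path resolves to a file strictly inside directory $dir.
sub under_dir {
    my ($path, $dir) = @_;
    my $p = abs_path($path) // return 0;
    return index($p, $dir . '/') == 0;
}

# Returns the shared objects that are NOT under any trusted @INC root,
# which is what a string-eval XSLoader::load() resolving relative to
# the cwd would produce.
sub suspicious_shared_objects {
    my @bad;
    for my $so (@DynaLoader::dl_shared_objects) {
        my $ok = grep { under_dir($so, $_) } @trusted;
        push @bad, $so unless $ok;
    }
    return @bad;
}

# Load an XS module that ships with perl, then audit what was mapped in.
require List::Util;

my @bad = suspicious_shared_objects();
if (@bad) {
    warn "shared object loaded outside trusted \@INC: $_\n" for @bad;
    exit 1;
}
printf "all %d shared objects resolved under trusted \@INC\n",
       scalar @DynaLoader::dl_shared_objects;
```

Run it from an untrusted directory (for instance a temporary directory containing an `auto/` subtree) to see whether any loaded `.so` is reported as resolving outside @INC.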