Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Fri,  8 Jul 2016 10:07:10 -0400 (EDT)
From: cve-assign@...re.org
To: carnil@...ian.org
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: CVE Request: perl: XSLoader: could load shared library from incorrect location

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

> Jakub Wilk reported in [1] that the Perl module List::MoreUtils tried
> to load code from a subdirectory of the current working directory
> despite explicitly removing the current directory from @INC, which
> could lead to the execution of arbitrary code if cwd is untrusted, as
> demonstrated in the bugreport.
> 
> While analyzing the issue[2], it turns out that the issue is actually in
> XSLoader, which uses caller() information to locate the .so file to
> load. This can be incorrect if XSLoader::load() is called in a string
> eval. The fix commited upstream is [3].
> 
> @MITRE: Could you please assign a CVE for this issue in XSLoader? Do
> you think List::MoreUtils needs a separate CVE as well, despite the
> underlying issue lying in XSLoader[4]?
> 
>  [1] https://bugs.debian.org/829138
>  [2] https://rt.cpan.org/Ticket/Display.html?id=115808
>  [3] http://perl5.git.perl.org/perl.git/commit/08e3451d7b3b714ad63a27f1b9c2a23ee75d15ee
>  [4] https://bugs.debian.org/829578

Use CVE-2016-6185 for the XSLoader vulnerability.

There is not currently a separate CVE for List::MoreUtils. As far as
we can tell, the "Sun Jul 03 14:20:04 2016" section of 115808 gives
possible reasons for List::MoreUtils to be fixed independently, but
doesn't directly argue that List::MoreUtils was responsible for a
vulnerability on its own. Actually, it might imply the opposite, with
the "Even if List::MoreUtils is not at fault, I think this patch is
helpful" wording.

- -- 
CVE Assignment Team
M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
[ A PGP key is available for encrypted communications at
  http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJXf7JGAAoJEHb/MwWLVhi2cTEP/3GVbvUCtrt1qhknJqIsOkBk
hM6MiFHbF2Au0x3BoLT982ivdZmzTHSWgFzJhmEqo59Q3tbfvtsBsrqxmjaDhKoM
6JQHbafMtd9HsgPfn6lzd20nWDc8Z+TW+yPigWT9cnXWJ+GGqGtU4shE/Bd0RWqU
SHuO5TVA4veZdcXyUNlmGxar7NtEbjH2/Yfa10hE3CgRyWSKc8xZBP68/qNKSGnU
E+dP4G1nbB/8KTlDXB7JcWGiqWXI704h0PoAbgTD4v/JizZmz4gZWoKgoeXfukOf
SMES/QmVH8sEUIjgwstuf0VPjzQlJ+yLHDzJspODtCeGNvgcmZCA/O0HY0oQjpLA
W8+EWNhkMS6j641owiNwhgok2xpWe39crqK1EzIBWcZijByTB7SZwDcuvzxq8rhH
st3k10lF+VT26t4e8D6wFSi44xld+Qc2ngIUMAyrGmEp01p3jppnnpAMtpSpKRQ4
hJN19AkiIAyMPIEHbuv19yMvWYnfBu34rW3ZleYsl1ZTqPz8wxTdsbthYfhPz1L7
NauVi4xlVKYqNrD8O4hV0OFolYXzn8o5WKVWaSby+nszL/mELzQCPlog5QUnqmSy
5+Pl5a7Ae8eZCAlsI8iuvDBcFeMHzNojHIJEk0m06riTB3uiDug9X5Cgp7QZ6AbN
T5OSd5vKksMXgbMqIKIi
=NaWX
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.