Date: Fri, 8 Jul 2016 10:07:10 -0400 (EDT)
From: cve-assign@...re.org
To: carnil@...ian.org
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: CVE Request: perl: XSLoader: could load shared library from incorrect location

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

> Jakub Wilk reported in  that the Perl module List::MoreUtils tried
> to load code from a subdirectory of the current working directory
> despite explicitly removing the current directory from @INC, which
> could lead to the execution of arbitrary code if cwd is untrusted, as
> demonstrated in the bug report.
>
> While analyzing the issue, it turns out that the issue is actually in
> XSLoader, which uses caller() information to locate the .so file to
> load. This can be incorrect if XSLoader::load() is called in a string
> eval. The fix committed upstream is .
>
> @MITRE: Could you please assign a CVE for this issue in XSLoader? Do
> you think List::MoreUtils needs a separate CVE as well, despite the
> underlying issue lying in XSLoader?
>
>  https://bugs.debian.org/829138
>  https://rt.cpan.org/Ticket/Display.html?id=115808
>  http://perl5.git.perl.org/perl.git/commit/08e3451d7b3b714ad63a27f1b9c2a23ee75d15ee
>  https://bugs.debian.org/829578

Use CVE-2016-6185 for the XSLoader vulnerability.

There is not currently a separate CVE for List::MoreUtils. As far as we
can tell, the "Sun Jul 03 14:20:04 2016" section of 115808 gives possible
reasons for List::MoreUtils to be fixed independently, but doesn't
directly argue that List::MoreUtils was responsible for a vulnerability
on its own. Actually, it might imply the opposite, with the "Even if
List::MoreUtils is not at fault, I think this patch is helpful" wording.
-- 
CVE Assignment Team
M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
[ A PGP key is available for encrypted communications at
  http://cve.mitre.org/cve/request_id.html ]
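The caller()-based lookup the request describes, shown as an added Perl illustration that is not code from this thread, from perl core or from List::MoreUtils: the path derivation is a simplified stand-in for what a loader does (an assumption, not XSLoader's exact code), and the install path under /usr/lib/perl5 is constructed.

```perl
#!/usr/bin/perl
# Added illustration (not from the mail or perl core): why deriving a
# shared-object path from caller() goes wrong inside a string eval.
use strict;
use warnings;
use File::Spec;

# Simplified stand-in (assumption) for a loader that builds
# "<libdir>/auto/<Mod/Path>/<Leaf>.so" from the module name and the file
# caller() says the load was requested from.
sub so_path_from_caller_file {
    my ($module, $caller_file) = @_;
    my @parts  = split /::/, $module, -1;
    my $libdir = $caller_file;
    $libdir =~ s{[\\/][^\\/]+$}{} for @parts;   # drop one dir per name part
    return join '/', $libdir, 'auto', @parts, "$parts[-1].so";
}

# caller() reports the file of the statement that called us. Reached from
# a string eval, that "file" is a pseudo name such as "(eval 1)".
sub caller_file { return (caller)[1] }
my $in_eval = eval q{ caller_file() };   # "(eval N)", not a real path

# Defender's check: a derived path that is not absolute is resolved under
# the current working directory, which must never decide what gets loaded.
sub classify_so_path {
    my ($so) = @_;
    return File::Spec->file_name_is_absolute($so)
        ? 'absolute: stays inside the install tree'
        : 'RELATIVE: would be resolved under cwd, refuse to load';
}

my %cases = (
    'called from the .pm on disk (constructed path)' => '/usr/lib/perl5/List/MoreUtils.pm',
    'called from inside a string eval'                => $in_eval,
);
for my $label (sort keys %cases) {
    my $so = so_path_from_caller_file('List::MoreUtils', $cases{$label});
    printf "%-48s -> %s\n%-48s    %s\n", $label, $so, '', classify_so_path($so);
}

# Safer anchor than caller(): the path %INC recorded when the module was
# loaded via @INC (illustrative alternative, not the upstream fix).
sub so_path_from_inc {
    my ($module) = @_;
    (my $key = "$module.pm") =~ s{::}{/}g;
    my $pm = $INC{$key} or die "$module is not loaded\n";
    return so_path_from_caller_file($module, $pm);
}
```

The first case yields /usr/lib/perl5/auto/List/MoreUtils/MoreUtils.so; the eval case yields "(eval 1)/auto/List/MoreUtils/MoreUtils.so", a relative path that the check flags.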