Date: Fri, 8 Jul 2016 10:07:10 -0400 (EDT) From: cve-assign@...re.org To: carnil@...ian.org Cc: cve-assign@...re.org, oss-security@...ts.openwall.com Subject: Re: CVE Request: perl: XSLoader: could load shared library from incorrect location -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 > Jakub Wilk reported in  that the Perl module List::MoreUtils tried > to load code from a subdirectory of the current working directory > despite explicitly removing the current directory from @INC, which > could lead to the execution of arbitrary code if cwd is untrusted, as > demonstrated in the bugreport. > > While analyzing the issue, it turns out that the issue is actually in > XSLoader, which uses caller() information to locate the .so file to > load. This can be incorrect if XSLoader::load() is called in a string > eval. The fix commited upstream is . > > @MITRE: Could you please assign a CVE for this issue in XSLoader? Do > you think List::MoreUtils needs a separate CVE as well, despite the > underlying issue lying in XSLoader? > >  https://bugs.debian.org/829138 >  https://rt.cpan.org/Ticket/Display.html?id=115808 >  http://perl5.git.perl.org/perl.git/commit/08e3451d7b3b714ad63a27f1b9c2a23ee75d15ee >  https://bugs.debian.org/829578 Use CVE-2016-6185 for the XSLoader vulnerability. There is not currently a separate CVE for List::MoreUtils. As far as we can tell, the "Sun Jul 03 14:20:04 2016" section of 115808 gives possible reasons for List::MoreUtils to be fixed independently, but doesn't directly argue that List::MoreUtils was responsible for a vulnerability on its own. Actually, it might imply the opposite, with the "Even if List::MoreUtils is not at fault, I think this patch is helpful" wording. - -- CVE Assignment Team M/S M300, 202 Burlington Road, Bedford, MA 01730 USA [ A PGP key is available for encrypted communications at http://cve.mitre.org/cve/request_id.html ] -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIcBAEBCAAGBQJXf7JGAAoJEHb/MwWLVhi2cTEP/3GVbvUCtrt1qhknJqIsOkBk hM6MiFHbF2Au0x3BoLT982ivdZmzTHSWgFzJhmEqo59Q3tbfvtsBsrqxmjaDhKoM 6JQHbafMtd9HsgPfn6lzd20nWDc8Z+TW+yPigWT9cnXWJ+GGqGtU4shE/Bd0RWqU SHuO5TVA4veZdcXyUNlmGxar7NtEbjH2/Yfa10hE3CgRyWSKc8xZBP68/qNKSGnU E+dP4G1nbB/8KTlDXB7JcWGiqWXI704h0PoAbgTD4v/JizZmz4gZWoKgoeXfukOf SMES/QmVH8sEUIjgwstuf0VPjzQlJ+yLHDzJspODtCeGNvgcmZCA/O0HY0oQjpLA W8+EWNhkMS6j641owiNwhgok2xpWe39crqK1EzIBWcZijByTB7SZwDcuvzxq8rhH st3k10lF+VT26t4e8D6wFSi44xld+Qc2ngIUMAyrGmEp01p3jppnnpAMtpSpKRQ4 hJN19AkiIAyMPIEHbuv19yMvWYnfBu34rW3ZleYsl1ZTqPz8wxTdsbthYfhPz1L7 NauVi4xlVKYqNrD8O4hV0OFolYXzn8o5WKVWaSby+nszL/mELzQCPlog5QUnqmSy 5+Pl5a7Ae8eZCAlsI8iuvDBcFeMHzNojHIJEk0m06riTB3uiDug9X5Cgp7QZ6AbN T5OSd5vKksMXgbMqIKIi =NaWX -----END PGP SIGNATURE-----
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.