http://perl5.git.perl.org/perl.git/commitdiff/08e3451d7

DSA-3628

[oss-security] 20160707 CVE Request: perl: XSLoader: could load shared library from incorrect location

[oss-security] 20160708 Re: CVE Request: perl: XSLoader: could load shared library from incorrect location

http://www.oracle.com/technetwork/topics/security/bulletinjul2016-3090568.html

91685

1036260

FEDORA-2016-742bde2be7

FEDORA-2016-485dff6060

FEDORA-2016-eb2592245b

https://rt.cpan.org/Public/Bug/Display.html?id=115808

GLSA-201701-75

USN-3625-1

USN-3625-2

According to the versions of the perl packages installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities :

  - The XSLoader::load method in XSLoader in Perl does not     properly locate .so files when called in a string eval,     which might allow local users to execute arbitrary code     via a Trojan horse library under the current working     directory.(CVE-2016-6185)

  - The Dumper method in Data::Dumper before 2.154, as used     in Perl 5.20.1 and earlier, allows context-dependent     attackers to cause a denial of service (stack     consumption and crash) via an Array-Reference with many     nested Array-References, which triggers a large number     of recursive calls to the DD_dump     function.(CVE-2014-4330)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the perl packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities :

  - Integer underflow in regcomp.c in Perl before 5.20, as     used in Apple OS X before 10.10.5 and other products,     allows context-dependent attackers to execute arbitrary     code or cause a denial of service (application crash)     via a long digit string associated with an invalid     backreference within a regular     expression.(CVE-2013-7422)

  - 1) cpan/Archive-Tar/bin/ptar, (2)     cpan/Archive-Tar/bin/ptardiff, (3)     cpan/Archive-Tar/bin/ptargrep, (4)     cpan/CPAN/scripts/cpan, (5) cpan/Digest-SHA/shasum, (6)     cpan/Encode/bin/enc2xs, (7) cpan/Encode/bin/encguess,     (8) cpan/Encode/bin/piconv, (9)     cpan/Encode/bin/ucmlint, (10) cpan/Encode/bin/unidump,     (11) cpan/ExtUtils-MakeMaker/bin/instmodsh, (12)     cpan/IO-Compress/bin/zipdetails, (13)     cpan/JSON-PP/bin/json_pp, (14)     cpan/Test-Harness/bin/prove, (15)     dist/ExtUtils-ParseXS/lib/ExtUtils/xsubpp, (16)     dist/Module-CoreList/corelist, (17)     ext/Pod-Html/bin/pod2html, (18) utils/c2ph.PL, (19)     utils/h2ph.PL, (20) utils/h2xs.PL, (21)     utils/libnetcfg.PL, (22) utils/perlbug.PL, (23)     utils/perldoc.PL, (24) utils/perlivp.PL, and (25)     utils/splain.PL in Perl 5.x before 5.22.3-RC2 and 5.24     before 5.24.1-RC2 do not properly remove . (period)     characters from the end of the includes directory     array, which might allow local users to gain privileges     via a Trojan horse module under the current working     directory.(CVE-2016-1238)

  - The XSLoader::load method in XSLoader in Perl does not     properly locate .so files when called in a string eval,     which might allow local users to execute arbitrary code     via a Trojan horse library under the current working     directory.(CVE-2016-6185)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the version of the perl packages installed, the EulerOS installation on the remote host is affected by the following vulnerability :

  - The XSLoader::load method in XSLoader in Perl does not     properly locate .so files when called in a string eval,     which might allow local users to execute arbitrary code     via a Trojan horse library under the current working     directory.(CVE-2016-6185)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the perl packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - The (1) S_reghop3, (2) S_reghop4, and (3)     S_reghopmaybe3 functions in regexec.c in Perl before     5.24.0 allow context-dependent attackers to cause a     denial of service (infinite loop) via crafted utf-8     data, as demonstrated by 'a\x80.'(CVE-2015-8853)

  - The XSLoader::load method in XSLoader in Perl does not     properly locate .so files when called in a string eval,     which might allow local users to execute arbitrary code     via a Trojan horse library under the current working     directory.(CVE-2016-6185)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

It was discovered that Perl incorrectly handled certain regular expressions. An attacker could possibly use this issue to cause Perl to hang, resulting in a denial of service. This issue only affected Ubuntu 14.04 LTS. (CVE-2015-8853)

It was discovered that Perl incorrectly loaded libraries from the current working directory. A local attacker could possibly use this issue to execute arbitrary code. This issue only affected Ubuntu 14.04 LTS and Ubuntu 16.04 LTS. (CVE-2016-6185)

It was discovered that Perl incorrectly handled the rmtree and remove_tree functions. A local attacker could possibly use this issue to set the mode on arbitrary files. This issue only affected Ubuntu 14.04 LTS and Ubuntu 16.04 LTS. (CVE-2017-6512)

Brian Carpenter discovered that Perl incorrectly handled certain regular expressions. An attacker could use this issue to cause Perl to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue has only been addressed in Ubuntu 16.04 LTS and Ubuntu 17.10. (CVE-2018-6797)

Nguyen Duc Manh discovered that Perl incorrectly handled certain regular expressions. An attacker could use this issue to cause Perl to crash, resulting in a denial of service. This issue only affected Ubuntu 16.04 LTS and Ubuntu 17.10. (CVE-2018-6798)

GwanYeong Kim discovered that Perl incorrectly handled certain data when using the pack function. An attacker could use this issue to cause Perl to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2018-6913).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote host is affected by the vulnerability described in GLSA-201701-75 (Perl: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in Perl. Please review the       CVE identifiers referenced below for details.
  Impact :

    A remote attacker could possibly execute arbitrary code with the       privileges of the process, cause a Denial of Service condition, or       escalate privileges.
  Workaround :

    There is no known workaround at this time.

This update for Perl fixes the following issues :

  - CVE-2016-6185: Xsloader looking at a '(eval)' directory.
    (bsc#988311)

  - CVE-2016-1238: Searching current directory for optional     modules. (bsc#987887)

  - CVE-2015-8853: Regular expression engine hanging on bad     utf8. (bsc)

  - CVE-2016-2381: Environment dup handling bug.
    (bsc#967082)

  - 'Insecure dependency in require' error in taint mode.
    (bsc#984906)

  - Memory leak in 'use utf8' handling. (bsc#928292)

  - Missing lock prototype to the debugger. (bsc#932894)

This update was imported from the SUSE:SLE-12:Update update project.

This update for Perl fixes the following issues :

  - CVE-2016-6185: Xsloader looking at a '(eval)' directory.
    (bsc#988311)

  - CVE-2016-1238: Searching current directory for optional     modules. (bsc#987887)

  - CVE-2015-8853: Regular expression engine hanging on bad     utf8. (bsc)

  - CVE-2016-2381: Environment dup handling bug.
    (bsc#967082)

  - 'Insecure dependency in require' error in taint mode.
    (bsc#984906)

  - Memory leak in 'use utf8' handling. (bsc#928292)

  - Missing lock prototype to the debugger. (bsc#932894)

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for perl fixes the following issues :

  - CVE-2016-6185: xsloader looking at a '(eval)' directory     [bsc#988311]

  - CVE-2016-1238: searching current directory for optional     modules [bsc#987887]

  - CVE-2015-8853: regex engine hanging on bad utf8     [bnc976584]

  - CVE-2016-2381: environment dup handling bug [bsc#967082]

  - perl panic with utf8_mg_pos_cache_update [bsc#929027]

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Jakub Wilk reports :

XSLoader tries to load code from a subdirectory in the cwd when called inside a string eval

Multiple vulnerabilities were discovered in the implementation of the Perl programming language. The Common Vulnerabilities and Exposures project identifies the following problems :

CVE-2016-1238

John Lightsey and Todd Rinaldo reported that the opportunistic loading of optional modules can make many programs unintentionally load code from the current working directory (which might be changed to another directory without the user realising) and potentially leading to privilege escalation, as demonstrated in Debian with certain combinations of installed packages.

The problem relates to Perl loading modules from the includes directory array ('@INC') in which the last element is the current directory ('.'). That means that, when 'perl' wants to load a module (during first compilation or during lazy loading of a module in run- time), perl will look for the module in the current directory at the end, since '.' is the last include directory in its array of include directories to seek. The issue is with requiring libraries that are in '.' but are not otherwise installed.

With this update several modules which are known to be vulnerable are updated to not load modules from current directory.

Additionally the update allows configurable removal of '.' from @INC in /etc/perl/sitecustomize.pl for a transitional period. It is recommended to enable this setting if the possible breakage for a specific site has been evaluated.
Problems in packages provided in Debian resulting from the switch to the removal of '.' from @INC should be reported to the Perl maintainers at perl@packages.debian.org .

CVE-2016-6185

It was discovered that XSLoader, a core module from Perl to dynamically load C libraries into Perl code, could load shared library from incorrect location. XSLoader uses caller() information to locate the .so file to load. This can be incorrect if XSLoader::load() is called in a string eval. An attacker can take advantage of this flaw to execute arbitrary code.

For Debian 7 'Wheezy', these problems have been fixed in version 5.14.2-21+deb7u4.

We recommend that you upgrade your perl packages.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Multiple vulnerabilities were discovered in the implementation of the Perl programming language. The Common Vulnerabilities and Exposures project identifies the following problems :

  - CVE-2016-1238     John Lightsey and Todd Rinaldo reported that the     opportunistic loading of optional modules can make many     programs unintentionally load code from the current     working directory (which might be changed to another     directory without the user realising) and potentially     leading to privilege escalation, as demonstrated in     Debian with certain combinations of installed packages.

  The problem relates to Perl loading modules from the includes   directory array ('@INC') in which the last element is the current   directory ('.'). That means that, when 'perl' wants to load a module   (during first compilation or during lazy loading of a module in run   time), perl will look for the module in the current directory at the   end, since '.' is the last include directory in its array of include   directories to seek. The issue is with requiring libraries that are   in '.' but are not otherwise installed.

  With this update several modules which are known to be vulnerable   are updated to not load modules from current directory.

  Additionally the update allows configurable removal of '.' from @INC   in /etc/perl/sitecustomize.pl for a transitional period. It is   recommended to enable this setting if the possible breakage for a   specific site has been evaluated. Problems in packages provided in   Debian resulting from the switch to the removal of '.' from @INC   should be reported to the Perl maintainers at   perl@packages.debian.org .

  It is planned to switch to the default removal of '.' in @INC in a   subsequent update to perl via a point release if possible, and in   any case for the upcoming stable release Debian 9 (stretch).

  - CVE-2016-6185     It was discovered that XSLoader, a core module from Perl     to dynamically load C libraries into Perl code, could     load shared library from incorrect location. XSLoader     uses caller() information to locate the .so file to     load. This can be incorrect if XSLoader::load() is     called in a string eval. An attacker can take advantage     of this flaw to execute arbitrary code.

This fixes CVE-2016-6185 vulnerability (do not let XSLoader load relative paths).

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Severity
136230	EulerOS Virtualization for ARM 64 3.0.2.0 : perl (EulerOS-SA-2020-1527)	Nessus	Huawei Local Security Checks	medium
135638	EulerOS Virtualization 3.0.2.2 : perl (EulerOS-SA-2020-1476)	Nessus	Huawei Local Security Checks	high
133923	EulerOS 2.0 SP5 : perl (EulerOS-SA-2020-1122)	Nessus	Huawei Local Security Checks	medium
129228	EulerOS 2.0 SP3 : perl (EulerOS-SA-2019-2035)	Nessus	Huawei Local Security Checks	medium
109086	Ubuntu 14.04 LTS / 16.04 LTS / 17.10 : Perl vulnerabilities (USN-3625-1)	Nessus	Ubuntu Local Security Checks	high
96861	GLSA-201701-75 : Perl: Multiple vulnerabilities	Nessus	Gentoo Local Security Checks	high
93583	openSUSE Security Update : perl (openSUSE-2016-1086)	Nessus	SuSE Local Security Checks	high
93437	SUSE SLED12 / SLES12 Security Update : perl (SUSE-SU-2016:2263-1)	Nessus	SuSE Local Security Checks	high
93371	SUSE SLES11 Security Update : perl (SUSE-SU-2016:2246-1)	Nessus	SuSE Local Security Checks	high
92739	FreeBSD : p5-XSLoader -- local arbitrary code execution (3e08047f-5a6c-11e6-a6c3-14dae9d210b8)	Nessus	FreeBSD Local Security Checks	medium
92613	Debian DLA-565-1 : perl security update	Nessus	Debian Local Security Checks	high
92548	Debian DSA-3628-1 : perl - security update	Nessus	Debian Local Security Checks	high
92388	Fedora 23 : 4:perl (2016-742bde2be7)	Nessus	Fedora Local Security Checks	medium
92386	Fedora 24 : 4:perl (2016-485dff6060)	Nessus	Fedora Local Security Checks	medium
92335	Fedora 22 : 4:perl (2016-eb2592245b)	Nessus	Fedora Local Security Checks	medium

CVE-2016-6185

MEDIUM

Description

References

Details

Risk Information

CVSS v2.0

CVSS v3.0

Vulnerable Software

Configuration 1

Configuration 2

Configuration 3

Configuration 4

Configuration 5

Tenable Plugins

medium

high

medium

medium

high

high

high

high

high

medium

high

high

medium

medium

medium