Bug 18894

Summary: perl, perl-XSLoader new security issue CVE-2016-6185
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: davidwhodgins, sysadmin-bugs, tarazed25
Version: 5Keywords: validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/694785/
Whiteboard: advisory MGA5-32-OK
Source RPM: perl-5.20.1-8.3.mga5.src.rpm, perl-XSLoader-0.160.0-7.mga5.src.rpm CVE:
Status comment:
Attachments: Inconclusive attempt to exercise a PoC
Inconclusive attempt to run a PoC
Attempt to run a PoC

Description David Walser 2016-07-08 16:21:17 CEST 
A CVE has been assigned for a security issue fixed upstream in perl-XSLoader:
http://openwall.com/lists/oss-security/2016/07/08/5

XSLoader is also bundled in perl itself, so both need to be patched.

I uploaded patched packages for Cauldron yesterday and checked the patches into Mageia 5 SVN.  All that needs done now is pushing the builds and writing the advisory.
Comment 1 David Walser 2016-07-19 16:35:12 CEST 
Fedora has issued an advisory for this on July 18:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/5RFDMASVZLFZYBB2GNTZXU6I76E4NA4V/

URL: (none) => http://lwn.net/Vulnerabilities/694785/

Comment 3 David Walser 2016-07-20 15:01:42 CEST 
Patched packages uploaded for Mageia 5.

Advisory:
========================

Updated perl-XSLoader and perl packages fix security vulnerability:

An arbitrary code execution can be achieved if loading code from untrusted
current working directory despite the '.' is removed from @INC. Vulnerability
is in XSLoader that uses caller() information to locate .so file to load. If
malicious attacker creates directory named `(eval 1)` with malicious binary
file in it, it will be loaded if the package calling XSLoader is in parent
directory (CVE-2016-6185).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6185
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/ITYZJXQH24X2F2LAOQEQAC5KXLYJTJ76/
========================

Updated packages in core/updates_testing:
========================
perl-XSLoader-0.160.0-7.1.mga5
perl-5.20.1-8.4.mga5
perl-base-5.20.1-8.4.mga5
perl-devel-5.20.1-8.4.mga5
perl-doc-5.20.1-8.4.mga5

from SRPMS:
perl-XSLoader-0.160.0-7.1.mga5.src.rpm
perl-5.20.1-8.4.mga5.src.rpm

Assignee: jquelin => qa-bugs

Comment 4 David Walser 2016-07-24 00:01:49 CEST 
The patches added a test to the test suite, which is run for both packages, so an install/upgrade test should be sufficient.
Comment 5 Len Lawrence 2016-08-12 20:06:11 CEST 
Testing on x86_64

Found a link to a PoC in CVE-2016-6185 and attempted to use it but found it difficult to understand so cannot draw any conclusions from it.  See attached report.

Installed perl-XSLoader, tried the PoC and updated the packages.  Ran the PoC again.
No conclusions.  Cannot tell if the updated XSLoader is ignoring relative paths.

However, clean install, and according to David that runs a self-test.

CC: (none) => tarazed25

Comment 6 Len Lawrence 2016-08-12 20:08:20 CEST 
Created attachment 8339 [details]
Inconclusive attempt to exercise a PoC
Comment 7 Len Lawrence 2016-08-12 20:11:04 CEST 
Created attachment 8340 [details]
Inconclusive attempt to run a PoC

Attachment 8339 is obsolete: 0 => 1

Comment 8 Len Lawrence 2016-08-12 20:15:03 CEST 
Created attachment 8341 [details]
Attempt to run a PoC

Attachment 8340 is obsolete: 0 => 1

Comment 9 Dave Hodgins 2016-09-07 04:01:20 CEST 
Validating based on the self test passing.

Keywords: (none) => validated_update
Whiteboard: (none) => advisory MGA5-32-OK
CC: (none) => davidwhodgins, sysadmin-bugs

Comment 10 Mageia Robot 2016-09-16 11:27:59 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2016-0299.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED

Comment 11 David Walser 2016-09-28 18:06:05 CEST 
The perl package was not pushed because it was not listed in the advisory in SVN.

Status: RESOLVED => REOPENED
Resolution: FIXED => (none)

Comment 12 David Walser 2016-09-28 20:24:50 CEST 
perl package was just pushed by Nicolas.  Thanks!

Status: REOPENED => RESOLVED
Resolution: (none) => FIXED