Bug 17861 - perl new security issue CVE-2016-2381
Summary: perl new security issue CVE-2016-2381
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 5
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/678148/
Whiteboard: has_procedure advisory MGA5-32-OK mga...
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2016-03-01 19:44 CET by David Walser
Modified: 2016-03-07 19:04 CET

See Also:
Source RPM: perl-5.22.1-2.mga6.src.rpm
CVE:
Status comment:



Description David Walser 2016-03-01 19:44:15 CET
Debian has issued an advisory today (March 1):
https://lists.debian.org/debian-security-announce/2016/msg00072.html

The DSA will be posted here:
https://www.debian.org/security/2016/dsa-3501

Mageia 5 is also affected.
David Walser 2016-03-01 19:44:22 CET

Whiteboard: (none) => MGA5TOO

Comment 1 Shlomi Fish 2016-03-04 11:27:28 CET
Hi all,

(In reply to David Walser from comment #0)
> Debian has issued an advisory today (March 1):
> https://lists.debian.org/debian-security-announce/2016/msg00072.html
> 
> The DSA will be posted here:
> https://www.debian.org/security/2016/dsa-3501
> 
> Mageia 5 is also affected.

my link foo is failing me - where can I find the patches for that? I need one for perl-5.22.1 and one for perl-5.20.1.

CC: (none) => shlomif

Comment 2 Shlomi Fish 2016-03-04 16:13:20 CET
(In reply to Shlomi Fish from comment #1)
> Hi all,
> 
> (In reply to David Walser from comment #0)
> > Debian has issued an advisory today (March 1):
> > https://lists.debian.org/debian-security-announce/2016/msg00072.html
> > 
> > The DSA will be posted here:
> > https://www.debian.org/security/2016/dsa-3501
> > 
> > Mageia 5 is also affected.
> 
> my link foo is failing me - where can I find the patches for that? I need
> one for perl-5.22.1 and one for perl-5.20.1.

Hi, I eventually found the relevant commits in the perl 5 core repository in the maint-* branches. This should be fixed in perl-5.22.1-3.mga6 on Cauldron and in perl-5.20.1-8.2.mga5 on mga v5 core/updates_testing. Now how to assign to QA?

Version: Cauldron => 5
Assignee: jquelin => bugsquad
Whiteboard: MGA5TOO => (none)

Comment 3 Shlomi Fish 2016-03-04 17:18:15 CET
Assigning to QA. I don't know where there's a test procedure - it's not here - http://web.archive.org/web/*/https://wiki.mageia.org/en/QA_procedure:Perl .

Assignee: bugsquad => qa-bugs

Comment 4 claire robinson 2016-03-04 18:03:51 CET
I can't find a PoC. There often is with perl CVEs.

Perl is used in all our tools so general use of MCC etc will be enough.
Comment 5 claire robinson 2016-03-04 18:04:34 CET
Could you list srpms/rpms please Shlomi so we know what to test. Thanks.
Comment 6 David Walser 2016-03-04 18:12:31 CET
I made a PoC myself :D  I'll post it and an advisory shortly.
Comment 7 David Walser 2016-03-04 18:17:12 CET
Thanks Shlomi!

I guess you missed my reply to you on the qa-discuss list, I gave you a link to Ubuntu's CVE page which has links to the upstream commit:
http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-2381.html

Also, you can find links there to the source page for Ubuntu's updated package, so that you can download the patches from their package.  In general, you can also find this for Debian or Ubuntu like this:
http://packages.debian.org/src:perl
http://packages.ubuntu.com/source/perl
Comment 8 David Walser 2016-03-04 18:17:25 CET
Advisory:
========================

Updated perl packages fix security vulnerability:

Stephane Chazelas discovered a bug in the environment handling in Perl. Perl
provides a Perl-space hash variable, %ENV, in which environment variables can
be looked up. If a variable appears twice in envp, only the last value would
appear in %ENV, but getenv would return the first. Perl's taint security
mechanism would be applied to the value in %ENV, but not to the other rest of
the environment. This could result in an ambiguous environment causing
environment variables to be propagated to subprocesses, despite the
protections supposedly offered by taint checking (CVE-206-2381).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2381
https://www.debian.org/security/2016/dsa-3501
========================

Updated packages in core/updates_testing:
========================
perl-5.20.1-8.2.mga5
perl-base-5.20.1-8.2.mga5
perl-devel-5.20.1-8.2.mga5
perl-doc-5.20.1-8.2.mga5

from perl-5.20.1-8.2.mga5.src.rpm
Comment 9 David Walser 2016-03-04 18:19:43 CET
Here's my PoC.

$ cat foo.pl
#!/usr/bin/env perl

$ENV{'foo'}=3;

system("sh -c 'echo \$foo'");

$ cat foo.c
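#define _GNU_SOURCE   /* execvpe() is a GNU extension */
#include <unistd.h>

int main() {
  /* envp deliberately carries the same name twice */
  char *argv[] = { "perl", "foo.pl", 0 };
  char *envp[] = { "foo=1", "foo=2", 0 };
  execvpe("perl", argv, envp);
  return 1;  /* only reached if exec fails */
}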

$ gcc foo.c
$ ./a.out
2
# install the updated perl packages
$ ./a.out
3

Whiteboard: (none) => has_procedure MGA5-32-OK
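
Added example, not part of the original bug report and not the upstream Perl patch: a C check that a launcher or test harness could run over an envp array to find names that occur more than once (the condition described in the advisory in comment 8 and built by the test case in comment 9) and to collapse them so that only the last value for each name remains. The function names and the sample environment are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Length of the name part of a "NAME=value" entry (up to '=' or end). */
static size_t env_name_len(const char *entry) {
    const char *eq = strchr(entry, '=');
    return eq ? (size_t)(eq - entry) : strlen(entry);
}

/* Nonzero if both entries carry the same variable name. */
static int same_name(const char *a, const char *b) {
    size_t n = env_name_len(a);
    return n == env_name_len(b) && strncmp(a, b, n) == 0;
}

/* Count entries whose name appears again later in envp. */
int count_duplicate_env(char *const envp[]) {
    int dups = 0;
    for (size_t i = 0; envp[i]; i++)
        for (size_t j = i + 1; envp[j]; j++)
            if (same_name(envp[i], envp[j])) { dups++; break; }
    return dups;
}

/* Compact envp in place, keeping only the last entry for each name.
 * Returns the number of entries kept. */
size_t dedupe_env(char *envp[]) {
    size_t out = 0;
    for (size_t i = 0; envp[i]; i++) {
        int shadowed = 0;
        for (size_t j = i + 1; envp[j]; j++)
            if (same_name(envp[i], envp[j])) { shadowed = 1; break; }
        if (!shadowed)
            envp[out++] = envp[i];   /* out <= i, so later entries are intact */
    }
    envp[out] = NULL;
    return out;
}

int main(void) {
    /* Constructed sample: same shape as the envp in the test case above. */
    char *envp[] = { "foo=1", "PATH=/usr/bin", "foo=2", NULL };
    printf("duplicates: %d\n", count_duplicate_env(envp));
    size_t kept = dedupe_env(envp);
    for (size_t i = 0; i < kept; i++)
        puts(envp[i]);
    return 0;
}
```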

Comment 10 Shlomi Fish 2016-03-04 18:24:51 CET
Thanks, David and Claire!
Comment 11 claire robinson 2016-03-07 14:11:39 CET
Testing complete mga5 64 using David's v.good testcase in comment 9

Before
------
$ gcc foo.c
$ ./a.out 
2

After
-----
$ ./a.out 
3

No regression noticed in MCC or everything else.

Validating.

Keywords: (none) => validated_update
Whiteboard: has_procedure MGA5-32-OK => has_procedure MGA5-32-OK mga5-64-ok
CC: (none) => sysadmin-bugs

Comment 12 claire robinson 2016-03-07 14:14:57 CET
Advisory uploaded.

Whiteboard: has_procedure MGA5-32-OK mga5-64-ok => has_procedure advisory MGA5-32-OK mga5-64-ok

Comment 13 claire robinson 2016-03-07 14:15:52 CET
corrected cve typo too.
Comment 14 Mageia Robot 2016-03-07 19:04:25 CET
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2016-0099.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

