Debian has issued an advisory today (March 1):
https://lists.debian.org/debian-security-announce/2016/msg00072.html

The DSA will be posted here:
https://www.debian.org/security/2016/dsa-3501

Mageia 5 is also affected.
Whiteboard: (none) => MGA5TOO
Hi all,

(In reply to David Walser from comment #0)
> Debian has issued an advisory today (March 1):
> https://lists.debian.org/debian-security-announce/2016/msg00072.html
>
> The DSA will be posted here:
> https://www.debian.org/security/2016/dsa-3501
>
> Mageia 5 is also affected.

my link foo is failing me - where can I find the patches for that? I need one for perl-5.22.1 and one for perl-5.20.1.
CC: (none) => shlomif
(In reply to Shlomi Fish from comment #1)
> Hi all,
>
> (In reply to David Walser from comment #0)
> > Debian has issued an advisory today (March 1):
> > https://lists.debian.org/debian-security-announce/2016/msg00072.html
> >
> > The DSA will be posted here:
> > https://www.debian.org/security/2016/dsa-3501
> >
> > Mageia 5 is also affected.
>
> my link foo is failing me - where can I find the patches for that? I need
> one for perl-5.22.1 and one for perl-5.20.1.

Hi, I eventually found the relevant commits in the perl 5 core repository in the maint-* branches. This should be fixed in perl-5.22.1-3.mga6 on Cauldron and in perl-5.20.1-8.2.mga5 on mga v5 core/updates_testing. Now how to assign to QA?
Version: Cauldron => 5
Assignee: jquelin => bugsquad
Whiteboard: MGA5TOO => (none)
Assigning to QA. I don't know where there's a test procedure - it's not here - http://web.archive.org/web/*/https://wiki.mageia.org/en/QA_procedure:Perl .
Assignee: bugsquad => qa-bugs
I can't find a PoC. There often is with Perl CVEs. Perl is used in all our tools, so general use of MCC etc. will be enough.
Could you list srpms/rpms please Shlomi so we know what to test. Thanks.
I made a PoC myself :D I'll post it and an advisory shortly.
Thanks Shlomi! I guess you missed my reply to you on the qa-discuss list, I gave you a link to Ubuntu's CVE page which has links to the upstream commit:
http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-2381.html

Also, you can find links there to the source page for Ubuntu's updated package, so that you can download the patches from their package. In general, you can also find this for Debian or Ubuntu like this:
http://packages.debian.org/src:perl
http://packages.ubuntu.com/source/perl
Advisory:
========================

Updated perl packages fix security vulnerability:

Stephane Chazelas discovered a bug in the environment handling in Perl. Perl provides a Perl-space hash variable, %ENV, in which environment variables can be looked up. If a variable appears twice in envp, only the last value would appear in %ENV, but getenv would return the first. Perl's taint security mechanism would be applied to the value in %ENV, but not to the other rest of the environment. This could result in an ambiguous environment causing environment variables to be propagated to subprocesses, despite the protections supposedly offered by taint checking (CVE-206-2381).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2381
https://www.debian.org/security/2016/dsa-3501
========================

Updated packages in core/updates_testing:
========================
perl-5.20.1-8.2.mga5
perl-base-5.20.1-8.2.mga5
perl-devel-5.20.1-8.2.mga5
perl-doc-5.20.1-8.2.mga5

from perl-5.20.1-8.2.mga5.src.rpm
Here's my PoC.

$ cat foo.pl
#!/usr/bin/env perl
$ENV{'foo'}=3;
system("sh -c 'echo \$foo'");
$ cat foo.c
#define _GNU_SOURCE   /* execvpe() is a GNU extension */
#include <unistd.h>

int main() {
    char *argv[] = { "perl", "foo.pl", 0 };
    /* the same variable name appears twice in the environment */
    char *envp[] = { "foo=1", "foo=2", 0 };
    execvpe("perl", argv, envp);
}
$ gcc foo.c
$ ./a.out
2
# install the updated perl packages
$ ./a.out
3
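The duplicate-name condition described in the advisory above, as an added example (not part of the original thread and not Perl's actual fix): it counts names that occur more than once in an envp array and collapses them so that a first-match lookup and a last-wins lookup agree. The function names and the sample envp are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
/* Length of the NAME part of a "NAME=value" entry. */
static size_t name_len(const char *entry) {
    const char *eq = strchr(entry, '=');
    return eq ? (size_t)(eq - entry) : strlen(entry);
}

static int same_name(const char *a, const char *b) {
    size_t n = name_len(a);
    return n == name_len(b) && strncmp(a, b, n) == 0;
}

/* First-match lookup, the behaviour the advisory describes for getenv. */
const char *first_match(char *const envp[], const char *name) {
    size_t n = strlen(name);
    for (size_t i = 0; envp[i]; i++)
        if (name_len(envp[i]) == n && strncmp(envp[i], name, n) == 0)
            return envp[i][n] == '=' ? envp[i] + n + 1 : "";
    return NULL;
}

/* Number of entries shadowed by a later entry with the same name. */
size_t count_shadowed(char *const envp[]) {
    size_t shadowed = 0;
    for (size_t i = 0; envp[i]; i++)
        for (size_t j = i + 1; envp[j]; j++)
            if (same_name(envp[i], envp[j])) { shadowed++; break; }
    return shadowed;
}

/* Compact envp in place, keeping only the LAST entry per name; returns new count. */
size_t dedup_keep_last(char *envp[]) {
    size_t out = 0;
    for (size_t i = 0; envp[i]; i++) {
        size_t j = i + 1;
        while (envp[j] && !same_name(envp[i], envp[j])) j++;
        if (!envp[j]) envp[out++] = envp[i];   /* no later duplicate */
    }
    envp[out] = NULL;
    return out;
}

int main(void) {
    char *envp[] = { "foo=1", "PATH=/usr/bin", "foo=2", NULL };  /* constructed sample */
    printf("shadowed=%zu first=%s\n", count_shadowed(envp), first_match(envp, "foo"));
    size_t kept = dedup_keep_last(envp);
    printf("kept=%zu first=%s\n", kept, first_match(envp, "foo"));
}
```

A non-zero result from count_shadowed on an inherited environment is the ambiguous state the advisory describes and is worth logging before any subprocess is spawned.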
Whiteboard: (none) => has_procedure MGA5-32-OK
Thanks, David and Claire!
Testing complete mga5 64 using David's v.good testcase in comment 9

Before
------
$ gcc foo.c
$ ./a.out
2

After
-----
$ ./a.out
3

No regression noticed in MCC or everything else. Validating.
Keywords: (none) => validated_update
Whiteboard: has_procedure MGA5-32-OK => has_procedure MGA5-32-OK mga5-64-ok
CC: (none) => sysadmin-bugs
Advisory uploaded.
Whiteboard: has_procedure MGA5-32-OK mga5-64-ok => has_procedure advisory MGA5-32-OK mga5-64-ok
corrected cve typo too.
An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2016-0099.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED