A CVE has been assigned for a security issue fixed upstream in perl-XSLoader: http://openwall.com/lists/oss-security/2016/07/08/5 XSLoader is also bundled in perl itself, so both need to be patched. I uploaded patched packages for Cauldron yesterday and checked the patches into Mageia 5 SVN. All that needs to be done now is pushing the builds and writing the advisory.
Fedora has issued an advisory for this on July 18: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/5RFDMASVZLFZYBB2GNTZXU6I76E4NA4V/
URL: (none) => http://lwn.net/Vulnerabilities/694785/
Fedora 24 advisory: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/ITYZJXQH24X2F2LAOQEQAC5KXLYJTJ76/
Patched packages uploaded for Mageia 5.

Advisory:
========================

Updated perl-XSLoader and perl packages fix security vulnerability:

An arbitrary code execution can be achieved if loading code from untrusted current working directory despite the '.' is removed from @INC. Vulnerability is in XSLoader that uses caller() information to locate .so file to load. If malicious attacker creates directory named `(eval 1)` with malicious binary file in it, it will be loaded if the package calling XSLoader is in parent directory (CVE-2016-6185).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6185
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/ITYZJXQH24X2F2LAOQEQAC5KXLYJTJ76/
========================

Updated packages in core/updates_testing:
========================
perl-XSLoader-0.160.0-7.1.mga5
perl-5.20.1-8.4.mga5
perl-base-5.20.1-8.4.mga5
perl-devel-5.20.1-8.4.mga5
perl-doc-5.20.1-8.4.mga5

from SRPMS:
perl-XSLoader-0.160.0-7.1.mga5.src.rpm
perl-5.20.1-8.4.mga5.src.rpm
Assignee: jquelin => qa-bugs
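A sweep for the directory layout the advisory above describes, as an added example that is not part of this bug report or of the perl packages: it walks a tree and reports every real directory named `(eval N)` together with any loadable files beneath it. The function name `find_eval_dirs` and the extension list are assumptions made for the example.

```python
import os
import re
import sys

# Perl reports "(eval N)" as the file name of code compiled by a string eval,
# so a real directory with that name is the layout the advisory describes.
EVAL_DIR = re.compile(r"^\(eval \d+\)$")
# Assumption: file extensions treated as loadable objects for triage purposes.
LIB_EXT = (".so", ".bundle", ".dylib", ".dll")


def find_eval_dirs(root):
    """Return [(eval_dir, [loadable files beneath it]), ...] found under root."""
    hits = []
    for dirpath, dirnames, _files in os.walk(root):
        for name in dirnames:
            if not EVAL_DIR.match(name):
                continue
            eval_dir = os.path.join(dirpath, name)
            libs = [
                os.path.join(sub, f)
                for sub, _dirs, files in os.walk(eval_dir)
                for f in files
                if f.lower().endswith(LIB_EXT)
            ]
            hits.append((eval_dir, sorted(libs)))
    return sorted(hits)


if __name__ == "__main__":
    # Usage: python3 find_eval_dirs.py /tmp /srv/shared
    for top in sys.argv[1:] or ["."]:
        for eval_dir, libs in find_eval_dirs(top):
            print(f"{eval_dir}: {len(libs)} loadable file(s)")
            for lib in libs:
                print(f"  {lib}")
```

A hit with an empty file list is still worth a look, since a legitimate build or install has no reason to create a directory with that name.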
The patches added a test to the test suite, which is run for both packages, so an install/upgrade test should be sufficient.
Testing on x86_64

Found a link to a PoC in CVE-2016-6185 and attempted to use it but found it difficult to understand so cannot draw any conclusions from it. See attached report.

Installed perl-XSLoader, tried the PoC and updated the packages. Ran the PoC again. No conclusions. Cannot tell if the updated XSLoader is ignoring relative paths. However, clean install, and according to David that runs a self-test.
CC: (none) => tarazed25
Created attachment 8339: Inconclusive attempt to exercise a PoC
Created attachment 8340: Inconclusive attempt to run a PoC
Attachment 8339 is obsolete: 0 => 1
Created attachment 8341: Attempt to run a PoC
Attachment 8340 is obsolete: 0 => 1
Validating based on the self test passing.
Keywords: (none) => validated_update
Whiteboard: (none) => advisory MGA5-32-OK
CC: (none) => davidwhodgins, sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2016-0299.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED
The perl package was not pushed because it was not listed in the advisory in SVN.
Status: RESOLVED => REOPENED
Resolution: FIXED => (none)
perl package was just pushed by Nicolas. Thanks!
Status: REOPENED => RESOLVED
Resolution: (none) => FIXED