Your submission was sent successfully! Close

CVE-2016-1238

Published: 25 July 2016

(1) cpan/Archive-Tar/bin/ptar, (2) cpan/Archive-Tar/bin/ptardiff, (3) cpan/Archive-Tar/bin/ptargrep, (4) cpan/CPAN/scripts/cpan, (5) cpan/Digest-SHA/shasum, (6) cpan/Encode/bin/enc2xs, (7) cpan/Encode/bin/encguess, (8) cpan/Encode/bin/piconv, (9) cpan/Encode/bin/ucmlint, (10) cpan/Encode/bin/unidump, (11) cpan/ExtUtils-MakeMaker/bin/instmodsh, (12) cpan/IO-Compress/bin/zipdetails, (13) cpan/JSON-PP/bin/json_pp, (14) cpan/Test-Harness/bin/prove, (15) dist/ExtUtils-ParseXS/lib/ExtUtils/xsubpp, (16) dist/Module-CoreList/corelist, (17) ext/Pod-Html/bin/pod2html, (18) utils/c2ph.PL, (19) utils/h2ph.PL, (20) utils/h2xs.PL, (21) utils/libnetcfg.PL, (22) utils/perlbug.PL, (23) utils/perldoc.PL, (24) utils/perlivp.PL, and (25) utils/splain.PL in Perl 5.x before 5.22.3-RC2 and 5.24 before 5.24.1-RC2 do not properly remove . (period) characters from the end of the includes directory array, which might allow local users to gain privileges via a Trojan horse module under the current working directory.

From the Ubuntu security team

It was discovered that several perl modules improperly handle . (period) characters at the end of the includes directory array. A local attacker could possibly use this to perform a Trojan Horse module attack.

Priority

Medium

CVSS 3 base score: 7.8

Status

Package Release Status
libsys-syslog-perl
Launchpad, Ubuntu, Debian
artful Does not exist

bionic Does not exist

cosmic Does not exist

precise Does not exist
(precise was released [0.29-1+deb7u1build0.12.04.1])
trusty Does not exist
(trusty was released [0.33-1+deb8u1build0.14.04.1])
upstream
Released (0.33-1+deb8u1)
wily Ignored
(reached end-of-life)
xenial Does not exist

yakkety Does not exist

zesty Does not exist

perl
Launchpad, Ubuntu, Debian
artful Not vulnerable
(5.24.1-2ubuntu1)
bionic Not vulnerable
(5.24.1-2ubuntu1)
cosmic Not vulnerable
(5.24.1-2ubuntu1)
precise Ignored

trusty Ignored

upstream Needs triage

wily Ignored
(reached end-of-life)
xenial Ignored

yakkety Not vulnerable
(5.22.2-3)
zesty Not vulnerable
(5.24.1-2ubuntu1)

Notes

AuthorNote
mdeslaur
the fix for this issue changes default behaviour and will
possibly break existing installations and scripts. Furthermore,
other packages in the archive need to be changed to work with
the new behaviour, see the Debian advisory for more info:
https://www.debian.org/security/2016/dsa-3628

Due to the change in behaviour, we will not be fixing this issue
in perl in Ubuntu 12.04 LTS, Ubuntu 14.04 LTS and Ubuntu 16.04
LTS.

References

Bugs