CVE-2016-1238

Published: 25 July 2016

(1) cpan/Archive-Tar/bin/ptar, (2) cpan/Archive-Tar/bin/ptardiff, (3) cpan/Archive-Tar/bin/ptargrep, (4) cpan/CPAN/scripts/cpan, (5) cpan/Digest-SHA/shasum, (6) cpan/Encode/bin/enc2xs, (7) cpan/Encode/bin/encguess, (8) cpan/Encode/bin/piconv, (9) cpan/Encode/bin/ucmlint, (10) cpan/Encode/bin/unidump, (11) cpan/ExtUtils-MakeMaker/bin/instmodsh, (12) cpan/IO-Compress/bin/zipdetails, (13) cpan/JSON-PP/bin/json_pp, (14) cpan/Test-Harness/bin/prove, (15) dist/ExtUtils-ParseXS/lib/ExtUtils/xsubpp, (16) dist/Module-CoreList/corelist, (17) ext/Pod-Html/bin/pod2html, (18) utils/c2ph.PL, (19) utils/h2ph.PL, (20) utils/h2xs.PL, (21) utils/libnetcfg.PL, (22) utils/perlbug.PL, (23) utils/perldoc.PL, (24) utils/perlivp.PL, and (25) utils/splain.PL in Perl 5.x before 5.22.3-RC2 and 5.24 before 5.24.1-RC2 do not properly remove . (period) characters from the end of the includes directory array, which might allow local users to gain privileges via a Trojan horse module under the current working directory.

From the Ubuntu security team

It was discovered that several perl modules improperly handle . (period) characters at the end of the includes directory array. A local attacker could possibly use this to perform a Trojan Horse module attack.

Priority

Medium

CVSS 3 base score: 7.8

Status

Package Release Status
libsys-syslog-perl
Launchpad, Ubuntu, Debian
Upstream
Released (0.33-1+deb8u1)
Ubuntu 18.04 LTS (Bionic Beaver) Does not exist

Ubuntu 16.04 LTS (Xenial Xerus) Does not exist

Ubuntu 14.04 ESM (Trusty Tahr) Does not exist
(trusty was released [0.33-1+deb8u1build0.14.04.1])
perl
Launchpad, Ubuntu, Debian
Upstream Needs triage

Ubuntu 18.04 LTS (Bionic Beaver) Not vulnerable
(5.24.1-2ubuntu1)
Ubuntu 16.04 LTS (Xenial Xerus) Ignored

Ubuntu 14.04 ESM (Trusty Tahr) Ignored

Notes

AuthorNote
mdeslaur
the fix for this issue changes default behaviour and will
possibly break existing installations and scripts. Furthermore,
other packages in the archive need to be changed to work with
the new behaviour, see the Debian advisory for more info:
https://www.debian.org/security/2016/dsa-3628

Due to the change in behaviour, we will not be fixing this issue
in perl in Ubuntu 12.04 LTS, Ubuntu 14.04 LTS and Ubuntu 16.04
LTS.

References

Bugs