CVE-2016-1238
Published: 25 July 2016
(1) cpan/Archive-Tar/bin/ptar, (2) cpan/Archive-Tar/bin/ptardiff, (3) cpan/Archive-Tar/bin/ptargrep, (4) cpan/CPAN/scripts/cpan, (5) cpan/Digest-SHA/shasum, (6) cpan/Encode/bin/enc2xs, (7) cpan/Encode/bin/encguess, (8) cpan/Encode/bin/piconv, (9) cpan/Encode/bin/ucmlint, (10) cpan/Encode/bin/unidump, (11) cpan/ExtUtils-MakeMaker/bin/instmodsh, (12) cpan/IO-Compress/bin/zipdetails, (13) cpan/JSON-PP/bin/json_pp, (14) cpan/Test-Harness/bin/prove, (15) dist/ExtUtils-ParseXS/lib/ExtUtils/xsubpp, (16) dist/Module-CoreList/corelist, (17) ext/Pod-Html/bin/pod2html, (18) utils/c2ph.PL, (19) utils/h2ph.PL, (20) utils/h2xs.PL, (21) utils/libnetcfg.PL, (22) utils/perlbug.PL, (23) utils/perldoc.PL, (24) utils/perlivp.PL, and (25) utils/splain.PL in Perl 5.x before 5.22.3-RC2 and 5.24 before 5.24.1-RC2 do not properly remove . (period) characters from the end of the includes directory array, which might allow local users to gain privileges via a Trojan horse module under the current working directory.
From the Ubuntu Security Team
It was discovered that several perl modules improperly handle . (period) characters at the end of the includes directory array. A local attacker could possibly use this to perform a Trojan Horse module attack.
Notes
Author | Note |
---|---|
mdeslaur | the fix for this issue changes default behaviour and will possibly break existing installations and scripts. Furthermore, other packages in the archive need to be changed to work with the new behaviour, see the Debian advisory for more info: https://www.debian.org/security/2016/dsa-3628 Due to the change in behaviour, we will not be fixing this issue in perl in Ubuntu 12.04 LTS, Ubuntu 14.04 LTS and Ubuntu 16.04 LTS. |
Priority
Status
Package | Release | Status |
---|---|---|
libsys-syslog-perl Launchpad, Ubuntu, Debian |
artful |
Does not exist
|
bionic |
Does not exist
|
|
cosmic |
Does not exist
|
|
trusty |
Released
(0.33-1+deb8u1build0.14.04.1)
|
|
upstream |
Released
(0.33-1+deb8u1)
|
|
wily |
Ignored
(end of life)
|
|
xenial |
Does not exist
|
|
yakkety |
Does not exist
|
|
zesty |
Does not exist
|
|
precise |
Released
(0.29-1+deb7u1build0.12.04.1)
|
|
perl Launchpad, Ubuntu, Debian |
artful |
Not vulnerable
(5.24.1-2ubuntu1)
|
bionic |
Not vulnerable
(5.24.1-2ubuntu1)
|
|
cosmic |
Not vulnerable
(5.24.1-2ubuntu1)
|
|
upstream |
Needs triage
|
|
wily |
Ignored
(end of life)
|
|
xenial |
Ignored
|
|
yakkety |
Not vulnerable
(5.22.2-3)
|
|
zesty |
Not vulnerable
(5.24.1-2ubuntu1)
|
|
trusty |
Ignored
|
|
precise |
Ignored
(end of life)
|
Severity score breakdown
Parameter | Value |
---|---|
Base score | 7.8 |
Attack vector | Local |
Attack complexity | Low |
Privileges required | Low |
User interaction | None |
Scope | Unchanged |
Confidentiality | High |
Integrity impact | High |
Availability impact | High |
Vector | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |