Your submission was sent successfully! Close


Published: 25 July 2016

(1) cpan/Archive-Tar/bin/ptar, (2) cpan/Archive-Tar/bin/ptardiff, (3) cpan/Archive-Tar/bin/ptargrep, (4) cpan/CPAN/scripts/cpan, (5) cpan/Digest-SHA/shasum, (6) cpan/Encode/bin/enc2xs, (7) cpan/Encode/bin/encguess, (8) cpan/Encode/bin/piconv, (9) cpan/Encode/bin/ucmlint, (10) cpan/Encode/bin/unidump, (11) cpan/ExtUtils-MakeMaker/bin/instmodsh, (12) cpan/IO-Compress/bin/zipdetails, (13) cpan/JSON-PP/bin/json_pp, (14) cpan/Test-Harness/bin/prove, (15) dist/ExtUtils-ParseXS/lib/ExtUtils/xsubpp, (16) dist/Module-CoreList/corelist, (17) ext/Pod-Html/bin/pod2html, (18) utils/c2ph.PL, (19) utils/h2ph.PL, (20) utils/h2xs.PL, (21) utils/libnetcfg.PL, (22) utils/perlbug.PL, (23) utils/perldoc.PL, (24) utils/perlivp.PL, and (25) utils/splain.PL in Perl 5.x before 5.22.3-RC2 and 5.24 before 5.24.1-RC2 do not properly remove . (period) characters from the end of the includes directory array, which might allow local users to gain privileges via a Trojan horse module under the current working directory.

From the Ubuntu security team

It was discovered that several perl modules improperly handle . (period) characters at the end of the includes directory array. A local attacker could possibly use this to perform a Trojan Horse module attack.



CVSS 3 base score: 7.8


Package Release Status
Launchpad, Ubuntu, Debian
artful Does not exist

bionic Does not exist

cosmic Does not exist

precise Does not exist
(precise was released [0.29-1+deb7u1build0.12.04.1])
trusty Does not exist
(trusty was released [0.33-1+deb8u1build0.14.04.1])
Released (0.33-1+deb8u1)
wily Ignored
(reached end-of-life)
xenial Does not exist

yakkety Does not exist

zesty Does not exist

Launchpad, Ubuntu, Debian
artful Not vulnerable
bionic Not vulnerable
cosmic Not vulnerable
precise Ignored

trusty Ignored

upstream Needs triage

wily Ignored
(reached end-of-life)
xenial Ignored

yakkety Not vulnerable
zesty Not vulnerable


the fix for this issue changes default behaviour and will
possibly break existing installations and scripts. Furthermore,
other packages in the archive need to be changed to work with
the new behaviour, see the Debian advisory for more info:

Due to the change in behaviour, we will not be fixing this issue
in perl in Ubuntu 12.04 LTS, Ubuntu 14.04 LTS and Ubuntu 16.04