perl: CVE-2016-6185: XSLoader tries to load code from '(eval 1)/' when called inside a string eval

Debian Bug report logs - #829578
perl: CVE-2016-6185: XSLoader tries to load code from '(eval 1)/' when called inside a string eval

Toggle useless messages

Message #3 received at submit@bugs.debian.org (full text, mbox, reply):

From: Jakub Wilk <jwilk@debian.org>

To: Debian Bug Tracking System <submit@bugs.debian.org>

Subject: liblist-moreutils-perl: tries to load code from cwd

Date: Thu, 30 Jun 2016 23:28:51 +0200

[Message part 1 (text/plain, inline)]

Package: liblist-moreutils-perl
Version: 0.413-1+b1
Tags: security
Control: affects -1 + check-all-the-things

List::MoreUtils tries to load code from a subdirectory of the current 
working directory. This could lead to execution of arbitrary code if 
cwd is untrusted.

Proof of concept:

$ mkdir -p '(eval 1)/auto/List/MoreUtils/'
$ gcc -Wall -fPIC -shared moo.c -o '(eval 1)/auto/List/MoreUtils/MoreUtils.so'
$ perl -e 'no lib "."; use List::MoreUtils'
                (__)
                (oo)
          /------\/
         / |    ||
        *  /\---/\
           ~~   ~~
..."Have you mooed today?"...
Segmentation fault


-- System Information:
Debian Release: stretch/sid
 APT prefers unstable
 APT policy: (990, 'unstable'), (500, 'experimental')
Architecture: i386 (x86_64)
Foreign Architectures: amd64

Kernel: Linux 4.6.0-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=pl_PL.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)

Versions of packages liblist-moreutils-perl depends on:
ii  libc6                       2.22-13
ii  libexporter-tiny-perl       0.042-1
ii  perl                        5.22.2-1
ii  perl-base [perlapi-5.22.1]  5.22.2-1

-- 
Jakub Wilk

[moo.c (text/x-csrc, attachment)]

Message #16 received at 829138@bugs.debian.org (full text, mbox, reply):

From: Niko Tyni <ntyni@debian.org>

To: Jakub Wilk <jwilk@debian.org>, 829138@bugs.debian.org

Cc: Paul Wise <pabs@debian.org>, perl@packages.debian.org

Subject: Re: Bug#829138: liblist-moreutils-perl: tries to load code from cwd

Date: Mon, 4 Jul 2016 15:11:36 +0300

clone 829138 -1
retitle -1 perl: XSLoader tries to load code from '(eval 1)/' when called inside a string eval
reassign -1 perl 5.22.2-1
tag -1 patch fixed-upstream
severity -1 important
tag 829138 patch
thanks

On Thu, Jun 30, 2016 at 11:28:51PM +0200, Jakub Wilk wrote:
> Package: liblist-moreutils-perl
> Version: 0.413-1+b1
> Tags: security
> Control: affects -1 + check-all-the-things
> 
> List::MoreUtils tries to load code from a subdirectory of the current
> working directory. This could lead to execution of arbitrary code if cwd is
> untrusted.

Thanks for the report.

As discussed in the upstream ticket, the root cause is XSLoader, which
uses caller() information to locate the .so file to load. This can be
incorrect if XSLoader::load() is called in a string eval.

  https://rt.cpan.org/Ticket/Display.html?id=115808

I'm cloning a separate bug against perl about this; XSLoader
is already fixed upstream with

 http://perl5.git.perl.org/perl.git/commitdiff/08e3451d7

There's a simple workaround for List::MoreUtils in the upstream ticket
included below. I think we should apply this in any case as it improves
the diagnostics.

I'm setting the severity of the XSLoader bug to 'important';
the circumstances are rare enough that I don't think it should be
release-critical at this point as long as List-MoreUtils gets patched.

I'll still try to fix it in perl soon, and we can revisit this if other
packages turn out to be affected.

diff -rup List-MoreUtils-0.415-sba79Z-orig/lib/List/MoreUtils/XS.pm List-MoreUtils-0.415-sba79Z/lib/List/MoreUtils/XS.pm
--- List-MoreUtils-0.415-sba79Z-orig/lib/List/MoreUtils/XS.pm   2016-05-01 09:47:00.000000000 -0700
+++ List-MoreUtils-0.415-sba79Z/lib/List/MoreUtils/XS.pm    2016-07-03 11:02:41.000000000 -0700
@@ -13,6 +13,7 @@ BEGIN
     # Load the XS at compile-time so that redefinition warnings will be
     # thrown correctly if the XS versions of part or indexes loaded
     my $ldr = <<EOLDR;
+#line ${\(__LINE__+1 . " " . __FILE__)}
    package List::MoreUtils;
 
    # PERL_DL_NONLAZY must be false, or any errors in loading will just

-- 
Niko Tyni   ntyni@debian.org

Message #37 received at 829578-close@bugs.debian.org (full text, mbox, reply):

From: Niko Tyni <ntyni@debian.org>

To: 829578-close@bugs.debian.org

Subject: Bug#829578: fixed in perl 5.22.2-2

Date: Thu, 07 Jul 2016 22:40:15 +0000

Source: perl
Source-Version: 5.22.2-2

We believe that the bug you reported is fixed in the latest version of
perl, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 829578@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Niko Tyni <ntyni@debian.org> (supplier of updated perl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Thu, 07 Jul 2016 20:40:41 +0200
Source: perl
Binary: perl-base perl-doc perl-debug libperl5.22 libperl-dev perl-modules-5.22 perl
Architecture: source
Version: 5.22.2-2
Distribution: unstable
Urgency: medium
Maintainer: Niko Tyni <ntyni@debian.org>
Changed-By: Niko Tyni <ntyni@debian.org>
Description:
 libperl-dev - Perl library: development files
 libperl5.22 - shared Perl library
 perl       - Larry Wall's Practical Extraction and Report Language
 perl-base  - minimal Perl system
 perl-debug - debug-enabled Perl interpreter
 perl-doc   - Perl documentation
 perl-modules-5.22 - Core Perl modules
Closes: 829296 829578
Changes:
 perl (5.22.2-2) unstable; urgency=medium
 .
   [ Niko Tyni ]
   * Make XSLoader skip relative paths not on @INC. (Closes: #829578)
   * Add patch from Chris Lamb making the output of ExtUtils::ParseXS
     reproducible. (Closes: #829296)
   * Refresh cross build support files for all architectures.
 .
   [ Dominic Hargreaves ]
   * Update wrong-path-for-interpreter override for 5.22.2, fixing
     Lintian error introduced in previous upload
   * Switch Vcs-Browser from gitweb to cgit and Vcs-Git to https
Checksums-Sha1:
 8e1a7a4442f395eea9007095b827998105f80b68 2349 perl_5.22.2-2.dsc
 a8dc908febf7e3c01774d2c96539197ae8f5d12e 150920 perl_5.22.2-2.debian.tar.xz
Checksums-Sha256:
 e562e80af161c22e13398472aa1bc85e503a79ea05e5e3f3de691cd353dde953 2349 perl_5.22.2-2.dsc
 a4b9933cfc3a18259f56a517054bcc15cc8b955bc4f3622fb129c5b233282802 150920 perl_5.22.2-2.debian.tar.xz
Files:
 1fc3bf11d9c7648702e4551af46a0c76 2349 perl standard perl_5.22.2-2.dsc
 20ff7343f675dd798cba7bc45e61a8e5 150920 perl standard perl_5.22.2-2.debian.tar.xz

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJXfq6eAAoJEC7A/7O3MBsfAAUQALGlMv/HhVp87BkhjqyR6tyk
YP7atXkl9NfS+NIWzIgJaHg2ml8yxYm8XS715xrAShc004C8hZfO6MXjJRMqx8uf
+z/4KE30LMMvpDqDGNPg0ajCkrDjdhHLvJdgMzT/t+PhaqE/ZJV6FSGrLJIPLgYQ
0pcBdRnQSHR8/Zo9xgcM6HKiXHSh7hn3vUgM2ZQ8sEoIJDGI3jAfMxfwMNEziY9g
KzPW/g1CNNgaLhbGWKilmzY0QxOfpYPfzm/AQk8IlP8gw8OK2rZYB9VGPOcrZsEL
+904FhudoJ5Qzk8Cb02dWCle6Q8vn9RMHjCOsXyPBBI+NDbv/ivWUgzyp1qZ0PPn
/dPZ2zuR6Mr136qJHVGJtfxQ28jpGWdGKAt5/2ukhoOeKVaJPgCShrUUcftgiCVu
4QgMIzJtTiVfcznRfrITUtcI31JJ/SlYh7GVD2BKNR7AkpQfTjft6GX6I6oW9QNr
2+kgXL0h9wSUBGDW9/3VtrtWtabbdB2NxU+X7AtAhR661FL8avCo34O9riXQ9LyJ
gKIiVXqAjTXHMlcuPpMhjM/Q/6aTuQoQ5W/XPhKWW6m7aAWTKRLkCkZ70iwTCGEC
flwKxnSnRHydyT1TGItPIsywUxID3qJW50K4l9LxofP4uzr1HYhUCXXcAmSM8m3Y
xACKPbOve3xw0CMjrkSb
=Rr+V
-----END PGP SIGNATURE-----

Message #48 received at 829578-close@bugs.debian.org (full text, mbox, reply):

From: Dominic Hargreaves <dom@earth.li>

To: 829578-close@bugs.debian.org

Subject: Bug#829578: fixed in perl 5.20.2-3+deb8u6

Date: Tue, 26 Jul 2016 22:17:59 +0000

Source: perl
Source-Version: 5.20.2-3+deb8u6

We believe that the bug you reported is fixed in the latest version of
perl, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 829578@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Dominic Hargreaves <dom@earth.li> (supplier of updated perl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Fri, 22 Jul 2016 16:30:45 +0100
Source: perl
Binary: perl-base perl-doc perl-debug libperl5.20 libperl-dev perl-modules perl
Architecture: all amd64 source
Version: 5.20.2-3+deb8u6
Distribution: jessie-security
Urgency: high
Maintainer: Niko Tyni <ntyni@debian.org>
Changed-By: Dominic Hargreaves <dom@earth.li>
Closes: 829578
Description: 
 libperl5.20 - shared Perl library
 libperl-dev - Perl library: development files
 perl-base  - minimal Perl system
 perl-debug - debug-enabled Perl interpreter
 perl-doc   - Perl documentation
 perl       - Larry Wall's Practical Extraction and Report Language
 perl-modules - Core Perl modules
Changes:
 perl (5.20.2-3+deb8u6) jessie-security; urgency=high
 .
   [ Niko Tyni ]
   * [SECURITY] CVE-2016-1238: opportunistic loading of optional
     modules can make many programs unintentionally load code
     from the current working directory (which might be changed to
     another directory without the user realising).
     + allow user configurable removal of "." from @INC in
       /etc/perl/sitecustomize.pl for a transitional period. (See: #588017)
     + backport patches from [perl #127834] to fix known vulnerabilities
       even if the user does not configure "." to be removed from @INC
     + backport patches from [perl #127810] to fix various classes of
       build failures in perl and CPAN modules if "." is removed from
       @INC
 .
   [ Dominic Hargreaves ]
   * [SECURITY] CVE-2016-6185: Make XSLoader skip relative paths not
     on @INC. (Closes: #829578)
Checksums-Sha1: 
 0a2b60f4c782b530c71bee2f02924ebc29bcbd7b 2322 perl_5.20.2-3+deb8u6.dsc
 9c18e568d3de10f3f89d9ec5466da915bc27b881 147848 perl_5.20.2-3+deb8u6.debian.tar.xz
 8a848495a26bbceb3f6ed8d8742a1f90da5deeee 7348008 perl-doc_5.20.2-3+deb8u6_all.deb
 b08ba3dd6c6643cfbde1871ca2e6d42314ac8df5 2546644 perl-modules_5.20.2-3+deb8u6_all.deb
 f28a7ea3b34a85f4619fe12ea789022ece23b223 1229140 perl-base_5.20.2-3+deb8u6_amd64.deb
 e5eb387b9fb8cee01016d193fd6f23c436767a92 4626424 perl-debug_5.20.2-3+deb8u6_amd64.deb
 deec309405c9e74f2123ec3816213da064d84a76 1350 libperl5.20_5.20.2-3+deb8u6_amd64.deb
 eb5dbf55cea999f5d1a79d51eadaf1da8c2da162 2142886 libperl-dev_5.20.2-3+deb8u6_amd64.deb
 bf6d261602ca406173ac2937a2391dda8b05ce2a 2637484 perl_5.20.2-3+deb8u6_amd64.deb
Checksums-Sha256: 
 b7569ffa209fcd84bc4d487a9c242b21b0db591b3a9222ae0e1140bab67c6106 2322 perl_5.20.2-3+deb8u6.dsc
 f6d31a96ea22b2f2626bb017c4960bcbdf1ac1e11e5639175cd9418fdccda812 147848 perl_5.20.2-3+deb8u6.debian.tar.xz
 b8f4c715a5907a358f08aee51a06018aaf42f11ea3b437bd1412612f7949c77a 7348008 perl-doc_5.20.2-3+deb8u6_all.deb
 59c74e72dc08a7d13245cceee1b4877238503b2e24ef05209dd4ce34256d034c 2546644 perl-modules_5.20.2-3+deb8u6_all.deb
 d4957a3ccb9c311c6a24df2f45652b3a72e854daa79cb8675e9d501389ba11e0 1229140 perl-base_5.20.2-3+deb8u6_amd64.deb
 05fa0120797b82071d2279c6d8294ec717f0501c2ff0dfb3e0edf0b25170b0a5 4626424 perl-debug_5.20.2-3+deb8u6_amd64.deb
 7cc76407a0721747d678d2e4dac0fc71265f075963f564ef2f0a6f8fa3593fd9 1350 libperl5.20_5.20.2-3+deb8u6_amd64.deb
 2265125af5c118fec0698901fcec5047d0221ddcee77a761bdfebe074002a0d9 2142886 libperl-dev_5.20.2-3+deb8u6_amd64.deb
 c8e863928022d4723a40177958b0d1e236540b2ae540bf17f534124fc45f8b43 2637484 perl_5.20.2-3+deb8u6_amd64.deb
Files: 
 7cfb7884b007e91d5294d801430a9742 2322 perl standard perl_5.20.2-3+deb8u6.dsc
 53e57cdf702ba031189ce7f7860a52d5 147848 perl standard perl_5.20.2-3+deb8u6.debian.tar.xz
 c4f73d1bcc256c233938c683915dcb62 7348008 doc optional perl-doc_5.20.2-3+deb8u6_all.deb
 0d9a0dd06969ab4d8b68d49d598c9ec4 2546644 perl standard perl-modules_5.20.2-3+deb8u6_all.deb
 a58ac685ce7ffbe27ca04d8345306654 1229140 perl required perl-base_5.20.2-3+deb8u6_amd64.deb
 fa34a25a7b1d73c31933743af444947b 4626424 debug extra perl-debug_5.20.2-3+deb8u6_amd64.deb
 91876213de552333aa5748d0482a1921 1350 libs optional libperl5.20_5.20.2-3+deb8u6_amd64.deb
 60447eca2a85350c34509ce8e29bb6e2 2142886 libdevel optional libperl-dev_5.20.2-3+deb8u6_amd64.deb
 ba01fdc0c63fbde6e0f45a6961515a05 2637484 perl standard perl_5.20.2-3+deb8u6_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBAgAGBQJXkk0GAAoJEMAFfnFNaU+ytxMP/1D5DiyfGiIK/jta0uL6POH1
ybg2FzEFYQkFEAvQ5f+gpG5mvvBRa1eOMF44WZaQaSj2/xsDnB8B3Ql9X6/RpPzn
+5s8AKc4qXqRxSiRfOubswXNXtZ1EJFxESM1UAX4W9AITDGYCmtDjaZWcP2bDyS6
zTkXR47sfQkKNnpueMaKQfIKEKIvY31s7HrXoDh65+Cq7/zjUsPxd1nL18VQhV07
VDjLlC8slJyswCgIvTqHean4Cbu5VEvvsN0R3nI4pOoWcFzi0ANUCatjw6jregE/
3YOxsrc40hRQQKUHGLJaVQpum2Lq9wWG9/6ZUdsYYUsczj1WFgboMKmBkFZYLTwt
geJxnLjbgV/uY6NeoWRoqH8C2gvF0P/N8ccoGwEvBeskSo8dNm3FkZKDdw6XX/aH
85Pcuo+knn7jVreeDzol2/otEHJ34M32YW8Ct3vapclVdcPRe4FVTmIdWt7u6w72
tMkG2R9ww+FmJlZaQaW9uDR7Pf9kWLWxNVLkRU4BWo5sTTiOUjxOzUZ1ddb9GYLA
fsYtgmaehTr3Xqzs20uk4q9IxCbuLfkClXG8HNTDMZhJSYaJgy0Wiq8vAeFInDPL
srFrZVu1AT6/YmeJQnUYg+2+yjFacZcDdJwvI2s8ACWm+VwM0YDYjlBDVD5jq+0c
UhjcX/EDXFwFU6Fle24e
=k6c+
-----END PGP SIGNATURE-----

Send a report that this bug log contains spam.