perl.perl5.porters | Postings from July 2016

Re: CVE-2016-1238: Important unsafe module load path flaw

From: Dominic Hargreaves
Date: July 25, 2016 23:20
Subject: Re: CVE-2016-1238: Important unsafe module load path flaw
Message ID: 20160725232004.GS27403@urchin.earth.li
On Mon, Jul 25, 2016 at 03:57:03PM -0500, Craig A. Berry wrote:
> On Mon, Jul 25, 2016 at 8:17 AM, Sawyer X <xsawyerx@gmail.com> wrote:
> > Steve Hay just pushed fixes for CVE-2016-1238 to maint-5.22 and
> > maint-5.24 for:
> > https://rt.perl.org/Ticket/Display.html?id=127834
> >
> > Steve has also just released RCs for 5.22.3 and 5.24.1 carrying these fixes:
> >
> > http://nntp.perl.org/group/perl.perl5.porters/238269
> > http://nntp.perl.org/group/perl.perl5.porters/238270
> 
> The Debian advisory is here for anyone interested:
> 
> <https://www.debian.org/security/2016/dsa-3628>
> 
> I stumbled on the following message from someone struggling to adapt
> the 5.22.x changes to what appears to be an older perl:
> 
> <https://lists.gnu.org/archive/html/guix-devel/2016-07/msg01226.html>
> 
> If anyone has pointers to a patch or patches that work with 5.20.x or
> earlier, it might be nice to share them even though we no longer
> officially support those versions.  Debian appears to have patched
> their 5.20.x release but I don't know where that source code lives.

The Debian patches are here:

https://anonscm.debian.org/cgit/perl/perl.git/tree/debian/patches/fixes/CVE-2016-1238?h=jessie-security

and also here (versions of Todd's patches to make perl build with '.' in
@INC):

https://anonscm.debian.org/cgit/perl/perl.git/tree/debian/patches/debian/CVE-2016-1238?h=jessie-security
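
The thread only points at patches; the following is an added example, not code from the thread or from the Debian or perl patch sets, that shows the load-path behaviour CVE-2016-1238 is about and the script-level mitigation of dropping '.' from @INC. The optional module name Optional_Accelerator is hypothetical and the rogue module file is constructed by the script itself in a temporary directory.

```perl
#!/usr/bin/perl
# Added example (not part of the thread): why '.' in @INC is the
# CVE-2016-1238 problem, and one script-level mitigation.
use strict;
use warnings;
use Cwd qw(getcwd);
use File::Temp qw(tempdir);

# Hypothetical optional dependency that an application probes for with
# eval { require ... } and silently does without when it is missing.
my $module = 'Optional_Accelerator';

# Constructed attacker-controlled directory (think of a shared /tmp or an
# unpacked archive) holding a module of the same name.  A real payload would
# do something harmful; this one only announces that it ran.
my $dir = tempdir(CLEANUP => 1);
open my $fh, '>', "$dir/$module.pm" or die "open: $!";
print $fh <<"EOM";
package $module;
warn "rogue $module.pm executed from " . __FILE__ . "\\n";
1;
EOM
close $fh or die "close: $!";

my $home = getcwd();
chdir $dir or die "chdir: $!";   # the victim runs the application from here

# Probe for the optional module the way much code does.  The %INC entry is
# cleared first so each call really searches @INC again.
sub try_load {
    my ($name) = @_;
    (my $file = "$name.pm") =~ s{::}{/}g;
    delete $INC{$file};
    return eval "require $name; 1" ? "loaded from $INC{$file}" : "not found";
}

printf "'.' in \@INC: %s\n", (grep { $_ eq '.' } @INC) ? 'yes' : 'no';
print "unmitigated : ", try_load($module), "\n";

# Mitigation: drop '.' from @INC before any optional require.  Changing
# @INC itself (rather than a localized copy) also protects later requires
# elsewhere in the program.
@INC = grep { $_ ne '.' } @INC;
print "'.' removed : ", try_load($module), "\n";

chdir $home or die "chdir: $!";
```

On a perl whose default @INC still ends in '.', the first probe loads and executes the rogue file from the current directory and the second reports "not found"; on a perl that already ships without '.' in @INC, both probes report "not found" and the first line of output shows why. The same effect can be had at compile time with `no lib '.';`, which removes that entry from @INC.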


