clone 829138 -1
retitle -1 perl: XSLoader tries to load code from '(eval 1)/' when called inside a string eval
reassign -1 perl 5.22.2-1
tag -1 patch fixed-upstream
severity -1 important
tag 829138 patch
thanks
On Thu, Jun 30, 2016 at 11:28:51PM +0200, Jakub Wilk wrote:
> Package: liblist-moreutils-perl
> Version: 0.413-1+b1
> Tags: security
> Control: affects -1 + check-all-the-things
>
> List::MoreUtils tries to load code from a subdirectory of the current
> working directory. This could lead to execution of arbitrary code if cwd is
> untrusted.

Thanks for the report. As discussed in the upstream ticket, the root cause is
XSLoader, which uses caller() information to locate the .so file to load. This
can be incorrect if XSLoader::load() is called in a string eval.

https://rt.cpan.org/Ticket/Display.html?id=115808

I'm cloning a separate bug against perl about this; XSLoader is already fixed
upstream with http://perl5.git.perl.org/perl.git/commitdiff/08e3451d7

There's a simple workaround for List::MoreUtils in the upstream ticket
included below. I think we should apply this in any case as it improves the
diagnostics.

I'm setting the severity of the XSLoader bug to 'important'; the circumstances
are rare enough that I don't think it should be release-critical at this point
as long as List-MoreUtils gets patched. I'll still try to fix it in perl soon,
and we can revisit this if other packages turn out to be affected.

diff -rup List-MoreUtils-0.415-sba79Z-orig/lib/List/MoreUtils/XS.pm List-MoreUtils-0.415-sba79Z/lib/List/MoreUtils/XS.pm --- List-MoreUtils-0.415-sba79Z-orig/lib/List/MoreUtils/XS.pm 2016-05-01 09:47:00.000000000 -0700 +++ List-MoreUtils-0.415-sba79Z/lib/List/MoreUtils/XS.pm 2016-07-03 11:02:41.000000000 -0700 @@ -13,6 +13,7 @@ BEGIN # Load the XS at compile-time so that redefinition warnings will be # thrown correctly if the XS versions of part or indexes loaded my $ldr = <<EOLDR; +#line ${\(__LINE__+1 . " " . __FILE__)} package List::MoreUtils; # PERL_DL_NONLAZY must be false, or any errors in loading will just

--
Niko Tyni
nt...@debian.org
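Review bot: the added `#line ${\(__LINE__+1 . " " . __FILE__)}` line carries no comment saying why it is there, and a reader of XS.pm who does not know this bug will see an odd-looking first line in the heredoc and may drop it in a cleanup; a one-line comment next to `my $ldr = <<EOLDR;` stating that the directive exists so that caller() inside the later string eval reports XS.pm instead of "(eval N)" (which otherwise sends XSLoader to a cwd-relative "(eval N)/..." path) would make the intent survive. It would also be worth pairing the change with a small regression test asserting that, from inside the evaluated string, `(caller(0))[1]` equals the real XS.pm path, so a future refactor of the heredoc cannot silently reintroduce the cwd lookup.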
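The mechanism behind this bug, as an added example that is not part of the report, of XSLoader or of List::MoreUtils: a small script shows what caller() reports for a direct call, for a call from inside a string eval, and for the same eval prefixed with a `#line` directive. The helper `probe_path_from_caller` and the `auto/Some/Module/Module.so` path are assumptions that only mimic the behaviour the report describes (derive a library directory from the caller's file name); they are not XSLoader's code.

```perl
#!/usr/bin/perl
# Added example, not code from the bug report, XSLoader or List::MoreUtils.
# Shows why caller() misreports the source file inside a string eval and
# how a "#line" directive (the technique of the List::MoreUtils patch) fixes it.
use strict;
use warnings;
use File::Spec;

# Hypothetical loader helper that mimics the behaviour the report describes:
# take the caller's reported file, drop the file name, and build a library
# path under it. Assumed names and path; this is not XSLoader's own code.
sub probe_path_from_caller {
    my $file = (caller(0))[1];                 # file name Perl recorded for the caller
    (my $dir = $file) =~ s{[\\/][^\\/]+\z}{};  # strip the trailing path component, if any
    return ("$dir/auto/Some/Module/Module.so", $file);
}

# Print the probe path and whether the OS would resolve it against the cwd.
sub report {
    my ($label, $path, $file) = @_;
    my $kind = File::Spec->file_name_is_absolute($path) ? 'absolute' : 'RELATIVE to cwd';
    printf "%-16s caller file=%-28s probe=%s (%s)\n", $label, $file, $path, $kind;
}

# 1. Called directly: caller() reports this script's path exactly as given to perl.
report('direct call', probe_path_from_caller());

# 2. Called inside a string eval with no #line: caller() reports "(eval N)".
#    "(eval N)" has no directory part, so the probe becomes "(eval N)/auto/...",
#    a relative path that is resolved against the current working directory.
my $code  = 'probe_path_from_caller()';
my @plain = eval $code;
die $@ if $@;
report('string eval', @plain);

# 3. Same eval with a leading #line directive naming the real, absolute file.
#    Perl honours #line inside string evals, so caller() now reports that file
#    and the probe is anchored at a known absolute directory instead of the cwd.
my $abs   = File::Spec->rel2abs(__FILE__);
my @fixed = eval sprintf(qq{#line %d "%s"\n%s}, __LINE__ + 1, $abs, $code);
die $@ if $@;
report('eval with #line', @fixed);
```

Run it as `perl ./eval_line_demo.pl` (assumed file name): the second line of output shows the `(eval 1)/auto/...` probe flagged as relative to the cwd, which is exactly the condition the report warns about, and the third line shows the `#line` directive turning it back into an absolute path. Using `File::Spec->rel2abs(__FILE__)` in the directive is a choice made for the demonstration; the List::MoreUtils patch uses `__FILE__` as-is because a module loaded through @INC already carries its directory.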