Your message dated Mon, 22 Aug 2016 04:20:44 +0000
with message-id <[email protected]>
and subject line Bug#832441: fixed in devscripts 2.16.7
has caused the Debian Bug report #832441,
regarding devscripts: CVE-2016-1238 fix
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
832441: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=832441
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: devscripts
Version: 2.16.6
Severity: important

Hi maintainer,

An update for this package has been released as part of our handling for
the issue described below. This fixes an instance of the dynamic module
loading vulnerability alluded to.

I attach the patch I applied for jessie; please could you review this
and apply something similar for sid?

Thanks,
Dominic.

----- Forwarded message from Salvatore Bonaccorso <[email protected]> -----

Date: Mon, 25 Jul 2016 14:18:38 +0000
From: Salvatore Bonaccorso <[email protected]>
To: [email protected]
Subject: [SECURITY] [DSA 3628-1] perl security update

-------------------------------------------------------------------------
Debian Security Advisory DSA-3628-1                   [email protected]
https://www.debian.org/security/                     Salvatore Bonaccorso
July 25, 2016                         https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : perl
CVE ID         : CVE-2016-1238 CVE-2016-6185
Debian Bug     : 829578

Multiple vulnerabilities were discovered in the implementation of the
Perl programming language. The Common Vulnerabilities and Exposures
project identifies the following problems:

CVE-2016-1238

    John Lightsey and Todd Rinaldo reported that the opportunistic
    loading of optional modules can make many programs unintentionally
    load code from the current working directory (which might be changed
    to another directory without the user realising) and potentially
    lead to privilege escalation, as demonstrated in Debian with
    certain combinations of installed packages.

    The problem relates to Perl loading modules from the includes
    directory array ("@INC") in which the last element is the current
    directory ("."). That means that, when "perl" wants to load a module
    (during first compilation or during lazy loading of a module at run
    time), perl will look for the module in the current directory last,
    since '.' is the last include directory in its array of include
    directories to seek. The issue is with requiring libraries that are
    in "." but are not otherwise installed.

    With this update several modules which are known to be vulnerable
    are updated to not load modules from current directory.

    Additionally the update allows configurable removal of "." from @INC
    in /etc/perl/sitecustomize.pl for a transitional period. It is
    recommended to enable this setting if the possible breakage for a
    specific site has been evaluated. Problems in packages provided in
    Debian resulting from the switch to the removal of '.' from @INC
    should be reported to the Perl maintainers at
    [email protected] .

    It is planned to switch to the default removal of '.' in @INC in a
    subsequent update to perl via a point release if possible, and in
    any case for the upcoming stable release Debian 9 (stretch).

CVE-2016-6185

    It was discovered that XSLoader, a core module from Perl to
    dynamically load C libraries into Perl code, could load a shared
    library from an incorrect location. XSLoader uses caller() information
    to locate the .so file to load. This can be incorrect if
    XSLoader::load() is called in a string eval. An attacker can take
    advantage of this flaw to execute arbitrary code.

For the stable distribution (jessie), these problems have been fixed in
version 5.20.2-3+deb8u6. Additionally this update includes the
following updated packages to address optional module loading
vulnerabilities related to CVE-2016-1238, or to address build failures
which occur when '.' is removed from @INC:

 - cdbs 0.4.130+deb8u1
 - debhelper 9.20150101+deb8u2
 - devscripts 2.15.3+deb8u1
 - exim4 4.84.2-2+deb8u1
 - libintl-perl 1.23-1+deb8u1
 - libmime-charset-perl 1.011.1-1+deb8u2
 - libmime-encwords-perl 1.014.3-1+deb8u1
 - libmodule-build-perl 0.421000-2+deb8u1
 - libnet-dns-perl 0.81-2+deb8u1
 - libsys-syslog-perl 0.33-1+deb8u1
 - libunicode-linebreak-perl 0.0.20140601-2+deb8u2

We recommend that you upgrade your perl packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: [email protected]



----- End forwarded message -----
From ec54f8919620d6b064f0c61015af553570c2ee3a Mon Sep 17 00:00:00 2001
From: Dominic Hargreaves <[email protected]>
Date: Mon, 25 Jul 2016 10:06:19 +0100
Subject: [PATCH 1/2] Remove . from @INC when loading modules dynamically
 [CVE-2016-1238]

---
 debian/changelog        | 7 +++++++
 scripts/desktop2menu.pl | 1 +
 2 files changed, 8 insertions(+)

diff --git a/debian/changelog b/debian/changelog
index c5c9d79..c766915 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+devscripts (2.15.3+deb8u1) UNRELEASED; urgency=medium
+
+  * Non-maintainer upload.
+  * Remove . from @INC when loading modules dynamically [CVE-2016-1238]
+
+ -- Dominic Hargreaves <[email protected]>  Mon, 25 Jul 2016 10:04:15 +0100
+
 devscripts (2.15.3) unstable; urgency=medium
 
   * debchange: Use bpo8 instead of bpo80 for jessie-backports, per
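Review bot: the distribution field of the new entry still reads UNRELEASED, so this changelog is not yet in the form the stable security upload needs; when finalising it, set the distribution to the jessie security suite and name the affected script (scripts/desktop2menu.pl) in the bullet, since "Remove . from @INC when loading modules dynamically [CVE-2016-1238]" alone does not tell a reader which of the many devscripts programs was changed.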
diff --git a/scripts/desktop2menu.pl b/scripts/desktop2menu.pl
index f97551d..92c99f8 100755
--- a/scripts/desktop2menu.pl
+++ b/scripts/desktop2menu.pl
@@ -64,6 +64,7 @@ use File::Basename;
 my $progname = basename($0);
 
 BEGIN {
+    pop @INC if $INC[-1] eq '.';
     # Load the File::DesktopEntry module safely
     eval { require File::DesktopEntry; };
     if ($@) {
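Review bot: the guard `pop @INC if $INC[-1] eq '.';` runs inside a BEGIN block that comes after the `use File::Basename;` shown in the hunk header, so that earlier compile-time load still happened with '.' present; it is harmless here because File::Basename is a core module found in the system directories first, but placing the pop in its own BEGIN block at the top of the file, ahead of every `use`, keeps the protection true for any module added later. Removing only a trailing '.' (rather than every '.' entry) matches the advisory's description and leaves a deliberately configured PERL5LIB or -I entry untouched, which is the right trade-off for a transitional fix; a one-line comment such as `# CVE-2016-1238: never resolve optional modules from the current directory` would record why the line is there.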
-- 
2.1.4


--- End Message ---
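The following is an added example, not part of the bug report, the advisory or devscripts itself, showing the defensive pattern the patch applies (dropping a trailing '.' from @INC before an optional module is required at run time) together with two small helper subroutines, cwd_in_inc and candidate_paths, that are my own and let you check what a given Perl would actually search:

```perl
#!/usr/bin/perl
# Added example (not from the Debian bug report or from devscripts): applies the
# CVE-2016-1238 mitigation used in the devscripts patch and shows its effect on
# where perl looks for a lazily loaded module.
use strict;
use warnings;

# Same guard as the patch: remove '.' only when it is the trailing entry, so an
# explicitly configured '.' (PERL5LIB, -I) elsewhere in @INC is left alone.
# Placed before any other "use" so every later load already benefits from it.
BEGIN {
    pop @INC if @INC && $INC[-1] eq '.';
}

# Helper (my own, not part of the patch): how many '.' entries remain in @INC.
sub cwd_in_inc {
    return scalar grep { !ref($_) && $_ eq '.' } @INC;
}

# Helper (my own): the files perl would probe for $module, in @INC order.
# A relative directory means the candidate is resolved against the current
# working directory, which is exactly what the advisory warns about.
sub candidate_paths {
    my ($module) = @_;
    (my $file = "$module.pm") =~ s{::}{/}g;
    return map { { path => "$_/$file", relative => ($_ =~ m{^/} ? 0 : 1) } }
           grep { !ref($_) } @INC;
}

# Load an optional module the way the patched script does: a failure is
# reported rather than fatal, and because '.' was removed above, a same-named
# file in the working directory can never satisfy the require.
sub load_optional {
    my ($module) = @_;
    (my $file = "$module.pm") =~ s{::}{/}g;
    my $ok = eval { require $file; 1 };
    return $ok
        ? "loaded $module from $INC{$file}"
        : "optional module $module unavailable: $@";
}

print "'.' entries in \@INC: ", cwd_in_inc(), "\n";
for my $c (candidate_paths('File::DesktopEntry')) {
    printf "%s %s\n", $c->{relative} ? 'RELATIVE' : 'absolute', $c->{path};
}
print load_optional('File::DesktopEntry'), "\n";   # the module the patched script needs
print load_optional('File::Basename'), "\n";       # core module, always present
```

On jessie's perl 5.20 the BEGIN block removes the trailing '.' for this process only and the candidate list then contains no relative entry; on perl 5.26 and later '.' is absent from the default @INC, so the guard is a no-op there and the script behaves identically either way.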
--- Begin Message ---
Source: devscripts
Source-Version: 2.16.7

We believe that the bug you reported is fixed in the latest version of
devscripts, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
James McCoy <[email protected]> (supplier of updated devscripts package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 22 Aug 2016 00:01:48 -0400
Source: devscripts
Binary: devscripts
Architecture: source
Version: 2.16.7
Distribution: unstable
Urgency: medium
Maintainer: Devscripts Devel Team <[email protected]>
Changed-By: James McCoy <[email protected]>
Description:
 devscripts - scripts to make the life of a Debian Package maintainer easier
Closes: 786755 832441 833779
Changes:
 devscripts (2.16.7) unstable; urgency=medium
 .
   [ Paul Wise ]
   * grep-excuses:
     + Fix the script for the removal of testing.pl from release.debian.org
   * dscverify:
     + Fix bash completion of the --no-conf option
   * uscan:
     + Strip whitespace from hrefs before processing (Closes: #833779)
     + Debug mode: print hrefs before checking them
   * Suggest reprotest for reproducible builds testing (Closes: #786755)
 .
   [ Jakub Wilk ]
   * wnpp-alert:
     + Use HTTPS.
 .
   [ Salvatore Bonaccorso ]
   * debchange: Add support for buster and bullseye
   * bts: Add the "bullseye" and "bullseye-ignore" tags.
 .
   [ Christoph Berg ]
   * origtargz: Fix unpacking of tarballs found in --path.
 .
   [ James McCoy ]
   * Remove . from @INC when loading modules dynamically. [CVE-2016-1238]
     (Closes: #832441)
Checksums-Sha1:
 399cff63aae35a127c9b5422b615b78be3e0980f 2356 devscripts_2.16.7.dsc
 fde5688caf949a52b0ec40fe80f8ca8fb9832e49 666244 devscripts_2.16.7.tar.xz
Checksums-Sha256:
 15114eb51476d641f07a183401ff1613fbed474a04b8508ee58d518d86e90108 2356 devscripts_2.16.7.dsc
 027ac99f4ceddb9a916752971d2e394cf74c3145be18d0d4278f692a41d816de 666244 devscripts_2.16.7.tar.xz
Files:
 769397e87e41be39ed1f66be310da87e 2356 devel optional devscripts_2.16.7.dsc
 ba7491d3e9973d7440c49aefed937fbc 666244 devel optional devscripts_2.16.7.tar.xz

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
_______________________________________________
devscripts-devel mailing list
[email protected]
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/devscripts-devel