Bugzilla – Bug 987887
VUL-0: CVE-2016-1238: perl: loading modules from current directory
Last modified: 2020-09-24 13:17:22 UTC
Hmm. I'm not convinced.
bugbot adjusting priority
Notes from brief discussion with maintainer: The upstream patch only updates the @INC path in various perl commands. As such it is understood to only cover the commands included with the perl package, not any system command implemented in perl. As such it would seem that the @INC issue affects all system commands implemented in perl, but these would each need to be fixed separately.
seems public http://www.nntp.perl.org/group/perl.perl5.porters/2016/07/msg238271.html

Steve Hay just pushed fixes for CVE-2016-1238 to maint-5.22 and maint-5.24 for:
https://rt.perl.org/Ticket/Display.html?id=127834

Steve has also just released RCs for 5.22.3 and 5.24.1 carrying these fixes:
http://nntp.perl.org/group/perl.perl5.porters/238269
http://nntp.perl.org/group/perl.perl5.porters/238270

The problem relates to Perl 5 ("perl") loading modules from the includes directory array ("@INC") in which the last element is the current directory ("."). For more information, see the RT ticket linked above.

While the Perl Security group has attempted to mitigate some of these problems by modifying Perl Modules, it is ultimately the responsibility of the application writer to remove relative paths from @INC to assure the security / consistent behavior of their code regardless of what directory it executes from.

The fix is to check if the last entry of @INC is "." and if so, to remove it as an included path. The following line, when added to the top of Perl applications, should mitigate this problem. This assumes your code is not intentionally depending on paths relative to your current working directory:

    BEGIN { pop @INC if $INC[-1] eq '.' }

We would also like to discourage using relative paths in @INC.

This problem was first reported by John Lightsey and Todd Rinaldo, courtesy of the cPanel Security Team at cPanel. The CVE is courtesy of Debian. The fix was done by Tony Cook.

-- Sawyer X, p5p.
This is the blurb from perldelta. Please include in the patchinfo doc.

Core modules and tools no longer search "." for optional modules

The tools and many modules supplied in core no longer search the default current directory entry in @INC for optional modules. For example, Storable will remove the final "." from @INC before trying to load Log::Agent.

This prevents an attacker injecting an optional module into a process run by another user where the current directory is writable by the attacker, e.g. the /tmp directory.

In most cases this removal should not cause problems, the exception being the "base" module. The "base" module treats every module name supplied as optional. If you have applications that use base to load non-optional modules from the current directory you will need to modify your code or environment.

If your code always trusts the contents of the current directory, the simplest change is adding "." to PERL5LIB:

    # for Bourne shell and similar (plain assignment, then export;
    # "set VAR=value" would only set the shell's positional parameters)
    PERL5LIB=.
    export PERL5LIB

If you do not trust the current directory this will open your code up to attacks on any module load, not just optional modules. You may want to add the absolute path of your application's module directory to PERL5LIB instead.

Alternatively, you can change your code, either to add the directory with your binary to @INC:

    use FindBin;
    use lib $FindBin::Bin;

or switch to the "parent" module, which requires an explicit parameter for optional modules:

    use parent 'Nonoptional::Module';

though this will have the same problem if the current directory is removed from @INC in Perl 5.26.

Also, since base now localizes @INC when loading modules, changes to @INC in the loaded module will be discarded when @INC is restored to its previous value.
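The two quoted texts above recommend dropping "." (and, more generally, any relative entry) from @INC. The script below is an added example, not code from this bug report, from perl upstream or from the SUSE packages; it generalises the advisory's one-liner to strip every relative @INC entry and then demonstrates, in a throwaway directory, that an "optional" module probe stops resolving against the current working directory once the entry is gone. The helper names strip_relative_inc and try_optional and the module name DemoOptional are made up for this example.

```perl
#!/usr/bin/perl
# Added example: audit @INC for relative entries and verify that removing
# them stops Perl from picking a module up out of the working directory.
use strict;
use warnings;
use Cwd        qw(getcwd);
use File::Spec;
use File::Temp qw(tempdir);

# Remove every relative entry from @INC, not only a trailing ".".  This is
# a broader form of the advisory's  BEGIN { pop @INC if $INC[-1] eq '.' }
# and follows its advice against relative paths in @INC altogether.
# Returns the removed entries so the caller can log them.  In a real
# application call this from a BEGIN block so it runs before any "use".
sub strip_relative_inc {
    my @removed = grep { !File::Spec->file_name_is_absolute($_) } @INC;
    @INC = grep { File::Spec->file_name_is_absolute($_) } @INC;
    return @removed;
}

# Load a module the way "optional module" code does: a require inside eval
# whose failure is tolerated.  Returns 1 if the module was found, else 0.
sub try_optional {
    my ($module) = @_;
    (my $file = "$module.pm") =~ s{::}{/}g;
    delete $INC{$file};    # forget any earlier successful load
    return eval { require $file; 1 } ? 1 : 0;
}

# --- demonstration (constructed; everything happens in a temp dir) ---
my $orig_cwd = getcwd();
my $dir      = tempdir(CLEANUP => 1);

# A harmless stand-in for a module an application might probe for.
open my $fh, '>', File::Spec->catfile($dir, 'DemoOptional.pm') or die $!;
print {$fh} "package DemoOptional; 1;\n";
close $fh;
chdir $dir or die $!;

# Reproduce the pre-fix layout: "." as the last @INC entry.
push @INC, '.' unless grep { $_ eq '.' } @INC;
printf "with '.' in \@INC:    DemoOptional loaded = %d\n",
    try_optional('DemoOptional');

my @removed = strip_relative_inc();
printf "removed from \@INC:   %s\n", join(', ', map { "'$_'" } @removed);
printf "without '.' in \@INC: DemoOptional loaded = %d\n",
    try_optional('DemoOptional');

chdir $orig_cwd or die $!;    # let File::Temp clean the directory up
```

The first probe reports 1 and the second 0: the same `require` that silently succeeded while "." was in @INC now fails cleanly, which is the behaviour the core modules were changed to rely on. Because the check is keyed on absolute-versus-relative rather than on the literal ".", it also catches entries such as "lib" or "../lib" that the one-liner in the advisory leaves in place.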
I've come up with a different patch for base.pm that isn't so likely to break things. I've asked upstream what they think about it, let's see what they respond. So it's likely that I'll resubmit the updates.
OK, resubmitted with a new patch. Somebody already accepted the old requests, please make sure that they are not used.
SUSE-SU-2016:2246-1: An update that fixes four vulnerabilities is now available.

Category: security (moderate)
Bug References: 929027,967082,987887,988311
CVE References: CVE-2015-8853,CVE-2016-1238,CVE-2016-2381,CVE-2016-6185
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src): perl-5.10.0-64.80.1
SUSE Linux Enterprise Server 11-SP4 (src): perl-5.10.0-64.80.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src): perl-5.10.0-64.80.1
SUSE-SU-2016:2263-1: An update that solves four vulnerabilities and has two fixes is now available.

Category: security (moderate)
Bug References: 928292,932894,967082,984906,987887,988311
CVE References: CVE-2015-8853,CVE-2016-1238,CVE-2016-2381,CVE-2016-6185
Sources used:
SUSE Linux Enterprise Server 12-SP1 (src): perl-5.18.2-11.1
SUSE Linux Enterprise Desktop 12-SP1 (src): perl-5.18.2-11.1
openSUSE-SU-2016:2313-1: An update that solves four vulnerabilities and has two fixes is now available.

Category: security (moderate)
Bug References: 928292,932894,967082,984906,987887,988311
CVE References: CVE-2015-8853,CVE-2016-1238,CVE-2016-2381,CVE-2016-6185
Sources used:
openSUSE Leap 42.1 (src): perl-5.18.2-5.1
An update workflow for this issue was started. This issue was rated as moderate. Please submit fixed packages until 2018-07-10. When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/64075
SpamAssassin is also affected by this -> https://lists.apache.org/thread.html/7f6a16bc0fd0fd5e67c7fd95bd655069a2ac7d1f88e42d3c853e601c@%3Cannounce.apache.org%3E
I've split off a bug for spamassassin -> bug#1108749
SUSE-SU-2019:0505-1: An update that solves one vulnerability and has one errata is now available.

Category: security (moderate)
Bug References: 1123389,987887
CVE References: CVE-2016-1238
Sources used:
SUSE Linux Enterprise Module for Basesystem 15 (src): amavisd-new-2.11.1-6.3.1
openSUSE-SU-2019:0297-1: An update that solves one vulnerability and has one errata is now available.

Category: security (moderate)
Bug References: 1123389,987887
CVE References: CVE-2016-1238
Sources used:
openSUSE Leap 15.0 (src): amavisd-new-2.11.1-lp150.5.3.1
Released.