| Summary: | lang/perl5.20, 5.22 & 5.24: Multiple Vulnerabilities | | |
|---|---|---|---|
| Product: | Ports & Packages | Reporter: | Sevan Janiyan <venture37> |
| Component: | Individual Port(s) | Assignee: | freebsd-perl (Nobody) <perl> |
| Status: | Closed FIXED | | |
| Severity: | Affects Many People | CC: | amontalban, dereks, feld, holger, lists, perl, ports-secteam, sa.inbox, swills |
| Priority: | Normal | Keywords: | needs-patch, security |
| Version: | Latest | Flags: | koobs: maintainer-feedback? (perl); koobs: merge-quarterly? |
| Hardware: | Any | | |
| OS: | Any | | |
Description
Sevan Janiyan
2016-08-03 23:06:15 UTC
Patches for 5.20 can be found on Andrew Fresh's post:
http://www.nntp.perl.org/group/perl.perl5.porters/2016/07/msg238292.html

CVE-2016-6185
http://cve.circl.lu/cve/CVE-2016-6185

A commit references this bug:

Author: feld
Date: Thu Aug 4 17:52:36 UTC 2016
New revision: 419639
URL: https://svnweb.freebsd.org/changeset/ports/419639

Log:
  Document perl vulnerability

  PR:        211561
  Security:  CVE-2016-1238

Changes:
  head/security/vuxml/vuln.xml

A commit references this bug:

Author: feld
Date: Thu Aug 4 18:12:35 UTC 2016
New revision: 419642
URL: https://svnweb.freebsd.org/changeset/ports/419642

Log:
  Document p5-XSLoader vulnerability

  PR:        211561
  Security:  CVE-2016-6185

Changes:
  head/security/vuxml/vuln.xml

A commit references this bug:

Author: feld
Date: Thu Aug 4 18:19:01 UTC 2016
New revision: 419644
URL: https://svnweb.freebsd.org/changeset/ports/419644

Log:
  Fix vuxml entry for recent perl vulnerabilities to correctly match package names

  PR:        211561

Changes:
  head/security/vuxml/vuln.xml

A commit references this bug:

Author: feld
Date: Fri Aug 5 14:00:54 UTC 2016
New revision: 419686
URL: https://svnweb.freebsd.org/changeset/ports/419686

Log:
  devel/p5-XSLoader: Update to 0.22

  This update resolves a local arbitrary code execution CVE.

  PR:        211561
  MFH:       2016Q3
  Security:  CVE-2016-6185

Changes:
  head/devel/p5-XSLoader/Makefile
  head/devel/p5-XSLoader/distinfo

A commit references this bug:

Author: feld
Date: Fri Aug 5 14:01:38 UTC 2016
New revision: 419687
URL: https://svnweb.freebsd.org/changeset/ports/419687

Log:
  MFH: r419686

  devel/p5-XSLoader: Update to 0.22

  This update resolves a local arbitrary code execution CVE.

  PR:           211561
  Security:     CVE-2016-6185
  Approved by:  ports-secteam (with hat)

Changes:
  _U  branches/2016Q3/
  branches/2016Q3/devel/p5-XSLoader/Makefile
  branches/2016Q3/devel/p5-XSLoader/distinfo

A commit references this bug:

Author: feld
Date: Fri Aug 5 17:15:58 UTC 2016
New revision: 419696
URL: https://svnweb.freebsd.org/changeset/ports/419696

Log:
  Update perl vuxml entries

  Perl package names changed somewhat recently, so add more <name> entries
  to improve coverage for users on systems with outdated ports/packages

  PR:        211561

Changes:
  head/security/vuxml/vuln.xml

They haven't released the Perl updates yet, but there are patches we could backport... I didn't have time to backport them and was hoping the release would be out by now.

Who's on perl@ ?

Me. New releases of Perl 5.22 and 5.24 are coming, I'll have a look at what needs patching later.

A commit references this bug:

Author: mat
Date: Thu Aug 11 13:32:06 UTC 2016
New revision: 420067
URL: https://svnweb.freebsd.org/changeset/ports/420067

Log:
  Update lang/perl5.* to fix CVE-2016-1238.

  We're exceptionally using the latest release candidates for this; Perl
  5.22.3 and 5.24.1 were about to be released when CVE-2016-1238 hit the
  fan, so we feel confident that EVERYTHING WILL BE FINE.

  - lang/perl5.24 goes to 5.24.1-RC2.
  - lang/perl5.22 goes to 5.22.3-RC2.
  - lang/perl5.20 goes to 5.20.3_14.
  - lang/perl5.18 goes to 5.18.3_23

  PR:            211561
  Reported by:   Sevan Janiyan
  MFH:           2016Q3
  Security:      CVE-2016-1238
  Sponsored by:  Absolight

Changes:
  head/lang/perl5.18/Makefile
  head/lang/perl5.18/files/patch-CVE-2016-1238
  head/lang/perl5.20/Makefile
  head/lang/perl5.20/files/patch-CVE-2016-1238
  head/lang/perl5.22/Makefile
  head/lang/perl5.22/distinfo
  head/lang/perl5.22/files/patch-cpan_Pod-Perldoc_lib_Pod_Perldoc.pm
  head/lang/perl5.22/files/patch-t_porting_customized.dat
  head/lang/perl5.22/pkg-plist
  head/lang/perl5.22/version.mk
  head/lang/perl5.24/Makefile
  head/lang/perl5.24/distinfo
  head/lang/perl5.24/files/patch-cpan_Pod-Perldoc_lib_Pod_Perldoc.pm
  head/lang/perl5.24/files/patch-t_porting_customized.dat
  head/lang/perl5.24/pkg-plist
  head/lang/perl5.24/version.mk

A commit references this bug:

Author: mat
Date: Thu Aug 11 13:34:48 UTC 2016
New revision: 420070
URL: https://svnweb.freebsd.org/changeset/ports/420070

Log:
  MFH: r420067

  Update lang/perl5.* to fix CVE-2016-1238.

  We're exceptionally using the latest release candidates for this; Perl
  5.22.3 and 5.24.1 were about to be released when CVE-2016-1238 hit the
  fan, so we feel confident that EVERYTHING WILL BE FINE.

  - lang/perl5.24 goes to 5.24.1-RC2.
  - lang/perl5.22 goes to 5.22.3-RC2.
  - lang/perl5.20 goes to 5.20.3_14.
  - lang/perl5.18 goes to 5.18.3_23

  PR:            211561
  Reported by:   Sevan Janiyan
  Security:      CVE-2016-1238
  Sponsored by:  Absolight

Changes:
  _U  branches/2016Q3/
  branches/2016Q3/lang/perl5.18/Makefile
  branches/2016Q3/lang/perl5.18/files/patch-CVE-2016-1238
  branches/2016Q3/lang/perl5.20/Makefile
  branches/2016Q3/lang/perl5.20/files/patch-CVE-2016-1238
  branches/2016Q3/lang/perl5.22/Makefile
  branches/2016Q3/lang/perl5.22/distinfo
  branches/2016Q3/lang/perl5.22/files/patch-cpan_Pod-Perldoc_lib_Pod_Perldoc.pm
  branches/2016Q3/lang/perl5.22/files/patch-t_porting_customized.dat
  branches/2016Q3/lang/perl5.22/pkg-plist
  branches/2016Q3/lang/perl5.22/version.mk
  branches/2016Q3/lang/perl5.24/Makefile
  branches/2016Q3/lang/perl5.24/distinfo
  branches/2016Q3/lang/perl5.24/files/patch-cpan_Pod-Perldoc_lib_Pod_Perldoc.pm
  branches/2016Q3/lang/perl5.24/files/patch-t_porting_customized.dat
  branches/2016Q3/lang/perl5.24/pkg-plist
  branches/2016Q3/lang/perl5.24/version.mk

Closing this, I think its purpose has been served.

Hey guys,

I have upgraded to latest (perl5-5.20.3_14) but when I run "pkg audit -F" I get this output:

    root@SERVER:~ # pkg audit -F
    vulnxml file up-to-date
    perl5-5.20.3_14 is vulnerable:
    p5-XSLoader -- local arbitrary code execution
    CVE: CVE-2016-6185
    WWW: https://vuxml.FreeBSD.org/freebsd/3e08047f-5a6c-11e6-a6c3-14dae9d210b8.html

    1 problem(s) in the installed packages found.

But two things:

1) I don't have p5-XSLoader package installed:

    root@SERVER:~ # pkg info -ao | grep p5-XSLoader
    root@SERVER:~ #

2) Seems XSLoader is in perl5.20 package?

    root@SERVER:~ # pkg info -l perl5 | grep XSLoader
    /usr/local/lib/perl5/5.20/XSLoader.pm
    /usr/local/lib/perl5/5.20/perl/man/man3/XSLoader.3.gz

So maybe the vuln needs to be updated to not match perl5-5.20.3_14 or remove XSLoader.pm from perl5.20?

Looking forward to your comments.

Thanks!

Oh, I missed that there was another vuln.

*** Bug 211816 has been marked as a duplicate of this bug. ***

Oops, forgot to mention the PR in the commit.

Fixed in 420220 (head) and 420221 (quarterly).