Bug 211561 - lang/perl5.20, 5.22 & 5.24: Multiple Vulnerabilities
Summary: lang/perl5.20, 5.22 & 5.24: Multiple Vulnerabilities
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s) (show other bugs)
Version: Latest
Hardware: Any Any
: Normal Affects Many People
Assignee: freebsd-perl (Nobody)
URL:
Keywords: needs-patch, security
: 211816 (view as bug list)
Depends on:
Blocks:
 
Reported: 2016-08-03 23:06 UTC by Sevan Janiyan
Modified: 2016-08-15 09:39 UTC (History)
9 users (show)

See Also:
koobs: maintainer-feedback? (perl)
koobs: merge-quarterly?

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Sevan Janiyan 2016-08-03 23:06:15 UTC 
Missing vuxml entry & port update or patch.
http://cve.circl.lu/cve/CVE-2016-1238
Comment 1 Sevan Janiyan 2016-08-03 23:20:22 UTC 
Patches for 5.20 can be found on Andrew Fresh's post
http://www.nntp.perl.org/group/perl.perl5.porters/2016/07/msg238292.html
Comment 2 Sevan Janiyan 2016-08-03 23:28:01 UTC 
CVE-2016-6185
http://cve.circl.lu/cve/CVE-2016-6185
Comment 3 commit-hook freebsd_committer freebsd_triage 2016-08-04 17:52:41 UTC 
A commit references this bug:

Author: feld
Date: Thu Aug  4 17:52:36 UTC 2016
New revision: 419639
URL: https://svnweb.freebsd.org/changeset/ports/419639

Log:
  Document perl vulnerability

  PR:		211561
  Security:	CVE-2016-1238

Changes:
  head/security/vuxml/vuln.xml
Comment 4 commit-hook freebsd_committer freebsd_triage 2016-08-04 18:12:46 UTC 
A commit references this bug:

Author: feld
Date: Thu Aug  4 18:12:35 UTC 2016
New revision: 419642
URL: https://svnweb.freebsd.org/changeset/ports/419642

Log:
  Document p5-XSLoader vulnerability

  PR:		211561
  Security:	CVE-2016-6185

Changes:
  head/security/vuxml/vuln.xml
Comment 5 commit-hook freebsd_committer freebsd_triage 2016-08-04 18:19:51 UTC 
A commit references this bug:

Author: feld
Date: Thu Aug  4 18:19:01 UTC 2016
New revision: 419644
URL: https://svnweb.freebsd.org/changeset/ports/419644

Log:
  Fix vuxml entry for recent perl vulnerabilities to correctly match package names

  PR:		211561

Changes:
  head/security/vuxml/vuln.xml
Comment 6 commit-hook freebsd_committer freebsd_triage 2016-08-05 14:01:23 UTC 
A commit references this bug:

Author: feld
Date: Fri Aug  5 14:00:54 UTC 2016
New revision: 419686
URL: https://svnweb.freebsd.org/changeset/ports/419686

Log:
  devel/p5-XSLoader: Update to 0.22

  This update resolves a local arbitrary code execution CVE.

  PR:		211561
  MFH:		2016Q3
  Security:	CVE-2016-6185

Changes:
  head/devel/p5-XSLoader/Makefile
  head/devel/p5-XSLoader/distinfo
Comment 7 commit-hook freebsd_committer freebsd_triage 2016-08-05 14:02:25 UTC 
A commit references this bug:

Author: feld
Date: Fri Aug  5 14:01:38 UTC 2016
New revision: 419687
URL: https://svnweb.freebsd.org/changeset/ports/419687

Log:
  MFH: r419686

  devel/p5-XSLoader: Update to 0.22

  This update resolves a local arbitrary code execution CVE.

  PR:		211561
  Security:	CVE-2016-6185

  Approved by:	ports-secteam (with hat)

Changes:
_U  branches/2016Q3/
  branches/2016Q3/devel/p5-XSLoader/Makefile
  branches/2016Q3/devel/p5-XSLoader/distinfo
Comment 8 commit-hook freebsd_committer freebsd_triage 2016-08-05 17:16:45 UTC 
A commit references this bug:

Author: feld
Date: Fri Aug  5 17:15:58 UTC 2016
New revision: 419696
URL: https://svnweb.freebsd.org/changeset/ports/419696

Log:
  Update perl vuxml entries

  Perl package names changed somewhat recently, so add more <name> entries
  to improve coverage for users on systems with outdated ports/packages

  PR:		211561

Changes:
  head/security/vuxml/vuln.xml
Comment 9 Mark Felder freebsd_committer freebsd_triage 2016-08-10 13:52:12 UTC 
They haven't released the Perl updates yet, but there are patches we could backport... I didn't have time to backport them and was hoping the release would be out by now.
Comment 10 Kubilay Kocak freebsd_committer freebsd_triage 2016-08-10 14:15:51 UTC 
Who's on perl@ ?
Comment 11 Mathieu Arnold freebsd_committer freebsd_triage 2016-08-10 15:49:58 UTC 
Me.

New releases of Perl 5.22 and 5.24 are coming, I'll have a look at what needs patching later.
Comment 12 commit-hook freebsd_committer freebsd_triage 2016-08-11 13:32:14 UTC 
A commit references this bug:

Author: mat
Date: Thu Aug 11 13:32:06 UTC 2016
New revision: 420067
URL: https://svnweb.freebsd.org/changeset/ports/420067

Log:
  Update lang/perl5.* to fix CVE-2016-1238.

  We're exceptionnaly using the latest release candidates for this, Perl
  5.22.3 and 5.24.1 were about to be released when CVE-2016-1238 hit the
  fan, so we feel confident that EVERYTHING WILL BE FINE.

  - lang/perl5.24 goes to 5.24.1-RC2.
  - lang/perl5.22 goes to 5.22.3-RC2.
  - lang/perl5.20 goes to 5.20.3_14.
  - lang/perl5.18 goes to 5.18.3_23

  PR:		211561
  Reported by:	Sevan Janiyan
  MFH:		2016Q3
  Security:	CVE-2016-1238
  Sponsored by:	Absolight

Changes:
  head/lang/perl5.18/Makefile
  head/lang/perl5.18/files/patch-CVE-2016-1238
  head/lang/perl5.20/Makefile
  head/lang/perl5.20/files/patch-CVE-2016-1238
  head/lang/perl5.22/Makefile
  head/lang/perl5.22/distinfo
  head/lang/perl5.22/files/patch-cpan_Pod-Perldoc_lib_Pod_Perldoc.pm
  head/lang/perl5.22/files/patch-t_porting_customized.dat
  head/lang/perl5.22/pkg-plist
  head/lang/perl5.22/version.mk
  head/lang/perl5.24/Makefile
  head/lang/perl5.24/distinfo
  head/lang/perl5.24/files/patch-cpan_Pod-Perldoc_lib_Pod_Perldoc.pm
  head/lang/perl5.24/files/patch-t_porting_customized.dat
  head/lang/perl5.24/pkg-plist
  head/lang/perl5.24/version.mk
Comment 13 commit-hook freebsd_committer freebsd_triage 2016-08-11 13:35:20 UTC 
A commit references this bug:

Author: mat
Date: Thu Aug 11 13:34:48 UTC 2016
New revision: 420070
URL: https://svnweb.freebsd.org/changeset/ports/420070

Log:
  MFH: r420067

  Update lang/perl5.* to fix CVE-2016-1238.

  We're exceptionnaly using the latest release candidates for this, Perl
  5.22.3 and 5.24.1 were about to be released when CVE-2016-1238 hit the
  fan, so we feel confident that EVERYTHING WILL BE FINE.

  - lang/perl5.24 goes to 5.24.1-RC2.
  - lang/perl5.22 goes to 5.22.3-RC2.
  - lang/perl5.20 goes to 5.20.3_14.
  - lang/perl5.18 goes to 5.18.3_23

  PR:		211561
  Reported by:	Sevan Janiyan
  Security:	CVE-2016-1238
  Sponsored by:	Absolight

Changes:
_U  branches/2016Q3/
  branches/2016Q3/lang/perl5.18/Makefile
  branches/2016Q3/lang/perl5.18/files/patch-CVE-2016-1238
  branches/2016Q3/lang/perl5.20/Makefile
  branches/2016Q3/lang/perl5.20/files/patch-CVE-2016-1238
  branches/2016Q3/lang/perl5.22/Makefile
  branches/2016Q3/lang/perl5.22/distinfo
  branches/2016Q3/lang/perl5.22/files/patch-cpan_Pod-Perldoc_lib_Pod_Perldoc.pm
  branches/2016Q3/lang/perl5.22/files/patch-t_porting_customized.dat
  branches/2016Q3/lang/perl5.22/pkg-plist
  branches/2016Q3/lang/perl5.22/version.mk
  branches/2016Q3/lang/perl5.24/Makefile
  branches/2016Q3/lang/perl5.24/distinfo
  branches/2016Q3/lang/perl5.24/files/patch-cpan_Pod-Perldoc_lib_Pod_Perldoc.pm
  branches/2016Q3/lang/perl5.24/files/patch-t_porting_customized.dat
  branches/2016Q3/lang/perl5.24/pkg-plist
  branches/2016Q3/lang/perl5.24/version.mk
Comment 14 Mathieu Arnold freebsd_committer freebsd_triage 2016-08-11 17:10:34 UTC 
closing this, I think its purposed has been served.
Comment 15 Andres Montalban 2016-08-11 19:55:20 UTC 
Hey guys,

I have upgraded to latest (perl5-5.20.3_14) but when I run "pkg audit -F" I get this output:

root@SERVER:~ # pkg audit -F
vulnxml file up-to-date
perl5-5.20.3_14 is vulnerable:
p5-XSLoader -- local arbitrary code execution
CVE: CVE-2016-6185
WWW: https://vuxml.FreeBSD.org/freebsd/3e08047f-5a6c-11e6-a6c3-14dae9d210b8.html

1 problem(s) in the installed packages found.

But two things:

1) I don't have p5-XSLoader package installed:

root@SERVER:~ # pkg info -ao | grep p5-XSLoader
root@SERVER:~ # 

2) Seems XSLoader is in perl5.20 package?

root@SERVER:~ # pkg info -l perl5 | grep XSLoader
        /usr/local/lib/perl5/5.20/XSLoader.pm
        /usr/local/lib/perl5/5.20/perl/man/man3/XSLoader.3.gz

So maybe the vuln needs to be updated to not match perl5-5.20.3_14 or remove XSLoader.pm from perl5.20?

Looking forward for your comments.

Thanks!
Comment 16 Mathieu Arnold freebsd_committer freebsd_triage 2016-08-11 20:51:25 UTC 
Oh, I missed that there was another vuln.
Comment 17 Mathieu Arnold freebsd_committer freebsd_triage 2016-08-13 21:28:17 UTC 
*** Bug 211816 has been marked as a duplicate of this bug. ***
Comment 18 Mathieu Arnold freebsd_committer freebsd_triage 2016-08-15 09:39:46 UTC 
Oops, forgot to mention the PR in the commit.  Fixed in 420220 (head) and 420221 (quarterly).