Bug 1309214 (CVE-2016-2381)
Summary: | CVE-2016-2381 perl: ambiguous environment variables handling | ||||||||
---|---|---|---|---|---|---|---|---|---|
Product: | [Other] Security Response | Reporter: | Andrej Nemec <anemec> | ||||||
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> | ||||||
Status: | CLOSED WONTFIX | QA Contact: | |||||||
Severity: | medium | Docs Contact: | |||||||
Priority: | medium | ||||||||
Version: | unspecified | CC: | carnil, cbuissar, hhorak, jorton, jplesnik, mmaslano, perl-maint-list, ppisar, psabata, rh, rmeggins, security-response-team, slawomir, trevor | ||||||
Target Milestone: | --- | Keywords: | Security | ||||||
Target Release: | --- | ||||||||
Hardware: | All | ||||||||
OS: | Linux | ||||||||
Whiteboard: | |||||||||
Fixed In Version: | Doc Type: | Bug Fix | |||||||
Doc Text: | Story Points: | --- | |||||||
Clone Of: | Environment: | ||||||||
Last Closed: | 2016-03-09 15:28:06 UTC | Type: | --- | ||||||
Regression: | --- | Mount Type: | --- | ||||||
Documentation: | --- | CRM: | |||||||
Verified Versions: | Category: | --- | |||||||
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||||
Cloudforms Team: | --- | Target Upstream Version: | |||||||
Embargoed: | |||||||||
Bug Depends On: | 1313702 | ||||||||
Bug Blocks: | 1309216 | ||||||||
Attachments: |
|
Description
Andrej Nemec
2016-02-17 09:01:59 UTC
Created attachment 1127889 [details]
first patch
Created attachment 1127890 [details]
second VMS patch
Created perl tracking bugs for this issue: Affects: fedora-all [bug 1313702] perl-5.22.1-351.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report. Acknowledgments: Name: Stephane Chazelas perl-5.20.3-329.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report. Resolution: --- → WONTFIX ??? -> errata? It's not uncommon for us to close security issues as WONTFIX if we think that they're not critical enough to warrant an immediate security fix. The main reason for closing this particular issue as WONTFIX is that we are currently not aware of an application that would provide a suitable attack vector. Without an application providing a suitable method of exploitation that would result in the crossing of security boundaries, the impact of this flaw is rather limited. Just as an additionally note: this sort of problem has been documented for almost two decades now. For example, the O'Reilly book "Practical UNIX and Internet Security" already mentioned this back in 1996. If you can provide us with additional information, concerns or further questions, you are welcome to contact us via secalert |