Bug 588269 (CVE-2010-1447)

Summary: CVE-2010-1447 perl: Safe restriction bypass when reference to subroutine in compartment is called from outside
Product: [Other] Security Response Reporter: Jan Lieskovsky <jlieskov>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: hhorak, mjc, mmaslano, ohudlick, security-response-team, vdanen
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2021-10-19 09:11:55 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 591159, 591160, 591161, 591167, 591168, 598397, 598398    
Bug Blocks:    

Description Jan Lieskovsky 2010-05-03 11:05:22 UTC 
Safe.pm 2.26 and earlier (except 2.20 through 2.23 if using a threads-enabled 
Perl), when used in Perl 5.10.0 and earlier, may allow attackers to break out
of safe compartment in (1) Safe::reval or (2) Safe::rdo using subroutine 
references, whose execution is delayed to happen outside of the safe
compartment.
  If a victim was tricked into running a specially-crafted Perl script, using 
Safe extension module, it could lead to intended Safe module restrictions 
bypass, if the returned subroutine reference was called from outside of the 
compartment.
  Different vulnerability than CVE-2010-1168.

Solution: Ugrade to Safe.pm v2.27 or higher.

References:
  [1] http://search.cpan.org/~rgarcia/Safe-2.27/Safe.pm

Acknowledgements:

Red Hat would like to thank Tim Bunce for responsibly reporting this flaw.
Upstream credits also Rafaƫl Garcia-Suarez for discovering of this issue.
Comment 2 Jan Lieskovsky 2010-05-03 11:28:13 UTC 
This is CVE-2010-1447.
Comment 8 Vincent Danen 2010-05-19 21:08:05 UTC 
This issue is public now, but MITRE has given it a strange description that may be confusing to people as it refers to PostgreSQL more than Perl:

Common Vulnerabilities and Exposures assigned an identifier CVE-2010-1447 to
the following vulnerability:

Name: CVE-2010-1447
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1447
Assigned: 20100415
Reference: CONFIRM: http://security-tracker.debian.org/tracker/CVE-2010-1447
Reference: CONFIRM: http://www.postgresql.org/about/news.1203
Reference: CONFIRM: https://bugs.launchpad.net/bugs/cve/2010-1447
Reference: CONFIRM: https://bugzilla.redhat.com/show_bug.cgi?id=588269
Reference: SECUNIA:39845
Reference: URL: http://secunia.com/advisories/39845
Reference: VUPEN:ADV-2010-1167
Reference: URL: http://www.vupen.com/english/advisories/2010/1167

PostgreSQL 7.4 before 7.4.29, 8.0 before 8.0.25, 8.1 before 8.1.21,
8.2 before 8.2.17, 8.3 before 8.3.11, 8.4 before 8.4.4, and 9.0 Beta
before 9.0 Beta 2 does not properly restrict PL/perl procedures, which
might allow remote attackers to execute arbitrary Perl code via a
crafted script, related to the Safe module (aka Safe.pm) for Perl.
Comment 9 Tomas Hoger 2010-05-20 07:02:16 UTC 
It's probably PostgreSQL announcement that's causing the confusion, as it mentions perl CVE-2010-1447 too, and there was no public reference for CVE-2010-1447 at that time.

Quick disambiguation summary - CVE-2010-1447 (for perl/Safe) and CVE-2010-1169 (for PostgreSQL) are closely related and describe basically the same issue. Safe fix makes sure that subroutines called form outside of the compartment is still restricted by Safe.  This approach did not work for PostgreSQL, which instead abandoned Safe and relies on Opcode now instead.
Comment 10 Jan Lieskovsky 2010-05-20 16:58:49 UTC 
(In reply to comment #8)
> This issue is public now, but MITRE has given it a strange description that  may
> be confusing to people as it refers to PostgreSQL more than Perl:
> 

Detailed post trying to solve the current confusion:
  [1] http://www.openwall.com/lists/oss-security/2010/05/20/5
Comment 14 errata-xmlrpc 2010-06-07 15:29:34 UTC 
This issue has been addressed in following products:

  Red Hat Enterprise Linux 3
  Red Hat Enterprise Linux 4

Via RHSA-2010:0457 https://rhn.redhat.com/errata/RHSA-2010-0457.html
Comment 15 errata-xmlrpc 2010-06-07 16:21:37 UTC 
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5

Via RHSA-2010:0458 https://rhn.redhat.com/errata/RHSA-2010-0458.html
Comment 16 Fedora Update System 2010-08-03 01:10:17 UTC 
perl-5.10.1-116.fc13 has been pushed to the Fedora 13 stable repository.  If problems still persist, please make note of it in this bug report.