Bug 962705 (CVE-2012-6143)

Summary: CVE-2012-6143 perl-Spoon (Spoon::Cookie): Do not run Storable::thaw() on arbitrary untrusted user input
Product: [Other] Security Response Reporter: Jan Lieskovsky <jlieskov>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: perl-devel, steve
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2021-10-20 10:38:44 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 962707, 962708    
Bug Blocks:    

Description Jan Lieskovsky 2013-05-14 09:56:06 UTC 
Spoon::Cookie Perl module allows storing data of any type on the client side browser using HTTP cookies. The data is subsequently serialized and deserialized using Perl's Storable module without any further checks for possible tampering.

Since the Perl's Storable module has been documented to be unsuitable for these purposes:
  [1] http://perl5.git.perl.org/perl.git/commit/664f237a84176c09b20b62dbfe64dd736a7ce05e

(as reported) the current Spoon::Cookie behaviour is dangerous as it will run Storable::thaw() on arbitrary untrusted user input. A remote attacker could provide a specially-crafted Spoon::Cookie input that, when processed with Storable::thaw() would lead to Storable module to load the module corresponding to the class of the object in the deserializing module, possibly leading to arbitrary code execution (with the privileges of the user running the application utilizing the services of the Spoon::Cookie module).

Spoon CPAN module ticket:
[2] https://rt.cpan.org/Public/Bug/Display.html?id=85217

References:
[3] http://www.openwall.com/lists/oss-security/2013/05/13/1
Comment 1 Jan Lieskovsky 2013-05-14 10:00:00 UTC 
This issue affects the versions of the perl-Spoon package, as shipped with Fedora release of 17, 18, and Fedora EPEL-6. Please schedule an update once there is final upstream patch available (doesn't seem to be as of right now).
Comment 2 Jan Lieskovsky 2013-05-14 10:01:08 UTC 
Created perl-Spoon tracking bugs for this issue

Affects: fedora-all [bug 962707]
Affects: epel-6 [bug 962708]