Bug 1297455 - CVE-2015-8607: File::Spec::canonpath() loses taint
Summary: CVE-2015-8607: File::Spec::canonpath() loses taint
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: perl-PathTools
Version: 22
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Petr Pisar
QA Contact: Fedora Extras Quality Assurance
URL: https://rt.perl.org/Public/Bug/Displa...
Whiteboard:
: 1297486 (view as bug list)
Depends On:
Blocks: CVE-2015-8607 1297598
TreeView+ depends on / blocked
 
Reported: 2016-01-11 14:52 UTC by Petr Pisar
Modified: 2016-01-27 15:52 UTC (History)
3 users (show)

Fixed In Version: perl-PathTools-3.60-2.fc24 perl-PathTools-3.60-2.fc23 perl-PathTools-3.47-312.fc22
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-01-14 08:52:56 UTC
Type: Bug
Embargoed:

Attachments (Terms of Use)

Description Petr Pisar 2016-01-11 14:52:08 UTC 
File::Spec->canonpath does not preserve tainted flag. This is regression since 
PathTools-3.40:

$ perl -T -MFile::Spec -MScalar::Util -e 'print Scalar::Util::tainted(File::Spec->canonpath(Cwd::getcwd)), qq{\n}'
0

While expected behavior is:

$ ./perl -T -Ilib -MFile::Spec -MScalar::Util -e 'print Scalar::Util::tainted(File::Spec->canonpath(Cwd::getcwd)), qq{\n}'
1

This bug affects all Fedoras and is know as CVE-2015-8607. Perl upstream fixed it with commit:

commit 0b6f93036de171c12ba95d415e264d9cf7f4e1fd
Author: Tony Cook <tony>
Date:   Tue Dec 15 10:56:54 2015 +1100

    ensure File::Spec::canonpath() preserves taint
    
    Previously the unix specific XS implementation of canonpath() would
    return an untainted path when supplied a tainted path.
    
    For the empty string case, newSVpvs() already sets taint as needed on
    its result.
    
    This issue was assigned CVE-2015-8607.  [perl #126862]
Comment 1 Fedora Update System 2016-01-11 15:15:47 UTC 
perl-PathTools-3.60-2.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2016-69e506e02d
Comment 2 Fedora Update System 2016-01-11 15:15:59 UTC 
perl-PathTools-3.47-312.fc22 has been submitted as an update to Fedora 22. https://bodhi.fedoraproject.org/updates/FEDORA-2016-4ca904238f
Comment 3 Petr Pisar 2016-01-11 15:54:18 UTC 
(In reply to Petr Pisar from comment #0)
> File::Spec->canonpath does not preserve tainted flag. This is regression
> since PathTools-3.40:
> 
Since PathTools-3.47.
Comment 4 Petr Pisar 2016-01-11 16:05:44 UTC 
*** Bug 1297486 has been marked as a duplicate of this bug. ***
Comment 5 Fedora Update System 2016-01-12 09:52:49 UTC 
perl-PathTools-3.60-2.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-69e506e02d
Comment 6 Fedora Update System 2016-01-12 09:54:13 UTC 
perl-PathTools-3.47-312.fc22 has been pushed to the Fedora 22 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-4ca904238f
Comment 7 Fedora Update System 2016-01-14 08:52:47 UTC 
perl-PathTools-3.60-2.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.
Comment 8 Fedora Update System 2016-01-27 15:52:00 UTC 
perl-PathTools-3.47-312.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.
Note You need to log in before you can comment on or make changes to this bug.