Bug 1353238 - Please update XSLoader to 0.22
Summary: Please update XSLoader to 0.22
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: perl
Version: rawhide
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Jitka Plesnikova
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
: 1354387 (view as bug list)
Depends On:
Blocks: CVE-2016-6185
TreeView+ depends on / blocked
 
Reported: 2016-07-06 15:26 UTC by Paul Howarth
Modified: 2016-11-08 16:19 UTC (History)
9 users (show)

Fixed In Version: perl-5.24.0-371.fc25 perl-5.20.3-332.fc22 perl-5.22.2-361.fc24 perl-5.22.2-353.fc23
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-07-15 18:21:31 UTC
Type: Bug
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
CPAN 115808 0 None None None 2016-07-06 15:26:56 UTC

Description Paul Howarth 2016-07-06 15:26:56 UTC 
The new release 0.416 of List::MoreUtils wants the latest and greatest XSLoader (0.22) to resolve this bug:

https://rt.cpan.org/Public/Bug/Display.html?id=115808

List::MoreUtils tries to load code from a subdirectory of the current working directory. This could lead to execution of arbitrary code if cwd is untrusted.
Comment 1 Petr Pisar 2016-07-07 13:22:33 UTC 
This XSLoader issue will obtain a CVE identifier probably <http://seclists.org/oss-sec/2016/q3/21>.
Comment 2 Fedora Update System 2016-07-07 13:24:28 UTC 
perl-5.22.2-361.fc24 has been submitted as an update to Fedora 24. https://bodhi.fedoraproject.org/updates/FEDORA-2016-485dff6060
Comment 3 Paul Howarth 2016-07-07 13:25:19 UTC 
(In reply to Petr Pisar from comment #1)
> This XSLoader issue will obtain a CVE identifier probably
> <http://seclists.org/oss-sec/2016/q3/21>.

I suspected as much.
Comment 4 Fedora Update System 2016-07-07 13:47:27 UTC 
perl-5.22.2-353.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2016-742bde2be7
Comment 5 Fedora Update System 2016-07-07 15:18:41 UTC 
perl-5.20.3-332.fc22 has been submitted as an update to Fedora 22. https://bodhi.fedoraproject.org/updates/FEDORA-2016-eb2592245b
Comment 6 Fedora Update System 2016-07-10 03:53:31 UTC 
perl-5.22.2-353.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-742bde2be7
Comment 7 Fedora Update System 2016-07-10 15:59:23 UTC 
perl-5.22.2-361.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-485dff6060
Comment 8 Adam Mariš 2016-07-11 08:43:38 UTC 
*** Bug 1354387 has been marked as a duplicate of this bug. ***
Comment 9 Fedora Update System 2016-07-12 03:28:57 UTC 
perl-5.20.3-332.fc22 has been pushed to the Fedora 22 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-eb2592245b
Comment 10 Fedora Update System 2016-07-15 18:21:17 UTC 
perl-5.20.3-332.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.
Comment 11 Fedora Update System 2016-07-18 18:24:31 UTC 
perl-5.22.2-361.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.
Comment 12 Fedora Update System 2016-07-18 20:52:39 UTC 
perl-5.22.2-353.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.
Note You need to log in before you can comment on or make changes to this bug.