1411436 – cpan client is vulnerable to CVE-2016-1238

Bug 1411436 - cpan client is vulnerable to CVE-2016-1238

Summary: cpan client is vulnerable to CVE-2016-1238

Keywords:
Status:	CLOSED EOL
Alias:	None
Product:	Red Hat Software Collections
Classification:	Red Hat
Component:	perl-CPAN
Sub Component:
Version:	rh-perl524
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	---
Target Release:	3.4
Assignee:	perl-maint-list
QA Contact:	BaseOS QE - Apps
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	CVE-2016-1238
TreeView+	depends on / blocked

Reported:	2017-01-09 17:35 UTC by Petr Pisar
Modified:	2019-12-02 12:19 UTC (History)
CC List:	0 users
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2019-12-02 12:18:36 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)
Cumulative patch (9.83 KB, patch) 2017-01-09 17:59 UTC, Petr Pisar	no flags	Details \| Diff
View All

Links
System	ID	Private	Priority	Status	Summary	Last Updated
CPAN	116507	0	None	None	None	2017-01-31 09:13:20 UTC

Description Petr Pisar 2017-01-09 17:35:03 UTC

rh-perl524-perl-CPAN-2.11-368.el6.noarch loads optional modules from current working directory:

$ cd /tmp
$ mkdir Log
cat >Log/Log4perl.pm
warn 'HIT';
1;
^D
$ cpan
HIT at /tmp/Log/Log4perl.pm line 1.
Undefined subroutine &Log::Log4perl::init called at /opt/rh/rh-perl524/root/usr/share/perl5/vendor_perl/App/Cpan.pm line 546.

This bug is know as CVE-2016-1238 and a fix exists in perl-5.24.1 release candidate. Other rh-perl524 packages already contain the fix. Please note that additional patch from CPAN RT#116507 is required to handle cpan -j option correctly in case of a relative path.

Comment 1 Petr Pisar 2017-01-09 17:59:44 UTC

Created attachment 1238847 [details]
Cumulative patch

Comment 7 Petr Pisar 2019-11-08 06:05:39 UTC

rh-perl526 is not affected.

Comment 8 Joe Orton 2019-12-02 12:18:36 UTC

In accordance with the Red Hat Software Collections Product Life Cycle, the support period for this collection has ended.

New bug fix, enhancement, and security errata updates, as well as technical support services will no longer be made available for this collection.

Customers are encouraged to upgrade to a later release.

Please contact Red Hat Support if you have further questions, or refer to the support lifecycle page for more information. https://access.redhat.com/support/policy/updates/rhscl/

Note You need to log in before you can comment on or make changes to this bug.