Bug 588269 - (CVE-2010-1447) CVE-2010-1447 perl: Safe restriction bypass when reference to subroutine in compartment is called from outside
CVE-2010-1447 perl: Safe restriction bypass when reference to subroutine in c...
Status: NEW
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
medium Severity medium
: ---
: ---
Assigned To: Red Hat Product Security
impact=moderate,source=upstream,repor...
: Security
Depends On: 591159 591160 591161 591167 591168 598397 598398
Blocks:
  Show dependency treegraph
 
Reported: 2010-05-03 07:05 EDT by Jan Lieskovsky
Modified: 2013-07-02 23:50 EDT (History)
6 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:


Attachments (Terms of Use)

  None (edit)
Description Jan Lieskovsky 2010-05-03 07:05:22 EDT
Safe.pm 2.26 and earlier (except 2.20 through 2.23 if using a threads-enabled 
Perl), when used in Perl 5.10.0 and earlier, may allow attackers to break out
of safe compartment in (1) Safe::reval or (2) Safe::rdo using subroutine 
references, whose execution is delayed to happen outside of the safe
compartment.
  If a victim was tricked into running a specially-crafted Perl script, using 
Safe extension module, it could lead to intended Safe module restrictions 
bypass, if the returned subroutine reference was called from outside of the 
compartment.
  Different vulnerability than CVE-2010-1168.

Solution: Ugrade to Safe.pm v2.27 or higher.

References:
  [1] http://search.cpan.org/~rgarcia/Safe-2.27/Safe.pm

Acknowledgements:

Red Hat would like to thank Tim Bunce for responsibly reporting this flaw.
Upstream credits also Rafaël Garcia-Suarez for discovering of this issue.
Comment 2 Jan Lieskovsky 2010-05-03 07:28:13 EDT
This is CVE-2010-1447.
Comment 8 Vincent Danen 2010-05-19 17:08:05 EDT
This issue is public now, but MITRE has given it a strange description that may be confusing to people as it refers to PostgreSQL more than Perl:

Common Vulnerabilities and Exposures assigned an identifier CVE-2010-1447 to
the following vulnerability:

Name: CVE-2010-1447
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1447
Assigned: 20100415
Reference: CONFIRM: http://security-tracker.debian.org/tracker/CVE-2010-1447
Reference: CONFIRM: http://www.postgresql.org/about/news.1203
Reference: CONFIRM: https://bugs.launchpad.net/bugs/cve/2010-1447
Reference: CONFIRM: https://bugzilla.redhat.com/show_bug.cgi?id=588269
Reference: SECUNIA:39845
Reference: URL: http://secunia.com/advisories/39845
Reference: VUPEN:ADV-2010-1167
Reference: URL: http://www.vupen.com/english/advisories/2010/1167

PostgreSQL 7.4 before 7.4.29, 8.0 before 8.0.25, 8.1 before 8.1.21,
8.2 before 8.2.17, 8.3 before 8.3.11, 8.4 before 8.4.4, and 9.0 Beta
before 9.0 Beta 2 does not properly restrict PL/perl procedures, which
might allow remote attackers to execute arbitrary Perl code via a
crafted script, related to the Safe module (aka Safe.pm) for Perl.
Comment 9 Tomas Hoger 2010-05-20 03:02:16 EDT
It's probably PostgreSQL announcement that's causing the confusion, as it mentions perl CVE-2010-1447 too, and there was no public reference for CVE-2010-1447 at that time.

Quick disambiguation summary - CVE-2010-1447 (for perl/Safe) and CVE-2010-1169 (for PostgreSQL) are closely related and describe basically the same issue. Safe fix makes sure that subroutines called form outside of the compartment is still restricted by Safe.  This approach did not work for PostgreSQL, which instead abandoned Safe and relies on Opcode now instead.
Comment 10 Jan Lieskovsky 2010-05-20 12:58:49 EDT
(In reply to comment #8)
> This issue is public now, but MITRE has given it a strange description that  may
> be confusing to people as it refers to PostgreSQL more than Perl:
> 

Detailed post trying to solve the current confusion:
  [1] http://www.openwall.com/lists/oss-security/2010/05/20/5
Comment 14 errata-xmlrpc 2010-06-07 11:29:34 EDT
This issue has been addressed in following products:

  Red Hat Enterprise Linux 3
  Red Hat Enterprise Linux 4

Via RHSA-2010:0457 https://rhn.redhat.com/errata/RHSA-2010-0457.html
Comment 15 errata-xmlrpc 2010-06-07 12:21:37 EDT
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5

Via RHSA-2010:0458 https://rhn.redhat.com/errata/RHSA-2010-0458.html
Comment 16 Fedora Update System 2010-08-02 21:10:17 EDT
perl-5.10.1-116.fc13 has been pushed to the Fedora 13 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.