Bug 962705 - (CVE-2012-6143) CVE-2012-6143 perl-Spoon (Spoon::Cookie): Do not run Storable::thaw() on arbitrary untrusted user input
CVE-2012-6143 perl-Spoon (Spoon::Cookie): Do not run Storable::thaw() on arbi...
Status: NEW
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
All Linux
medium Severity medium
: ---
: ---
Assigned To: Red Hat Product Security
: Security
Depends On: 962708 962707
  Show dependency treegraph
Reported: 2013-05-14 05:56 EDT by Jan Lieskovsky
Modified: 2015-07-31 03:06 EDT (History)
2 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Jan Lieskovsky 2013-05-14 05:56:06 EDT
Spoon::Cookie Perl module allows storing data of any type on the client side browser using HTTP cookies. The data is subsequently serialized and deserialized using Perl's Storable module without any further checks for possible tampering.

Since the Perl's Storable module has been documented to be unsuitable for these purposes:
  [1] http://perl5.git.perl.org/perl.git/commit/664f237a84176c09b20b62dbfe64dd736a7ce05e

(as reported) the current Spoon::Cookie behaviour is dangerous as it will run Storable::thaw() on arbitrary untrusted user input. A remote attacker could provide a specially-crafted Spoon::Cookie input that, when processed with Storable::thaw() would lead to Storable module to load the module corresponding to the class of the object in the deserializing module, possibly leading to arbitrary code execution (with the privileges of the user running the application utilizing the services of the Spoon::Cookie module).

Spoon CPAN module ticket:
[2] https://rt.cpan.org/Public/Bug/Display.html?id=85217

[3] http://www.openwall.com/lists/oss-security/2013/05/13/1
Comment 1 Jan Lieskovsky 2013-05-14 06:00:00 EDT
This issue affects the versions of the perl-Spoon package, as shipped with Fedora release of 17, 18, and Fedora EPEL-6. Please schedule an update once there is final upstream patch available (doesn't seem to be as of right now).
Comment 2 Jan Lieskovsky 2013-05-14 06:01:08 EDT
Created perl-Spoon tracking bugs for this issue

Affects: fedora-all [bug 962707]
Affects: epel-6 [bug 962708]

Note You need to log in before you can comment on or make changes to this bug.