https://bugzilla.redhat.com/show_bug.cgi?id=1354386

Bug ID: 1354386
Summary: CVE-2016-6185 perl: XSLoader loads relative paths not included in @INC
Product: Security Response
Component: vulnerability
Keywords: Security
Severity: medium
Priority: medium
Assignee: security-response-team@xxxxxxxxxx
Reporter: amaris@xxxxxxxxxx
CC: cweyl@xxxxxxxxxxxxxxx, hhorak@xxxxxxxxxx, iarnell@xxxxxxxxx, jorton@xxxxxxxxxx, jplesnik@xxxxxxxxxx, kasal@xxxxxx, perl-devel@xxxxxxxxxxxxxxxxxxxxxxx, perl-maint-list@xxxxxxxxxx, ppisar@xxxxxxxxxx, psabata@xxxxxxxxxx, rc040203@xxxxxxxxxx, rmeggins@xxxxxxxxxx, tcallawa@xxxxxxxxxx

Arbitrary code execution can be achieved when loading code from an untrusted current working directory, even though '.' is removed from @INC.

The vulnerability is in XSLoader, which uses caller() information to locate the .so file to load. If a malicious attacker creates a directory named `(eval 1)` with a malicious binary file in it, it will be loaded if the package calling XSLoader is in the parent directory.

CVE assignment:
http://seclists.org/oss-sec/2016/q3/28

Upstream bug:
https://rt.cpan.org/Public/Bug/Display.html?id=115808

Upstream patch:
http://perl5.git.perl.org/perl.git/commitdiff/08e3451d7
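A defender's check for the condition described in the report, as an added example that is not part of the Bugzilla entry or of Perl's own code: it lists `.so` files that sit below a directory literally named `(eval N)`. The function names and the sample tree layout are assumptions made for illustration.

```shell
#!/bin/sh
# find_eval_dir_objects ROOT...
# Print every *.so file located below a directory whose name is exactly
# "(eval <digits>)" under the given roots, one path per line.
# Paths containing newlines are not handled.
find_eval_dir_objects() {
    for root in "$@"; do
        [ -d "$root" ] || continue
        # find -path pre-filters; grep enforces that one whole path
        # component is "(eval N)" and not e.g. "(eval 1x)".
        find "$root" -type f -name '*.so' -path '*/(eval [0-9]*)/*' 2>/dev/null |
            grep -E '/\(eval [0-9]+\)/' || true
    done
}

# make_sample_tree: build a constructed directory tree for trying the
# scanner offline and print its root. All names below are made up.
make_sample_tree() {
    sample_root=$(mktemp -d) || return 1
    mkdir -p "$sample_root/app/(eval 1)/auto/Foo" \
             "$sample_root/app/lib/auto/Foo" \
             "$sample_root/app/(evaluate)"
    : > "$sample_root/app/(eval 1)/auto/Foo/Foo.so"   # should be reported
    : > "$sample_root/app/lib/auto/Foo/Foo.so"        # ordinary module path
    : > "$sample_root/app/(evaluate)/Foo.so"          # similar name, no match
    printf '%s\n' "$sample_root"
}

# When invoked with arguments, scan those directories.
if [ "$#" -gt 0 ]; then
    find_eval_dir_objects "$@"
fi
```

Run it against directories from which Perl programs are started, such as upload, spool or shared scratch directories; any hit deserves a look at who created the directory.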