[exim-dev] [Bug 1864] CVE-2016-1238: Important unsafe module…

Author: admin
Date:  
To: exim-dev
Subject: [exim-dev] [Bug 1864] CVE-2016-1238: Important unsafe module load path flaw
https://bugs.exim.org/show_bug.cgi?id=1864

--- Comment #3 from Andreas Metzler <eximusers@???> ---
On 2016-07-28 admin@??? wrote:
> Jeremy Harris <jgh146exb@???> changed:

[...]
> --- Comment #1 from Jeremy Harris <jgh146exb@???> ---
> This change, if valid, should be applied centrally in perl itself, not
> once in every perl script ever written.


Hello,

Afaiui that is planned for the future but was not done immediately as it
will probably cause local breakage:

Quoting the Debian announcement:
| Additionally the update allows configurable removal of "." from @INC
| in /etc/perl/sitecustomize.pl for a transitional period. It is
| recommended to enable this setting if the possible breakage for a
| specific site has been evaluated. Problems in packages provided in
| Debian resulting from the switch to the removal of '.' from @INC
| should be reported to the Perl maintainers at
| perl@??? .
|
| It is planned to switch to the default removal of '.' in @INC in a
| subsequent update to perl via a point release if possible, and in
| any case for the upcoming stable release Debian 9 (stretch).



Quoting the Fedora bug https://bugzilla.redhat.com/show_bug.cgi?id=1355695
| The thing is that "." has been in @INC for way too long, and hence it's
| relied on, and its removal will cause breakage. The info we got
| indicates that upstream may proceed with removing it in the future
| versions, but it's quite a big change for minor release. Hence this
| partial and more complicated fix to address recently-discovered cases
| where this issue has significant impact.


The thread on perl-porters
http://www.gossamer-threads.com/lists/perl/porters/329911 starts less
hopeful:
| While the Perl Security group has attempted to mitigate some of these
| problems by modifying Perl Modules, it is ultimately the responsibility
| of the application writer to remove relative paths from @INC to assure
| the security / consistent behavior of their code regardless of what
| directory it executes from.


The related perl bug report is not open for the public.

cu Andreas
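
The application-side mitigation named in the perl-porters quote above (removing relative paths from @INC), shown here as an added example that is not part of this message, of Exim, or of perl itself. It compares a cleaned @INC with one that still ends in "." when the working directory contains a file named like an optional module. Assumptions: POSIX-style paths; the module name Optional_Example and the helper loads() are hypothetical and constructed for the demonstration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hardening step: run before any non-core module is loaded, so that nothing
# which probes for an optional module can fall through to the current directory.
BEGIN {
    # Keep hook references (code/array/object entries) and absolute paths;
    # drop ".", "lib", "../x" and anything else resolved against the cwd.
    # Assumption: POSIX-style paths, where absolute means a leading "/".
    @INC = grep { ref($_) || m{^/} } @INC;
}

use File::Temp qw(tempdir);
use Cwd qw(getcwd);

# Hypothetical helper: return 1 if the named module loads, 0 otherwise.
sub loads {
    my ($module) = @_;
    (my $file = "$module.pm") =~ s{::}{/}g;
    delete $INC{$file};                     # forget any earlier attempt
    return eval { require $file; 1 } ? 1 : 0;
}

# Constructed scenario: the script runs with its working directory set to a
# directory that holds a file named like an optional, uninstalled module.
my $start = getcwd();
my $dir   = tempdir(CLEANUP => 1);
chdir $dir or die "chdir $dir: $!";
open my $fh, '>', 'Optional_Example.pm' or die "open: $!";
print {$fh} "package Optional_Example;\n1;\n";
close $fh or die "close: $!";

my $hardened = loads('Optional_Example');   # cleaned @INC from BEGIN above
my $legacy   = do {
    local @INC = (@INC, '.');               # search path with trailing "."
    loads('Optional_Example');
};

chdir $start or die "chdir $start: $!";     # leave the temp dir before cleanup

print "cleaned \@INC loads module from cwd:  $hardened\n";
print "\@INC ending in '.' loads it from cwd: $legacy\n";
```

A later `use lib` with a relative path, or a relative entry in PERL5LIB handled after this point, would put such entries back, so the filter belongs ahead of every other module load in the script.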
