Re: [exim-dev] [Bug 1864] New: CVE-2016-1238: Important unsa…

Pàgina inicial
Delete this message
Reply to this message
Autor: Phil Pennock
Data:  
A: Andrew C Aitchison
CC: exim-dev
Assumpte: Re: [exim-dev] [Bug 1864] New: CVE-2016-1238: Important unsafe module load path flaw
On 2017-02-10 at 12:57 +0000, Andrew C Aitchison wrote:
> This is about a perl security issue that was not accepted directly into exim
> in July/August 2016.


Hrm. This isn't about Perl embedded inside Exim and thus setuid, but
instead scripts bundled, which run without elevated privilege, on the
basis that someone might theoretically invoke exim scripts while in a
directory to which untrusted users can write.

Also, where other scripting languages default to "same directory as
script, or current directory if we can't figure that out", Perl uses
"current directory" is is anomalous.

I suppose the odds are pretty high that someone might invoke it while in
/tmp and we should protect against it.

I don't see any harm from the patch for our scripts; it's an annoying
extra hoop to jump through, but that's about it.

I'll apply this change to all our Perl scripts. I will however place it
after warnings/strict, there's no reason to exempt executing Perl from
basic sanity checks.

I'm classifying this as "stupid and annoying of Perl and we shouldn't
have to do it, but reality sucks, changing the behavior is non-trivial
and so in the meantime we either deal with it in Perl or stop using
Perl".

Changed all; "perl -c" applies; also caught a couple of shell scripts
with embedded Perl.

Cherry-picked into the release branch. This means that there is likely
to be an RC4.

-Phil