CVE-2016-1238

Priority
Description
(1) cpan/Archive-Tar/bin/ptar, (2) cpan/Archive-Tar/bin/ptardiff, (3)
cpan/Archive-Tar/bin/ptargrep, (4) cpan/CPAN/scripts/cpan, (5)
cpan/Digest-SHA/shasum, (6) cpan/Encode/bin/enc2xs, (7)
cpan/Encode/bin/encguess, (8) cpan/Encode/bin/piconv, (9)
cpan/Encode/bin/ucmlint, (10) cpan/Encode/bin/unidump, (11)
cpan/ExtUtils-MakeMaker/bin/instmodsh, (12)
cpan/IO-Compress/bin/zipdetails, (13) cpan/JSON-PP/bin/json_pp, (14)
cpan/Test-Harness/bin/prove, (15)
dist/ExtUtils-ParseXS/lib/ExtUtils/xsubpp, (16)
dist/Module-CoreList/corelist, (17) ext/Pod-Html/bin/pod2html, (18)
utils/c2ph.PL, (19) utils/h2ph.PL, (20) utils/h2xs.PL, (21)
utils/libnetcfg.PL, (22) utils/perlbug.PL, (23) utils/perldoc.PL, (24)
utils/perlivp.PL, and (25) utils/splain.PL in Perl 5.x before 5.22.3-RC2
and 5.24 before 5.24.1-RC2 do not properly remove . (period) characters
from the end of the includes directory array, which might allow local users
to gain privileges via a Trojan horse module under the current working
directory.
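An added audit sketch for the condition described above (not part of the advisory or of Perl itself): it checks whether an interpreter's include list ends in "." and which scripts lack a guard that removes it. The function names, the sample listings and the exact guard text matched are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the advisory. Sample listings are constructed; a real one
# comes from:  perl -e 'print "$_\n" for @INC'
SAMPLE_INC_AFFECTED='/etc/perl
/usr/local/lib/site_perl
/usr/share/perl5
.'
SAMPLE_INC_CLEAN='/etc/perl
/usr/local/lib/site_perl
/usr/share/perl5'

# Succeeds when the last non-empty line of the @INC listing on stdin is ".",
# meaning the current working directory is searched for modules.
inc_has_cwd() {
    last=$(awk 'NF { l = $0 } END { print l }')
    [ "$last" = "." ]
}

# Succeeds when the script contains a guard that pops a trailing "." off @INC.
# Assumption: the guard is written as  pop @INC if $INC[-1] eq '.'
# ([$], [[] and []] are bracket expressions matching a literal $, [ and ].)
script_drops_cwd() {
    grep -Eq 'pop[[:space:]]+@INC[[:space:]]+if[[:space:]]+[$]INC[[]-1[]][[:space:]]+eq' "$1"
}

# unguarded_scripts LISTING FILE...
# Prints each FILE that still searches the cwd; prints nothing if "." is not last in @INC.
unguarded_scripts() {
    listing=$1
    shift
    printf '%s\n' "$listing" | inc_has_cwd || return 0
    for f in "$@"; do
        script_drops_cwd "$f" || printf '%s\n' "$f"
    done
}
```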
Notes
 mdeslaur> the fix for this issue changes default behaviour and will
 mdeslaur> possibly break existing installations and scripts. Furthermore,
 mdeslaur> other packages in the archive need to be changed to work with
 mdeslaur> the new behaviour, see the Debian advisory for more info:
 mdeslaur> https://www.debian.org/security/2016/dsa-3628
 mdeslaur>
 mdeslaur> Due to the change in behaviour, we will not be fixing this issue
 mdeslaur> in perl in Ubuntu 12.04 LTS, Ubuntu 14.04 LTS and Ubuntu 16.04
 mdeslaur> LTS.
Package
Upstream: released (0.33-1+deb8u1)
Ubuntu 12.04 ESM (Precise Pangolin): DNE (precise was released [0.29-1+deb7u1build0.12.04.1])
Ubuntu 14.04 LTS (Trusty Tahr): released (0.33-1+deb8u1build0.14.04.1)
Ubuntu 16.04 LTS (Xenial Xerus): DNE
Ubuntu 18.04 LTS (Bionic Beaver): DNE
Ubuntu 18.10 (Cosmic Cuttlefish): DNE
Ubuntu 19.04 (Disco Dingo): DNE
Package
Source: perl (LP Ubuntu Debian)
Upstream: needs-triage
Ubuntu 12.04 ESM (Precise Pangolin): ignored
Ubuntu 14.04 LTS (Trusty Tahr): ignored
Ubuntu 16.04 LTS (Xenial Xerus): ignored
Ubuntu 18.04 LTS (Bionic Beaver): not-affected (5.24.1-2ubuntu1)
Ubuntu 18.10 (Cosmic Cuttlefish): not-affected (5.24.1-2ubuntu1)
Ubuntu 19.04 (Disco Dingo): not-affected (5.24.1-2ubuntu1)

Updated: 2019-01-14 22:22:40 UTC (commit 51f9b73af244ba86b9321e46e526586c25a8e060)