From @Leont

On Thu, Oct 24, 2013 at 5​:31 PM, Leon Timmermans <fawaka@​gmail.com> wrote​:

Hi all,

Perldoc may load File​::Temp from lib/ iff Makefile.PL or Build.PL exist in
the current directory, and if the argument is an existing module. If the
argument is an URL, it can be done using lib/HTTP/Tiny.pm too.

Proof​:

touch Makefile.PL
mkdir -p lib/File
echo 'die "Exploited!"' > lib/File/Temp.pm
perldoc Scalar​::Util

This is a serious bug, and user-assisted exploits are trivial to write.

Actually, it turns out that any of these module would do the trick​:

File​::Temp
Cwd
File​::Path
IO​::Seekable
IO​::Handle
Symbol
SelectSaver
IO
Errno
Scalar​::Util
List​::Util
Carp​::Heavy
Exporter​::Heavy
IPC​::Open3

Leon

From @kentfredric

On 25 October 2013 04​:31, Leon Timmermans <fawaka@​gmail.com> wrote​:

This is a serious bug, and user-assisted exploits are trivial to write.

Not to mention, it would appear to be an entirely unrequired security hole.

It occurs because the code in question modifies @​INC blindly to include
lib/ , blib/ and '.' , without user interaction.

However, this change is not required to load documentation from the current
directory, as the documentation is *NOT* loaded using *require* , and @​INC
is later simply inserted into the search routine.

Attached is a patch which removes modification of @​INC, and retains the
behaviour with regard to finding documentation, which eliminates this
specific security hole.

--
Kent

From @kentfredric

diff --git a/cpan/Pod-Perldoc/lib/Pod/Perldoc.pm b/cpan/Pod-Perldoc/lib/Pod/Perldoc.pm
index 9cdee80..8519680 100644
--- a/cpan/Pod-Perldoc/lib/Pod/Perldoc.pm
+++ b/cpan/Pod-Perldoc/lib/Pod/Perldoc.pm
@@ -441,6 +441,7 @@ sub init {
   $self->{'pagers' } = [@Pagers] unless exists $self->{'pagers'};
   $self->{'bindir' } = $Bindir   unless exists $self->{'bindir'};
   $self->{'pod2man'} = $Pod2man  unless exists $self->{'pod2man'};
+  $self->{'search_path'} = [ ]   unless exists $self->{'search_path'};
 
   push @{ $self->{'formatter_switches'} = [] }, (
    # Yeah, we could use a hashref, but maybe there's some class where options
@@ -529,7 +530,7 @@ sub process {
     $self->find_good_formatter_class();
     $self->formatter_sanity_check();
 
-    $self->maybe_diddle_INC();
+    $self->maybe_extend_searchpath();
       # for when we're apparently in a module or extension directory
 
     my @found = $self->grand_search_init(\@pages);
@@ -858,7 +859,7 @@ sub grand_search_init {
 
         # We must look both in @INC for library modules and in $bindir
         # for executables, like h2xs or perldoc itself.
-        push @searchdirs, ($self->{'bindir'}, @INC);
+        push @searchdirs, ($self->{'bindir'}, @{$self->{search_path}}, @INC);
         unless ($self->opt_m) {
             if ($self->is_vms) {
                 my($i,$trn);
@@ -1648,19 +1649,18 @@ sub containspod {
 
 #..........................................................................
 
-sub maybe_diddle_INC {
+sub maybe_extend_searchpath {
   my $self = shift;
 
   # Does this look like a module or extension directory?
 
   if (-f "Makefile.PL" || -f "Build.PL") {
 
-    # Add "." and "lib" to @INC (if they exist)
-    eval q{ use lib qw(. lib); 1; } or $self->die;
+    push @{$self->{search_path} }, '.','lib';
 
     # don't add if superuser
     if ($< && $> && -d "blib") {   # don't be looking too hard now!
-      eval q{ use blib; 1 };
+      push @{ $self->{search_path} }, 'blib';
       $self->warn( $@ ) if $@ && $self->opt_D;
     }
   }

From @Leont

Hi all,

Perldoc may load File​::Temp from lib/ iff Makefile.PL or Build.PL exist in
the current directory, and if the argument is an existing module. If the
argument is an URL, it can be done using lib/HTTP/Tiny.pm too.

Proof​:

touch Makefile.PL
mkdir -p lib/File
echo 'die "Exploited!"' > lib/File/Temp.pm
perldoc Scalar​::Util

This is a serious bug, and user-assisted exploits are trivial to write.

Leon

From @tonycoz

On Thu Oct 24 13​:14​:38 2013, LeonT wrote​:

Hi all,

Perldoc may load File​::Temp from lib/ iff Makefile.PL or Build.PL exist in
the current directory, and if the argument is an existing module. If the
argument is an URL, it can be done using lib/HTTP/Tiny.pm too.

Proof​:

touch Makefile.PL
mkdir -p lib/File
echo 'die "Exploited!"' > lib/File/Temp.pm
perldoc Scalar​::Util

This is a serious bug, and user-assisted exploits are trivial to write.

This thread ended up as three tickets, which I've merged.

Hopefully forwarding to the security list is fixed too, which this reply should test.

Tony

The RT System itself - Status changed from 'new' to 'open'

From @iabyn

On Thu, Oct 24, 2013 at 5​:31 PM, Leon Timmermans <fawaka@​gmail.com> wrote​:

Perldoc may load File​::Temp [and several others] from lib/ iff
Makefile.PL or Build.PL exist in the current directory

Proof​:

$ touch Makefile.PL
$ mkdir -p lib/File
$ echo 'die "Exploited!"' > lib/File/Temp.pm
$ perldoc Scalar​::Util
Exploited! at lib/File/Temp.pm line 1.

This is a serious bug, and user-assisted exploits are trivial to write.

This ticket and it its follow-ups never made it to the
perl5-security-report list, so I'm putting it there now.

Is this issue being handled by the maintainers of the CPAN package?
i.e is there anything the porters need to do right now apart from pull in
a new patch or release from CPAN when it becomes available?
Then we need to decide whether to backport it, make maint security
releases, CVEs etc.

Discuss...

--
The warp engines start playing up a bit, but seem to sort themselves out
after a while without any intervention from boy genius Wesley Crusher.
  -- Things That Never Happen in "Star Trek" #17

From @iabyn

On Wed, Oct 30, 2013 at 11​:10​:19AM +0000, Dave Mitchell wrote​:

This ticket and it its follow-ups never made it to the
perl5-security-report list, so I'm putting it there now.

Is this issue being handled by the maintainers of the CPAN package?
i.e is there anything the porters need to do right now apart from pull in
a new patch or release from CPAN when it becomes available?
Then we need to decide whether to backport it, make maint security
releases, CVEs etc.

Discuss...

This apparently never made it to the list either. Resending as a test.

--
"Strange women lying in ponds distributing swords is no basis for a system
of government. Supreme executive power derives from a mandate from the
masses, not from some farcical aquatic ceremony."
  -- Dennis, "Monty Python and the Holy Grail"

From @Leont

On Wed, Oct 30, 2013 at 12​:10 PM, Dave Mitchell <davem@​iabyn.com> wrote​:

This ticket and it its follow-ups never made it to the
perl5-security-report list, so I'm putting it there now.

Is this issue being handled by the maintainers of the CPAN package?
i.e is there anything the porters need to do right now apart from pull in
a new patch or release from CPAN when it becomes available?
Then we need to decide whether to backport it, make maint security
releases, CVEs etc.

Discuss...

I think it should be primarily handled by the maintainer, I haven't heard
from him at all though.

I do think it ought to be backported, but it probably doesn't warrant an
immediate maintenance security release.

I guess it needs a CVE (that bar seems to be set pretty low nowadays), I'm
going to look into that.

Leon

From @mrallen1

First, I am sorry I was dark - I had a problem in my email filtering rules which didn't surface
this email thread until Leon pinged me on Twitter.  This filter problem should be resolved now.

Second, I just uploaded Pod-Perldoc 3.21_01 to CPAN which incorporates Kent's suggested patch.

On confirmation the patch fixes the problem (it appears to on my local machine), I will release 3.21.

Thank you for your help in resolving this problem.

Mark Allen

On Wednesday, November 6, 2013 7​:15 AM, Leon Timmermans <fawaka@​gmail.com> wrote​:

On Wed, Oct 30, 2013 at 12​:10 PM, Dave Mitchell <davem@​iabyn.com> wrote​:

This ticket and it its follow-ups never made it to the

perl5-security-report list, so I'm putting it there now.

Is this issue being handled by the maintainers of the CPAN package?
i.e is there anything the porters need to do right now apart from pull in
a new patch or release from CPAN when it becomes available?
Then we need to decide whether to backport it, make maint security
releases, CVEs etc.

Discuss...

I think it should be primarily handled by the maintainer, I haven't heard from him at all though.

I do think it ought to be backported, but it probably doesn't warrant an immediate maintenance security release.

I guess it needs a CVE (that bar seems to be set pretty low nowadays), I'm going to look into that.

Leon

From @iabyn

On Tue, Nov 19, 2013 at 09​:21​:37AM -0800, Mark Allen wrote​:

Second, I just uploaded Pod-Perldoc 3.21_01 to CPAN which incorporates Kent's suggested patch.

On confirmation the patch fixes the problem (it appears to on my local machine), I will release 3.21.

I can confirm it fixes the issue.

--
The Enterprise's efficient long-range scanners detect a temporal vortex
distortion in good time, allowing it to be safely avoided via a minor
course correction.
  -- Things That Never Happen in "Star Trek" #21

From @mrallen1

I will prepare a CPAN release in a few days including this patch and a couple others that have come in.

Thanks.

On Monday, December 30, 2013 5​:45 AM, Dave Mitchell <davem@​iabyn.com> wrote​:

On Tue, Nov 19, 2013 at 09​:21​:37AM -0800, Mark Allen wrote​:

Second, I just uploaded Pod-Perldoc 3.21_01 to CPAN which incorporates Kent's suggested patch.

On confirmation the patch fixes the problem (it appears to on my local machine), I will release 3.21.

I can confirm it fixes the issue.

--
The Enterprise's efficient long-range scanners detect a temporal vortex
distortion in good time, allowing it to be safely avoided via a minor
course correction.
    -- Things That Never Happen in "Star Trek" #21

From @mrallen1

Just to close the loop on this - I released Pod-Perldoc 3.21 to CPAN a couple days ago.  This is a version I propose
be included in blead.  I have several other RT tickets to close on this distribution and hope to have them done by the end of January.

Thanks.

On Friday, January 3, 2014 10​:15 AM, Mark Allen <mrallen1@​yahoo.com> wrote​:

I will prepare a CPAN release in a few days including this patch and a couple others that have come in.

Thanks.

On Monday, December 30, 2013 5​:45 AM, Dave Mitchell <davem@​iabyn.com> wrote​:

On Tue, Nov 19, 2013 at 09​:21​:37AM -0800, Mark Allen wrote​:

Second, I just uploaded Pod-Perldoc 3.21_01 to CPAN which incorporates Kent's suggested patch.

On confirmation the patch fixes the problem (it appears to on my local machine), I will release 3.21.

I can confirm it fixes the issue.

--
The Enterprise's efficient long-range scanners detect a temporal vortex
distortion in good time, allowing it to be safely avoided via a minor
course correction.
    -- Things That Never Happen in "Star Trek" #21

From @iabyn

On Wed, Jan 08, 2014 at 09​:55​:36AM -0800, Mark Allen wrote​:

Just to close the loop on this - I released Pod-Perldoc 3.21 to CPAN a
couple days ago.  This is a version I propose be included in blead.  I
have several other RT tickets to close on this distribution and hope to
have them done by the end of January.

This version was pulled into blead on monday, so the loop is closed,
thanks!

--
I thought I was wrong once, but I was mistaken.

From @kentfredric

On 9 January 2014 07​:17, Dave Mitchell <davem@​iabyn.com> wrote​:

This version was pulled into blead on monday, so the loop is closed,
thanks!

Are security fixes usually candidates for stable releases? ie​: should this
be in a 5.18* series?

I'm just wondering when we're supposed to advise security people of a
formal security risk they want to update to avoid. ( aka​: CVE's and shit )

--
Kent

From @Leont

On Mon Jan 13 16​:31​:11 2014, kentfredric@​gmail.com wrote​:

On 9 January 2014 07​:17, Dave Mitchell <davem@​iabyn.com> wrote​:

This version was pulled into blead on monday, so the loop is closed,
thanks!

Are security fixes usually candidates for stable releases? ie​: should this
be in a 5.18* series?

I'm just wondering when we're supposed to advise security people of a
formal security risk they want to update to avoid. ( aka​: CVE's and shit )

And the crickets had the field for a year. It seems this got reported for a second time as #123647.

I suspect a CVE is still warranted. Should I do that? The whole process is rather fuzzy to me.

From @tonycoz

On Wed, Jan 28, 2015 at 10​:49​:54AM -0800, Leon Timmermans via RT wrote​:

On Mon Jan 13 16​:31​:11 2014, kentfredric@​gmail.com wrote​:

On 9 January 2014 07​:17, Dave Mitchell <davem@​iabyn.com> wrote​:

This version was pulled into blead on monday, so the loop is closed,
thanks!

Are security fixes usually candidates for stable releases? ie​: should this
be in a 5.18* series?

I'm just wondering when we're supposed to advise security people of a
formal security risk they want to update to avoid. ( aka​: CVE's and shit )

And the crickets had the field for a year. It seems this got reported for a second time as #123647.

I suspect a CVE is still warranted. Should I do that? The whole process is rather fuzzy to me.

If the issue isn't public yet, mail any of​:

- secalert@​redhat.com

- distros@​vs.openwall.org (limited access mailing list, 2 week embargo process)

- cve-assign@​mitre.org

I've used the last before, but that was before the first two were active.

If the issue is public​:

- oss-security@​lists.openwall.com (mailing list)

See https://github.com/RedHatProductSecurity/CVE-HOWTO for details of what

Tony

From @kentfredric

On 29 January 2015 at 11​:46, Tony Cook via RT <
perl5-security-report@​perl.org> wrote​:

If the issue isn't public yet, mail any of​:

- secalert@​redhat.com

- distros@​vs.openwall.org (limited access mailing list, 2 week embargo
process)

- cve-assign@​mitre.org

I've used the last before, but that was before the first two were active.

If the issue is public​:

- oss-security@​lists.openwall.com (mailing list)

See https://github.com/RedHatProductSecurity/CVE-HOWTO for details of what

And either do the same here
https://bugs.gentoo.org/enter_bug.cgi?product=Gentoo%20Security&component=Vulnerabilities

Or once you have draft text for advisory notice let me know and I'll
copy-paste it in or something.

--
Kent

*KENTNL* - https://metacpan.org/author/KENTNL

From @iabyn

On Thu, Jan 29, 2015 at 12​:44​:30PM +1300, Kent Fredric wrote​:

On 29 January 2015 at 11​:46, Tony Cook via RT <
perl5-security-report@​perl.org> wrote​:

If the issue isn't public yet, mail any of​:

- secalert@​redhat.com

- distros@​vs.openwall.org (limited access mailing list, 2 week embargo
process)

- cve-assign@​mitre.org

I've used the last before, but that was before the first two were active.

If the issue is public​:

- oss-security@​lists.openwall.com (mailing list)

See https://github.com/RedHatProductSecurity/CVE-HOWTO for details of what

And either do the same here
https://bugs.gentoo.org/enter_bug.cgi?product=Gentoo%20Security&component=Vulnerabilities

Or once you have draft text for advisory notice let me know and I'll
copy-paste it in or something.

This security ticket is still open and un-replied-to for 2+ years. The fix
is in the 5.20.0 release and onwards, and I think we've missed the boat by
now for any advisory-type action, so I suggest this ticket should be closed
and moved to the public queue.

--
The Enterprise is involved in a bizarre time-warp experience which is in
some way unconnected with the Late 20th Century.
  -- Things That Never Happen in "Star Trek" #14

From @xsawyerx

Makes sense.

On Thu, Feb 2, 2017 at 1​:29 PM, Dave Mitchell <davem@​iabyn.com> wrote​:

On Thu, Jan 29, 2015 at 12​:44​:30PM +1300, Kent Fredric wrote​:

On 29 January 2015 at 11​:46, Tony Cook via RT <
perl5-security-report@​perl.org> wrote​:

If the issue isn't public yet, mail any of​:

- secalert@​redhat.com

- distros@​vs.openwall.org (limited access mailing list, 2 week embargo
process)

- cve-assign@​mitre.org

I've used the last before, but that was before the first two were active.

If the issue is public​:

- oss-security@​lists.openwall.com (mailing list)

See https://github.com/RedHatProductSecurity/CVE-HOWTO for details of what

And either do the same here
https://bugs.gentoo.org/enter_bug.cgi?product=Gentoo%20Security&component=Vulnerabilities

Or once you have draft text for advisory notice let me know and I'll
copy-paste it in or something.

This security ticket is still open and un-replied-to for 2+ years. The fix
is in the 5.20.0 release and onwards, and I think we've missed the boat by
now for any advisory-type action, so I suggest this ticket should be closed
and moved to the public queue.

--
The Enterprise is involved in a bizarre time-warp experience which is in
some way unconnected with the Late 20th Century.
-- Things That Never Happen in "Star Trek" #14

@iabyn - Status changed from 'open' to 'resolved'