Perl5 vulnerability

All versions of Perl5 have been vulnerable since Thursday, but the prevention from installing it was ignored in the ports tree and packages. It is required for x11/xorg, (any version of) LLVM and most other packages. How much of a vulnerability is it?

Code:
perl5-5.20.3_13 is vulnerable:
perl -- local arbitrary code execution
CVE: CVE-2016-1238
WWW: https://vuxml.FreeBSD.org/freebsd/72 ...
...
perl5-5.20.3_13 is vulnerable:
p5-XSLoader -- local arbitrary code execution
CVE: CVE-2016-6185
WWW: ...

There are no available updates for perl5 (any version), or devel/p5-XSLoader.
 
I'm surprised everyone is ok with a vulnerable system, considering it is required for xorg, llvm and most packages/ports.
 
How much of a vulnerability is it?
Seems impossible to tell at this point. The main culprit is local code execution, but how big an impact that has would heavily depend on the system at hand. I'm not saying that this isn't a problem, but it's also not something which would result in compromised systems by definition.

I'm not sure how you conclude that everyone is ok with this. Just because people don't respond? No matter if people respond or not it wouldn't change the current facts. Best I can do as an administrator is to wait for the Perl team to sort this out.
 
If you take just 5 minutes to look at what this issue actually is, it's clear that it's really no big deal. There's no remote exploit of it, and Perl has been strongly discouraged from setuid usage for a long time. An attacker who already has a local user account might be able to do something, maybe, but it would be really very difficult to exploit. Achieving privilege escalation through it seems quite unlikely.

I am actually perfectly ok with this existing on my systems for a while, and do not consider it a real vulnerability in terms of being something to actually worry about (this is pretty much a 1 on a scale of 1 to 10 for urgency).

Not everything that gets a CVE ID is actually important or urgent. In some cases, like this one, the ability to actually gain advantage from the identified behaviour is just about non-existent for many normal use cases.

Your conclusion that everyone is ok with it, apparently only due to a lack of forum replies over a 2 hour period, is entirely incorrect. On the other hand, many people probably are ok with it, due to the extremely low risk from it for them.

A quick glance suggests to me that www/mod_perl2 is probably not impacted, as it does not seem to have '.' in INC.
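A defensive check for the '.'-in-@INC issue discussed in this thread, added here as an example and not code from the thread or from the FreeBSD ports: it reports any @INC entry a local user could write to and applies the per-script mitigation of removing a trailing '.' before other modules are loaded. The sub name and output format are my own.

```perl
#!/usr/bin/env perl
# Added example (not from the thread): audit @INC for entries an
# unprivileged local user could control, which is the CVE-2016-1238 class
# of risk, and drop a trailing '.' before any further module is loaded.
use strict;
use warnings;
use File::Spec;

# Return [entry, reason] pairs for unsafe @INC entries: '.', any relative
# path (resolved against the caller's working directory), or a directory
# writable by group or others.
sub unsafe_inc_entries {
    my @entries = @_;
    my @bad;
    for my $dir (@entries) {
        next if ref $dir;    # @INC hooks (code refs, objects) are not paths
        if ( !File::Spec->file_name_is_absolute($dir) ) {
            push @bad, [ $dir, 'relative path, resolved against cwd' ];
            next;
        }
        next unless -d $dir;
        my $mode = ( stat _ )[2] & 07777;    # reuse the stat buffer from -d
        if ( $mode & 0022 ) {
            push @bad, [ $dir, sprintf 'writable by group/others (mode %04o)', $mode ];
        }
    }
    return @bad;
}

# Snapshot and check @INC at compile time, before any later 'use' could
# load something from it; then apply the per-script mitigation for
# CVE-2016-1238: remove a trailing '.'.
our @UNSAFE;
BEGIN {
    @UNSAFE = unsafe_inc_entries(@INC);
    pop @INC if @INC && $INC[-1] eq '.';
}

if (@UNSAFE) {
    printf "unsafe \@INC entry %s: %s\n", @$_ for @UNSAFE;
    exit 1;
}
print "\@INC has no relative or group/world-writable entries\n";
```

On an interpreter that still puts '.' last in @INC the script reports it and exits non-zero; running it from a few different working directories shows why a relative entry is the concern.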
 
Actually, since Thursday no one has brought it up. I'm asking because I didn't know how much of an issue it was.
 
Actually, since Thursday no one has brought it up. I'm asking because I didn't know how much of an issue it was.
The Perl ports have had a fix since r420067 on 11-Aug-2016, described here as:
commit message said:
Update lang/perl5.* to fix CVE-2016-1238.

We're exceptionally using the latest release candidates for this, Perl
5.22.3 and 5.24.1 were about to be released when CVE-2016-1238 hit the
fan, so we feel confident that EVERYTHING WILL BE FINE.
Perl 5.22.3 RC3 was released the following day (12th), and Steve Hay said that the final release would probably happen soon, followed shortly by a new www/mod_perl2 release that fixes it to work on Perl 5.22 and newer, so the BROKEN= can be removed from the port's Makefile.
 
Did this just now:

Code:
# pkg audit -F
vulnxml file up-to-date
perl5-5.20.3_14 is vulnerable:
p5-XSLoader -- local arbitrary code execution
CVE: CVE-2016-6185
WWW: https://vuxml.FreeBSD.org/freebsd/3e08047f-5a6c-11e6-a6c3-14dae9d210b8.html

1 problem(s) in the installed packages found.
Ports are up to date;
Code:
 '/usr/ports': At revision 420207.

Seems the issue is still being worked out.
 
Did this just now:

Code:
perl5-5.20.3_14 is vulnerable:
p5-XSLoader -- local arbitrary code execution
CVE: CVE-2016-6185
WWW: https://vuxml.FreeBSD.org/freebsd/3e08047f-5a6c-11e6-a6c3-14dae9d210b8.html
Seems the issue is still being worked out.

The FreeBSD vuxml file has marked all versions of Perl 5.18 and 5.20 vulnerable:
Code:
5.18 <= perl5 < 5.18.99 
5.20 <= perl5 < 5.20.99
Per upstream, Perl < 5.22 is end-of-life:
perldoc perlpolicy said:
We "officially" support the two most recent stable release series. 5.20.x and earlier are now out of support. As of the release of 5.26.0, we will "officially" end support for Perl 5.22.x, other than providing security updates as described below.

The exact dates are in the cpan README:
cpan README said:
5.20 5.20.3 End of life 2015-09-12 perl-5.20.3.tar.gz
5.18 5.18.4 End of life 2014-10-02 perl-5.18.4.tar.gz

So, I'd treat the vuxml warning as a suggestion to upgrade to 5.22.3 or newer as soon as it is released. At some point, the port maintainers are going to put a "Warning - EoL by upstream - this port will be removed around mm/dd/yy" warning in the older version Makefiles.
 