Bug#829138: liblist-moreutils-perl: tries to load code from cwd

Niko Tyni ntyni at debian.org
Mon Jul 4 12:11:36 UTC 2016 

clone 829138 -1
retitle -1 perl: XSLoader tries to load code from '(eval 1)/' when called inside a string eval
reassign -1 perl 5.22.2-1
tag -1 patch fixed-upstream
severity -1 important
tag 829138 patch
thanks

On Thu, Jun 30, 2016 at 11:28:51PM +0200, Jakub Wilk wrote:
> Package: liblist-moreutils-perl
> Version: 0.413-1+b1
> Tags: security
> Control: affects -1 + check-all-the-things
> 
> List::MoreUtils tries to load code from a subdirectory of the current
> working directory. This could lead to execution of arbitrary code if cwd is
> untrusted.

Thanks for the report.

As discussed in the upstream ticket, the root cause is XSLoader, which
uses caller() information to locate the .so file to load. This can be
incorrect if XSLoader::load() is called in a string eval.

  https://rt.cpan.org/Ticket/Display.html?id=115808

I'm cloning a separate bug against perl about this; XSLoader
is already fixed upstream with

 http://perl5.git.perl.org/perl.git/commitdiff/08e3451d7

There's a simple workaround for List::MoreUtils in the upstream ticket
included below. I think we should apply this in any case as it improves
the diagnostics.

I'm setting the severity of the XSLoader bug to 'important';
the circumstances are rare enough that I don't think it should be
release-critical at this point as long as List-MoreUtils gets patched.

I'll still try to fix it in perl soon, and we can revisit this if other
packages turn out to be affected.

diff -rup List-MoreUtils-0.415-sba79Z-orig/lib/List/MoreUtils/XS.pm List-MoreUtils-0.415-sba79Z/lib/List/MoreUtils/XS.pm
--- List-MoreUtils-0.415-sba79Z-orig/lib/List/MoreUtils/XS.pm   2016-05-01 09:47:00.000000000 -0700
+++ List-MoreUtils-0.415-sba79Z/lib/List/MoreUtils/XS.pm    2016-07-03 11:02:41.000000000 -0700
@@ -13,6 +13,7 @@ BEGIN
     # Load the XS at compile-time so that redefinition warnings will be
     # thrown correctly if the XS versions of part or indexes loaded
     my $ldr = <<EOLDR;
+#line ${\(__LINE__+1 . " " . __FILE__)}
    package List::MoreUtils;
 
    # PERL_DL_NONLAZY must be false, or any errors in loading will just

-- 
Niko Tyni   ntyni at debian.org

More information about the pkg-perl-maintainers mailing list