CVE-2016-1238
Vulnerability Summary
Description
(1) cpan/Archive-Tar/bin/ptar, (2) cpan/Archive-Tar/bin/ptardiff, (3) cpan/Archive-Tar/bin/ptargrep, (4) cpan/CPAN/scripts/cpan, (5) cpan/Digest-SHA/shasum, (6) cpan/Encode/bin/enc2xs, (7) cpan/Encode/bin/encguess, (8) cpan/Encode/bin/piconv, (9) cpan/Encode/bin/ucmlint, (10) cpan/Encode/bin/unidump, (11) cpan/ExtUtils-MakeMaker/bin/instmodsh, (12) cpan/IO-Compress/bin/zipdetails, (13) cpan/JSON-PP/bin/json_pp, (14) cpan/Test-Harness/bin/prove, (15) dist/ExtUtils-ParseXS/lib/ExtUtils/xsubpp, (16) dist/Module-CoreList/corelist, (17) ext/Pod-Html/bin/pod2html, (18) utils/c2ph.PL, (19) utils/h2ph.PL, (20) utils/h2xs.PL, (21) utils/libnetcfg.PL, (22) utils/perlbug.PL, (23) utils/perldoc.PL, (24) utils/perlivp.PL, and (25) utils/splain.PL in Perl 5.x before 5.22.3-RC2 and 5.24 before 5.24.1-RC2 do not properly remove . (period) characters from the end of the includes directory array, which might allow local users to gain privileges via a Trojan horse module under the current working directory.
CVSS Metrics
- v3.1•HIGH•Score: 7.8•CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- v2.0•HIGH•Score: 7.2•AV:L/AC:L/Au:N/C:C/I:C/A:C
EPSS Trends
Current EPSS score: 0.32%• Percentile: 55%
Techniques & Countermeasures
- CWE-264•Permissions, Privileges, and Access Controls
Weaknesses in this category are related to the management of permissions, privileges, and other security features that are used to perform access control.
Affected Systems
- apache•spamassassin
< 3.4.2
- debian•debian_linux
8.0
- fedoraproject•fedora
23 | 24
- opensuse•leap
15.0
- perl•perl
1.0.15 | 1.0.16 | 5.000 | 5.000o | 5.001 | 5.001n | 5.002 | 5.002_01 | 5.003 | 5.003_01 | 5.003_02 | 5.003_03 | 5.003_04 | 5.003_05 | 5.003_07 | 5.003_08 | 5.003_09 | 5.003_10 | 5.003_11 | 5.003_12 | 5.003_13 | 5.003_14 | 5.003_15 | 5.003_16 | 5.003_17 | 5.003_18 | 5.003_19 | 5.003_20 | 5.003_21 | 5.003_22 | 5.003_23 | 5.003_24 | 5.003_25 | 5.003_26 | 5.003_27 | 5.003_28 | 5.003_90 | 5.003_91 | 5.003_92 | 5.003_93 | 5.003_94 | 5.003_95 | 5.003_96 | 5.003_97 | 5.003_97a | 5.003_97b | 5.003_97c | 5.003_97d | 5.003_97e | 5.003_97f | 5.003_97g | 5.003_97h | 5.003_97i | 5.003_97j | 5.003_98 | 5.003_99 | 5.003_99a | 5.004 | 5.004_01 | 5.004_02 | 5.004_03 | 5.004_04 | 5.004_05 | 5.005 | 5.005_01 | 5.005_02 | 5.005_03 | 5.005_04 | 5.6 | 5.6.0 | 5.6.1 | 5.6.2 | 5.7.3 | 5.8 | 5.8.0 | 5.8.1 | 5.8.2 | 5.8.3 | 5.8.4 | 5.8.5 | 5.8.6 | 5.8.7 | 5.8.8 | 5.8.9 | 5.8.9:rc1 | 5.9.0 | 5.9.1 | 5.9.2 | 5.9.3 | 5.9.4 | 5.9.5 | 5.10 | 5.10.0 | 5.10.1 | 5.10.1:rc1 | 5.10.1:rc2 | 5.11.0 | 5.11.1 | 5.11.2 | 5.11.3 | 5.11.4 | 5.11.5 | 5.12.0 | 5.12.0:rc0 | 5.12.0:rc1 | 5.12.0:rc2 | 5.12.0:rc3 | 5.12.0:rc4 | 5.12.0:rc5 | 5.12.1 | 5.12.1:rc0 | 5.12.1:rc1 | 5.12.1:rc2 | 5.12.2 | 5.12.2:rc1 | 5.12.3 | 5.12.3:rc1 | 5.12.3:rc2 | 5.12.3:rc3 | 5.12.4 | 5.12.4:rc1 | 5.12.4:rc2 | 5.12.5 | 5.12.5:rc1 | 5.12.5:rc2 | 5.13.0 | 5.13.1 | 5.13.2 | 5.13.3 | 5.13.4 | 5.13.5 | 5.13.6 | 5.13.7 | 5.13.8 | 5.13.9 | 5.13.10 | 5.13.11 | 5.14.0 | 5.14.0:rc1 | 5.14.0:rc2 | 5.14.0:rc3 | 5.14.1 | 5.14.1:rc1 | 5.14.2 | 5.14.2:rc1 | 5.14.3 | 5.14.3:rc1 | 5.14.3:rc2 | 5.14.4 | 5.14.4:rc1 | 5.14.4:rc2 | 5.15.0 | 5.15.1 | 5.15.2 | 5.15.3 | 5.15.4 | 5.15.5 | 5.15.6 | 5.15.7 | 5.15.8 | 5.15.9 | 5.16.0 | 5.16.0:rc1 | 5.16.0:rc2 | 5.16.1 | 5.16.2 | 5.16.3 | 5.16.3:rc1 | 5.17.0 | 5.17.1 | 5.17.2 | 5.17.3 | 5.17.4 | 5.17.5 | 5.17.6 | 5.17.7 | 5.17.7.0 | 5.17.8 | 5.17.9 | 5.17.10 | 5.17.11 | 5.18.0 | 5.18.0:rc1 | 5.18.0:rc2 | 5.18.0:rc3 | 5.18.0:rc4 | 5.18.1 | 5.18.2 | 5.18.2:rc1 | 5.18.2:rc2 | 5.18.2:rc3 | 5.18.2:rc4 | 5.18.3 | 
5.18.3:rc1 | 5.18.3:rc2 | 5.18.4 | 5.19.0 | 5.19.1 | 5.19.2 | 5.19.3 | 5.19.4 | 5.19.5 | 5.19.6 | 5.19.7 | 5.19.8 | 5.19.9 | 5.19.10 | 5.19.11 | 5.20.0 | 5.20.0:rc1 | 5.20.1 | 5.20.1:rc1 | 5.20.1:rc2 | 5.20.2 | 5.20.2:rc1 | 5.20.3 | 5.20.3:rc1 | 5.20.3:rc2 | 5.21.0 | 5.21.1 | 5.21.2 | 5.21.3 | 5.21.4 | 5.21.5 | 5.21.6 | 5.21.7 | 5.21.8 | 5.21.9 | 5.21.10 | 5.21.11 | 5.22.0 | 5.22.0:rc1 | 5.22.0:rc2 | 5.22.1 | 5.22.1:rc1 | 5.22.1:rc2 | 5.22.1:rc3 | 5.22.1:rc4 | 5.22.2 | 5.22.2:rc1 | 5.22.3:rc1 | 5.24.0 | 5.24.0:rc1 | 5.24.0:rc2 | 5.24.0:rc3 | 5.24.0:rc4 | 5.24.0:rc5 | 5.24.1:rc1
References (15)
- https://security.gentoo.org/glsa/201701-75
- https://security.gentoo.org/glsa/201812-07
- http://perl5.git.perl.org/perl.git/commit/cee96d52c39b1e7b36e1c62d38bcd8d86e9a41ab
- http://www.securitytracker.com/id/1036440
- http://www.debian.org/security/2016/dsa-3628
- https://lists.apache.org/thread.html/7f6a16bc0fd0fd5e67c7fd95bd655069a2ac7d1f88e42d3c853e601c%40%3Cannounce.apache.org%3E
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TZBNQH3DMI7HDELJAZ4TFJJANHXOEDWH/
- http://www.nntp.perl.org/group/perl.perl5.porters/2016/07/msg238271.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2FBQOCV3GBAN2EYZUM3CFDJ4ECA3GZOK/
- https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05240731
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DOFRQWJRP2NQJEYEWOMECVW3HAMD5SYN/
- http://www.securityfocus.com/bid/92136
- https://lists.debian.org/debian-lts-announce/2018/11/msg00016.html
- https://rt.perl.org/Public/Bug/Display.html?id=127834
- http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00002.html