FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

perl -- local arbitrary code execution

Affected packages
perl5 < 5.18.4_23
5.20 <= perl5 < 5.20.3_14
5.21 <= perl5 < 5.22.3.r2
5.23 <= perl5 < 5.24.1.r2
5.25 <= perl5 < 5.25.3.18
perl5-devel < 5.18.4_23
5.20 <= perl5-devel < 5.20.3_14
5.21 <= perl5-devel < 5.22.3.r2
5.23 <= perl5-devel < 5.24.1.r2
5.25 <= perl5-devel < 5.25.3.18
perl5.18 < 5.18.4_23
5.20 <= perl5.18 < 5.20.3_14
5.21 <= perl5.18 < 5.22.3.r2
5.23 <= perl5.18 < 5.24.1.r2
5.25 <= perl5.18 < 5.25.3.18
perl5.20 < 5.18.4_23
5.20 <= perl5.20 < 5.20.3_14
5.21 <= perl5.20 < 5.22.3.r2
5.23 <= perl5.20 < 5.24.1.r2
5.25 <= perl5.20 < 5.25.3.18
perl5.22 < 5.18.4_23
5.20 <= perl5.22 < 5.20.3_14
5.21 <= perl5.22 < 5.22.3.r2
5.23 <= perl5.22 < 5.24.1.r2
5.25 <= perl5.22 < 5.25.3.18
perl5.24 < 5.18.4_23
5.20 <= perl5.24 < 5.20.3_14
5.21 <= perl5.24 < 5.22.3.r2
5.23 <= perl5.24 < 5.24.1.r2
5.25 <= perl5.24 < 5.25.3.18
0 <= perl

Details

VuXML ID 72bfbb09-5a6a-11e6-a6c3-14dae9d210b8
Discovery 2016-07-21
Entry 2016-08-04
Modified 2016-08-22

Sawyer X reports:

Perl 5.x before 5.22.3-RC2 and 5.24 before 5.24.1-RC2 do not properly remove . (period) characters from the end of the includes directory array, which might allow local users to gain privileges via a Trojan horse module under the current working directory.
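The condition in the report above can be checked on a host by listing a perl's @INC and flagging "." or any other entry that is not an absolute path. The script below is an added example, not part of the VuXML entry or of the Perl project's code; it goes beyond the report by flagging every relative entry, and the function names and sample paths are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag @INC entries that resolve against the current
# working directory. Function names here are hypothetical helpers.

# relative_inc_entries: read one @INC entry per line on stdin and print
# every entry that is not an absolute path ("." is the CVE-2016-1238 case).
relative_inc_entries() {
    while IFS= read -r entry; do
        case "$entry" in
            /*) ;;                          # absolute path: not cwd-dependent
            "") ;;                          # blank input line: ignore
            *)  printf '%s\n' "$entry" ;;   # ".", "lib", "../x", ...
        esac
    done
}

# audit_perl: run the check against a perl binary (default: perl in PATH).
# Returns 0 if no relative entry is found, 1 if at least one is,
# 2 if the binary cannot be found.
audit_perl() {
    perl_bin=${1:-perl}
    command -v "$perl_bin" >/dev/null 2>&1 || {
        echo "$perl_bin: not found" >&2
        return 2
    }
    found=$("$perl_bin" -e 'print "$_\n" for @INC' | relative_inc_entries)
    if [ -n "$found" ]; then
        printf '%s: cwd-relative @INC entries:\n%s\n' "$perl_bin" "$found"
        return 1
    fi
    printf '%s: no cwd-relative @INC entries\n' "$perl_bin"
    return 0
}

# Constructed sample @INC listings (illustrative paths, not from the advisory).
SAMPLE_WITH_DOT='/usr/local/lib/perl5/site_perl
/usr/local/lib/perl5/5.24/mach
.'
SAMPLE_WITHOUT_DOT='/usr/local/lib/perl5/site_perl
/usr/local/lib/perl5/5.24/mach'
```

Call `audit_perl` with no argument to check the perl in PATH, or pass the path of a specific interpreter to check each installed perl in turn.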

References

CVE Name CVE-2016-1238
URL http://www.nntp.perl.org/group/perl.perl5.porters/2016/07/msg238271.html