
This queue is for tickets about the JSON-PP CPAN distribution.

Report information
The Basics
Id: 116539
Status: resolved
Priority: 0/
Queue: JSON-PP

People
Owner: Nobody in particular
Requestors: TONYC [...] cpan.org
Cc:
AdminCc:

Bug Information
Severity: (no value)
Broken in: (no value)
Fixed in: (no value)



Subject: CVE-2016-1238: avoid loading optional modules from default .
JSON::PP treats Scalar::Util as optional and may load Encode, which treats Encode::ConfigLocal as optional.

With the default . in @INC, and if Encode::ConfigLocal is not in the default locations, an attacker can create for example /tmp/Encode/ConfigLocal.pm, and if a process using JSON::PP is started from /tmp, perl will run the attacker's code.

The change to json_pp is purely precautionary.

Patch also available as a pull request at:

https://github.com/makamaka/JSON-PP/pull/25

Tony
Subject: 0001-CVE-2016-1238-avoid-loading-optional-modules-from-de.patch
From 869cca1a100a1081676f17a3af95457fc3f146cb Mon Sep 17 00:00:00 2001 From: Tony Cook <tony@develop-help.com> Date: Thu, 28 Jul 2016 11:16:43 +1000 Subject: [PATCH] CVE-2016-1238: avoid loading optional modules from default . JSON::PP treats Scalar::Util as optional and may load Encode, which treats Encode::ConfigLocal as optional. With the default . in @INC, and if Encode::ConfigLocal is not in the default locations, an attacker can create for example /tmp/Encode/ConfigLocal.pm, and if a process using JSON::PP is started from /tmp, perl will run the attacker's code. The change to json_pp is purely precautionary. The changes to JSON:PP were not included in the recent security patches since Scalar::Util is always available, and Encode was patched to prevent the problem there. --- bin/json_pp | 1 + lib/JSON/PP.pm | 4 ++++ 2 files changed, 5 insertions(+) diff --git a/bin/json_pp b/bin/json_pp index 3362dec..39bed4d 100644 --- a/bin/json_pp +++ b/bin/json_pp @@ -1,5 +1,6 @@ #!/usr/bin/perl +BEGIN { pop @INC if $INC[-1] eq '.' } use strict; use Getopt::Long; diff --git a/lib/JSON/PP.pm b/lib/JSON/PP.pm index 2d27e78..555f6fc 100644 --- a/lib/JSON/PP.pm +++ b/lib/JSON/PP.pm @@ -1271,6 +1271,8 @@ sub _decode_unicode { BEGIN { unless ( defined &utf8::is_utf8 ) { + local @INC = @INC; + pop @INC if $INC[-1] eq '.'; require Encode; *utf8::is_utf8 = *Encode::is_utf8; } @@ -1332,6 +1334,8 @@ BEGIN { # BEGIN { + local @INC = @INC; + pop @INC if $INC[-1] eq '.'; eval 'require Scalar::Util'; unless($@){ *JSON::PP::blessed = \&Scalar::Util::blessed; -- 2.1.4
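Review bot: The BEGIN line added at the top of bin/json_pp has no comment saying why the last @INC entry is dropped, so a later cleanup could remove it as dead-looking code. A short comment naming CVE-2016-1238 above BEGIN { pop @INC if $INC[-1] eq '.' } would help. Its position before use strict and use Getopt::Long is right, since the BEGIN block only affects loads compiled after it.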
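Review bot: In the lib/JSON/PP.pm hunk at line 1271, local @INC = @INC is scoped to the unless block, so the original search path (trailing . included) is restored as soon as require Encode returns. That covers modules Encode pulls in while it is being loaded, which is the Encode::ConfigLocal case in the commit message, but nothing loaded on demand afterwards. A one-line comment stating that scope would make the intent clear.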
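Review bot: The lib/JSON/PP.pm hunk at line 1332 repeats the two lines from the hunk above, and in both places $INC[-1] is compared without checking that @INC is non-empty, which produces an uninitialized-value warning when warnings are in effect and @INC has been emptied. Consider pop @INC if @INC && $INC[-1] eq '.'; and, since the idiom now appears three times across the patch, a shared comment explaining it.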
On Thu Jul 28 10:18:37 2016, TONYC wrote:
> JSON::PP treats Scalar::Util as optional and may load Encode, which
> treats Encode::ConfigLocal as optional.
>
> With the default . in @INC, and if Encode::ConfigLocal is not in
> the default locations, an attacker can create for example
> /tmp/Encode/ConfigLocal.pm, and if a process using JSON::PP is started
> from /tmp, perl will run the attacker's code.
>
> The change to json_pp is purely precautionary.
>
> Patch also available as a pull request at:
>
> https://github.com/makamaka/JSON-PP/pull/25
>
> Tony
Thanks. Applied.
On Sat Aug 27 23:15:02 2016, ISHIGAKI wrote:
> On Thu Jul 28 10:18:37 2016, TONYC wrote:
> > JSON::PP treats Scalar::Util as optional and may load Encode, which
> > treats Encode::ConfigLocal as optional.
> >
> > With the default . in @INC, and if Encode::ConfigLocal is not in
> > the default locations, an attacker can create for example
> > /tmp/Encode/ConfigLocal.pm, and if a process using JSON::PP is started
> > from /tmp, perl will run the attacker's code.
> >
> > The change to json_pp is purely precautionary.
> >
> > Patch also available as a pull request at:
> >
> > https://github.com/makamaka/JSON-PP/pull/25
> >
> > Tony
>
> Thanks. Applied.
Closed as 2.92 was released. Thanks.
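
An added example, not part of the ticket or of JSON::PP's code: a small Perl check for the condition the report describes. It walks a search path in order and reports whether the lookup for each optional module reaches a relative entry such as . before finding the module in an absolute directory, first for the current @INC and then with the patch's trailing-dot removal applied. The names classify and strip_trailing_dot are made up for this illustration.

```perl
#!/usr/bin/perl
# Added illustration: audits the module search path, loads nothing.
use strict;
use warnings;
use File::Spec;

# Modules the ticket names as optionally loaded (directly or via Encode).
my @OPTIONAL = qw(Scalar::Util Encode::ConfigLocal);

# Walk @inc in search order. If a relative entry such as '.' is reached
# before the module is found in an absolute directory, a require of that
# module probes a path that depends on the current working directory.
sub classify {
    my ($module, @inc) = @_;
    (my $file = "$module.pm") =~ s{::}{/}g;
    for my $dir (@inc) {
        next if ref $dir;    # @INC hooks are out of scope here
        return ('exposed', $dir)
            unless File::Spec->file_name_is_absolute($dir);
        return ('ok', $dir) if -f File::Spec->catfile($dir, $file);
    }
    return ('absent', undef);    # not installed, and no cwd lookup either
}

# The ticket's mitigation, applied to a copy of the search path.
sub strip_trailing_dot {
    my @inc = @_;
    pop @inc if @inc && $inc[-1] eq '.';
    return @inc;
}

for my $label ('current @INC', 'trailing . removed') {
    my @inc = $label eq 'current @INC' ? @INC : strip_trailing_dot(@INC);
    print "== $label ==\n";
    for my $module (@OPTIONAL) {
        my ($status, $dir) = classify($module, @inc);
        printf "%-22s %-8s %s\n", $module, $status, defined $dir ? $dir : '-';
    }
}
```

On perl 5.26 and later, where . is no longer in @INC by default, both passes report the same result unless PERL_USE_UNSAFE_INC=1 is set in the environment.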