Skip Menu |

This queue is for tickets about the AnyEvent CPAN distribution.

Report information
The Basics
Id: 130690
Status: open
Priority: 0/
Queue: AnyEvent

People
Owner: Nobody in particular
Requestors: biejunh [...] cn.ibm.com
Cc:
AdminCc:

Bug Information
Severity: (no value)
Broken in: (no value)
Fixed in: (no value)



Subject: security vulnerabilities discovered on AnyEvent modules
Date: Sat, 12 Oct 2019 05:46:56 +0000
To: bug-AnyEvent [...] rt.cpan.org
From: "Jun Hua Bie" <biejunh [...] cn.ibm.com>
Hello CPAN bug team, We are using Strawberry Perl 5.30.0.1 and some Perl modules on our application, according to company's security policy, we ran static code scanning for these open source code, but some security vulnerabilities are discovered during scanning. Ungrouped Missing Setuid (PrivilegeEscalation, CWE-266) 32 CWE: 266 API: Missing Setuid Caller: src\perl32\site\lib\AnyEvent\Util.pm at line 725 call :close ($_) src\perl32\site\lib\AnyEvent\Handle.pm at line 264 call write (triggered when nothing was read I<OR> written) src\perl32\site\lib\AnyEvent\Handle.pm at line 265 call read (triggered when nothing was read) src\perl32\site\lib\AnyEvent\Handle.pm at line 1980 call read (and buffer) src\perl32\site\lib\AnyEvent\Handle.pm at line 2083 call :read ($self->{tls}) src\perl32\site\lib\AnyEvent\Util.pm at line 450 call :close ($_) src\perl32\site\lib\AnyEvent\Util.pm at line 459 call :close ($_) src\perl64\site\lib\AnyEvent\Handle.pm at line 264 call write (triggered when nothing was read I<OR> written) src\perl64\site\lib\AnyEvent\Handle.pm at line 265 call read (triggered when nothing was read) src\perl64\site\lib\AnyEvent\Handle.pm at line 2070 call :write ($self->{tls}, $self->{_tls_wbuf}) src\perl64\site\lib\AnyEvent\Handle.pm at line 1980 call read (and buffer) src\perl64\site\lib\AnyEvent\Handle.pm at line 2083 call :read ($self->{tls}) src\perl64\site\lib\AnyEvent\Util.pm at line 450 call :close ($_) src\perl64\site\lib\AnyEvent\Util.pm at line 459 call :close ($_) src\perl64\site\lib\AnyEvent\Util.pm at line 725 call :close ($_) src\perl32\site\lib\AnyEvent\Handle.pm at line 2070 call :write ($self->{tls}, $self->{_tls_wbuf}) For the details, please refer to following reporting: Do you have any solution to fix these security issues ? It is very urgent for us to fix these issues for our project, could you take it as high priority ? Thanks in advance ! Note: CPAN module AnyEvent-7.16 is used for our applications. Best Regards, Jun Hua Bie Senior IT Specialist Global Technical Service IBM Service Mobile: +86-138-2370-2390 mailto:biejunh@cn.ibm.com

Message body is not shown because sender requested not to inline it.

On Sat Oct 12 07:35:42 2019, biejunh@cn.ibm.com wrote: Show quoted text
> Hello CPAN bug team, > > We are using Strawberry Perl 5.30.0.1 and some Perl modules on our > application, according to company's security policy, we ran static code > scanning for these open source code, but some security vulnerabilities are > discovered during scanning. > Ungrouped Missing Setuid (PrivilegeEscalation, CWE-266) 32 > CWE: 266 > API: Missing Setuid > Caller: > src\perl32\site\lib\AnyEvent\Util.pm at line 725 call :close > ($_) > src\perl32\site\lib\AnyEvent\Handle.pm at line 264 call write > (triggered when nothing was read I<OR> written) > src\perl32\site\lib\AnyEvent\Handle.pm at line 265 call read > (triggered when nothing was read) > src\perl32\site\lib\AnyEvent\Handle.pm at line 1980 call read (and > buffer) > src\perl32\site\lib\AnyEvent\Handle.pm at line 2083 call :read > ($self->{tls}) > src\perl32\site\lib\AnyEvent\Util.pm at line 450 call :close > ($_) > src\perl32\site\lib\AnyEvent\Util.pm at line 459 call :close > ($_) > src\perl64\site\lib\AnyEvent\Handle.pm at line 264 call write > (triggered when nothing was read I<OR> written) > src\perl64\site\lib\AnyEvent\Handle.pm at line 265 call read > (triggered when nothing was read) > src\perl64\site\lib\AnyEvent\Handle.pm at line 2070 call :write > ($self->{tls}, $self->{_tls_wbuf}) > src\perl64\site\lib\AnyEvent\Handle.pm at line 1980 call read (and > buffer) > src\perl64\site\lib\AnyEvent\Handle.pm at line 2083 call :read > ($self->{tls}) > src\perl64\site\lib\AnyEvent\Util.pm at line 450 call :close > ($_) > src\perl64\site\lib\AnyEvent\Util.pm at line 459 call :close > ($_) > src\perl64\site\lib\AnyEvent\Util.pm at line 725 call :close > ($_) > src\perl32\site\lib\AnyEvent\Handle.pm at line 2070 call :write > ($self->{tls}, $self->{_tls_wbuf}) > > For the details, please refer to following reporting: > > > > Do you have any solution to fix these security issues ? It is very > urgent for us to fix these issues for our project, could you take it as > high priority ? > Thanks in advance ! > > Note: CPAN module AnyEvent-7.16 is used for our applications. > > Best Regards, > Jun Hua Bie > Senior IT Specialist > Global Technical Service > IBM Service > Mobile: +86-138-2370-2390 > mailto:biejunh@cn.ibm.com >
See the update to your other ticket regarding the AnyEvent queue: https://rt.cpan.org/Ticket/Display.html?id=130693
Subject: Re: [rt.cpan.org #130690] security vulnerabilities discovered on AnyEvent modules
Date: Mon, 14 Oct 2019 14:57:07 +0800
To: bug-AnyEvent [...] rt.cpan.org
From: "Jun Hua Bie" <biejunh [...] cn.ibm.com>
Hello team, Which email address I should used for the bug of AnyEvent modules ? I tried to send the email to following address, but there is no response so far. rt.cpan.org@schmorp.de Best Regards, Jun Hua Bie Senior IT Specialist Global Technical Service IBM Service Mobile: +86-138-2370-2390 mailto:biejunh@cn.ibm.com From: "Martin McGrath via RT" <bug-AnyEvent@rt.cpan.org> To: biejunh@cn.ibm.com Date: 10/12/2019 06:19 PM Subject: [EXTERNAL] [rt.cpan.org #130690] security vulnerabilities discovered on AnyEvent modules <URL: https://urldefense.proofpoint.com/v2/url?u=https-3A__rt.cpan.org_Ticket_Display.html-3Fid-3D130690&d=DwIDaQ&c=jf_iaSHvJObTbx-siA1ZOg&r=4MLB-6domc4LM1xvz-t0YzG0kMlwZLc4B-aLJcWPH4o&m=82GiJZ5F11Q8gnR04ENPlWQyFqKXMGw8AoWUbZcM9HM&s=XWAFE0V6BOoVqOa-S3BsqY-InbQ0Nzgrbxne1jSMrRI&e= Show quoted text
>
On Sat Oct 12 07:35:42 2019, biejunh@cn.ibm.com wrote: Show quoted text
> Hello CPAN bug team, > > We are using Strawberry Perl 5.30.0.1 and some Perl modules on our > application, according to company's security policy, we ran static code
Show quoted text
> scanning for these open source code, but some security vulnerabilities
are Show quoted text
> discovered during scanning. > Ungrouped Missing Setuid (PrivilegeEscalation, CWE-266) 32 > CWE: 266 > API: Missing Setuid > Caller: > src\perl32\site\lib\AnyEvent\Util.pm at line 725 call :close > ($_) > src\perl32\site\lib\AnyEvent\Handle.pm at line 264 call write > (triggered when nothing was read I<OR> written) > src\perl32\site\lib\AnyEvent\Handle.pm at line 265 call read > (triggered when nothing was read) > src\perl32\site\lib\AnyEvent\Handle.pm at line 1980 call read
(and Show quoted text
> buffer) > src\perl32\site\lib\AnyEvent\Handle.pm at line 2083 call :read > ($self->{tls}) > src\perl32\site\lib\AnyEvent\Util.pm at line 450 call :close > ($_) > src\perl32\site\lib\AnyEvent\Util.pm at line 459 call :close > ($_) > src\perl64\site\lib\AnyEvent\Handle.pm at line 264 call write > (triggered when nothing was read I<OR> written) > src\perl64\site\lib\AnyEvent\Handle.pm at line 265 call read > (triggered when nothing was read) > src\perl64\site\lib\AnyEvent\Handle.pm at line 2070 call :write > ($self->{tls}, $self->{_tls_wbuf}) > src\perl64\site\lib\AnyEvent\Handle.pm at line 1980 call read
(and Show quoted text
> buffer) > src\perl64\site\lib\AnyEvent\Handle.pm at line 2083 call :read > ($self->{tls}) > src\perl64\site\lib\AnyEvent\Util.pm at line 450 call :close > ($_) > src\perl64\site\lib\AnyEvent\Util.pm at line 459 call :close > ($_) > src\perl64\site\lib\AnyEvent\Util.pm at line 725 call :close > ($_) > src\perl32\site\lib\AnyEvent\Handle.pm at line 2070 call :write > ($self->{tls}, $self->{_tls_wbuf}) > > For the details, please refer to following reporting: > > > > Do you have any solution to fix these security issues ? It is very > urgent for us to fix these issues for our project, could you take it as
Show quoted text
> high priority ? > Thanks in advance ! > > Note: CPAN module AnyEvent-7.16 is used for our applications. > > Best Regards, > Jun Hua Bie > Senior IT Specialist > Global Technical Service > IBM Service > Mobile: +86-138-2370-2390 > mailto:biejunh@cn.ibm.com >
See the update to your other ticket regarding the AnyEvent queue: https://urldefense.proofpoint.com/v2/url?u=https-3A__rt.cpan.org_Ticket_Display.html-3Fid-3D130693&d=DwIDaQ&c=jf_iaSHvJObTbx-siA1ZOg&r=4MLB-6domc4LM1xvz-t0YzG0kMlwZLc4B-aLJcWPH4o&m=82GiJZ5F11Q8gnR04ENPlWQyFqKXMGw8AoWUbZcM9HM&s=_C8_2ALFNBkjhdzQrYOed_JYmKBNKalnWy2o3regL6E&e=