Bug #130690 for AnyEvent: security vulnerabilities discovered on AnyEvent modules

Sat Oct 12 02:35:42 2019 biejunh [...] cn.ibm.com - Ticket created

Subject:	security vulnerabilities discovered on AnyEvent modules
Date:	Sat, 12 Oct 2019 05:46:56 +0000
To:	bug-AnyEvent [...] rt.cpan.org
From:	"Jun Hua Bie" <biejunh [...] cn.ibm.com>

Hello CPAN bug team, We are using Strawberry Perl 5.30.0.1 and some Perl modules on our application, according to company's security policy, we ran static code scanning for these open source code, but some security vulnerabilities are discovered during scanning. Ungrouped Missing Setuid (PrivilegeEscalation, CWE-266) 32 CWE: 266 API: Missing Setuid Caller: src\perl32\site\lib\AnyEvent\Util.pm at line 725 call :close ($_) src\perl32\site\lib\AnyEvent\Handle.pm at line 264 call write (triggered when nothing was read I<OR> written) src\perl32\site\lib\AnyEvent\Handle.pm at line 265 call read (triggered when nothing was read) src\perl32\site\lib\AnyEvent\Handle.pm at line 1980 call read (and buffer) src\perl32\site\lib\AnyEvent\Handle.pm at line 2083 call :read ($self->{tls}) src\perl32\site\lib\AnyEvent\Util.pm at line 450 call :close ($_) src\perl32\site\lib\AnyEvent\Util.pm at line 459 call :close ($_) src\perl64\site\lib\AnyEvent\Handle.pm at line 264 call write (triggered when nothing was read I<OR> written) src\perl64\site\lib\AnyEvent\Handle.pm at line 265 call read (triggered when nothing was read) src\perl64\site\lib\AnyEvent\Handle.pm at line 2070 call :write ($self->{tls}, $self->{_tls_wbuf}) src\perl64\site\lib\AnyEvent\Handle.pm at line 1980 call read (and buffer) src\perl64\site\lib\AnyEvent\Handle.pm at line 2083 call :read ($self->{tls}) src\perl64\site\lib\AnyEvent\Util.pm at line 450 call :close ($_) src\perl64\site\lib\AnyEvent\Util.pm at line 459 call :close ($_) src\perl64\site\lib\AnyEvent\Util.pm at line 725 call :close ($_) src\perl32\site\lib\AnyEvent\Handle.pm at line 2070 call :write ($self->{tls}, $self->{_tls_wbuf}) For the details, please refer to following reporting: Do you have any solution to fix these security issues ? It is very urgent for us to fix these issues for our project, could you take it as high priority ? Thanks in advance ! Note: CPAN module AnyEvent-7.16 is used for our applications. Best Regards, Jun Hua Bie Senior IT Specialist Global Technical Service IBM Service Mobile: +86-138-2370-2390 mailto:biejunh@cn.ibm.com

Message body is not shown because sender requested not to inline it.

Sat Oct 12 06:18:56 2019 mcgrath.martin [...] gmail.com - Correspondence added

On Sat Oct 12 07:35:42 2019, biejunh@cn.ibm.com wrote: Show quoted text

> Hello CPAN bug team, > > We are using Strawberry Perl 5.30.0.1 and some Perl modules on our > application, according to company's security policy, we ran static code > scanning for these open source code, but some security vulnerabilities are > discovered during scanning. > Ungrouped Missing Setuid (PrivilegeEscalation, CWE-266) 32 > CWE: 266 > API: Missing Setuid > Caller: > src\perl32\site\lib\AnyEvent\Util.pm at line 725 call :close > ($_) > src\perl32\site\lib\AnyEvent\Handle.pm at line 264 call write > (triggered when nothing was read I<OR> written) > src\perl32\site\lib\AnyEvent\Handle.pm at line 265 call read > (triggered when nothing was read) > src\perl32\site\lib\AnyEvent\Handle.pm at line 1980 call read (and > buffer) > src\perl32\site\lib\AnyEvent\Handle.pm at line 2083 call :read > ($self->{tls}) > src\perl32\site\lib\AnyEvent\Util.pm at line 450 call :close > ($_) > src\perl32\site\lib\AnyEvent\Util.pm at line 459 call :close > ($_) > src\perl64\site\lib\AnyEvent\Handle.pm at line 264 call write > (triggered when nothing was read I<OR> written) > src\perl64\site\lib\AnyEvent\Handle.pm at line 265 call read > (triggered when nothing was read) > src\perl64\site\lib\AnyEvent\Handle.pm at line 2070 call :write > ($self->{tls}, $self->{_tls_wbuf}) > src\perl64\site\lib\AnyEvent\Handle.pm at line 1980 call read (and > buffer) > src\perl64\site\lib\AnyEvent\Handle.pm at line 2083 call :read > ($self->{tls}) > src\perl64\site\lib\AnyEvent\Util.pm at line 450 call :close > ($_) > src\perl64\site\lib\AnyEvent\Util.pm at line 459 call :close > ($_) > src\perl64\site\lib\AnyEvent\Util.pm at line 725 call :close > ($_) > src\perl32\site\lib\AnyEvent\Handle.pm at line 2070 call :write > ($self->{tls}, $self->{_tls_wbuf}) > > For the details, please refer to following reporting: > > > > Do you have any solution to fix these security issues ? It is very > urgent for us to fix these issues for our project, could you take it as > high priority ? > Thanks in advance ! > > Note: CPAN module AnyEvent-7.16 is used for our applications. > > Best Regards, > Jun Hua Bie > Senior IT Specialist > Global Technical Service > IBM Service > Mobile: +86-138-2370-2390 > mailto:biejunh@cn.ibm.com >

See the update to your other ticket regarding the AnyEvent queue: https://rt.cpan.org/Ticket/Display.html?id=130693

Sat Oct 12 06:18:58 2019 The RT System itself - Status changed from 'new' to 'open'

Mon Oct 14 02:57:27 2019 biejunh [...] cn.ibm.com - Correspondence added

Subject:	Re: [rt.cpan.org #130690] security vulnerabilities discovered on AnyEvent modules
Date:	Mon, 14 Oct 2019 14:57:07 +0800
To:	bug-AnyEvent [...] rt.cpan.org
From:	"Jun Hua Bie" <biejunh [...] cn.ibm.com>

Hello team, Which email address I should used for the bug of AnyEvent modules ? I tried to send the email to following address, but there is no response so far. rt.cpan.org@schmorp.de Best Regards, Jun Hua Bie Senior IT Specialist Global Technical Service IBM Service Mobile: +86-138-2370-2390 mailto:biejunh@cn.ibm.com From: "Martin McGrath via RT" <bug-AnyEvent@rt.cpan.org> To: biejunh@cn.ibm.com Date: 10/12/2019 06:19 PM Subject: [EXTERNAL] [rt.cpan.org #130690] security vulnerabilities discovered on AnyEvent modules <URL: https://urldefense.proofpoint.com/v2/url?u=https-3A__rt.cpan.org_Ticket_Display.html-3Fid-3D130690&d=DwIDaQ&c=jf_iaSHvJObTbx-siA1ZOg&r=4MLB-6domc4LM1xvz-t0YzG0kMlwZLc4B-aLJcWPH4o&m=82GiJZ5F11Q8gnR04ENPlWQyFqKXMGw8AoWUbZcM9HM&s=XWAFE0V6BOoVqOa-S3BsqY-InbQ0Nzgrbxne1jSMrRI&e= Show quoted text

>

On Sat Oct 12 07:35:42 2019, biejunh@cn.ibm.com wrote: Show quoted text

> Hello CPAN bug team, > > We are using Strawberry Perl 5.30.0.1 and some Perl modules on our > application, according to company's security policy, we ran static code

Show quoted text

> scanning for these open source code, but some security vulnerabilities

are Show quoted text

> discovered during scanning. > Ungrouped Missing Setuid (PrivilegeEscalation, CWE-266) 32 > CWE: 266 > API: Missing Setuid > Caller: > src\perl32\site\lib\AnyEvent\Util.pm at line 725 call :close > ($_) > src\perl32\site\lib\AnyEvent\Handle.pm at line 264 call write > (triggered when nothing was read I<OR> written) > src\perl32\site\lib\AnyEvent\Handle.pm at line 265 call read > (triggered when nothing was read) > src\perl32\site\lib\AnyEvent\Handle.pm at line 1980 call read

(and Show quoted text

> buffer) > src\perl32\site\lib\AnyEvent\Handle.pm at line 2083 call :read > ($self->{tls}) > src\perl32\site\lib\AnyEvent\Util.pm at line 450 call :close > ($_) > src\perl32\site\lib\AnyEvent\Util.pm at line 459 call :close > ($_) > src\perl64\site\lib\AnyEvent\Handle.pm at line 264 call write > (triggered when nothing was read I<OR> written) > src\perl64\site\lib\AnyEvent\Handle.pm at line 265 call read > (triggered when nothing was read) > src\perl64\site\lib\AnyEvent\Handle.pm at line 2070 call :write > ($self->{tls}, $self->{_tls_wbuf}) > src\perl64\site\lib\AnyEvent\Handle.pm at line 1980 call read

(and Show quoted text

> buffer) > src\perl64\site\lib\AnyEvent\Handle.pm at line 2083 call :read > ($self->{tls}) > src\perl64\site\lib\AnyEvent\Util.pm at line 450 call :close > ($_) > src\perl64\site\lib\AnyEvent\Util.pm at line 459 call :close > ($_) > src\perl64\site\lib\AnyEvent\Util.pm at line 725 call :close > ($_) > src\perl32\site\lib\AnyEvent\Handle.pm at line 2070 call :write > ($self->{tls}, $self->{_tls_wbuf}) > > For the details, please refer to following reporting: > > > > Do you have any solution to fix these security issues ? It is very > urgent for us to fix these issues for our project, could you take it as

Show quoted text

> high priority ? > Thanks in advance ! > > Note: CPAN module AnyEvent-7.16 is used for our applications. > > Best Regards, > Jun Hua Bie > Senior IT Specialist > Global Technical Service > IBM Service > Mobile: +86-138-2370-2390 > mailto:biejunh@cn.ibm.com >

See the update to your other ticket regarding the AnyEvent queue: https://urldefense.proofpoint.com/v2/url?u=https-3A__rt.cpan.org_Ticket_Display.html-3Fid-3D130693&d=DwIDaQ&c=jf_iaSHvJObTbx-siA1ZOg&r=4MLB-6domc4LM1xvz-t0YzG0kMlwZLc4B-aLJcWPH4o&m=82GiJZ5F11Q8gnR04ENPlWQyFqKXMGw8AoWUbZcM9HM&s=_C8_2ALFNBkjhdzQrYOed_JYmKBNKalnWy2o3regL6E&e=