Stay Secure with the Latest Linux Advisories

security advisorymedium severityinput validation

Arch Linux: ASA-201603-9 Medium Severity: Perl Improper Input Validation

The package perl before version 5.22.1-2 is vulnerable to improper input validation leading to malicious environment variable propagation. . Arch Linux Security Advisory ASA-201603-9 ======================================== Severity: Medium Date : 2016-03-10 CVE-ID : CVE-2016-2381 Package : perl Type : improper input validation Remote : Yes Link : https://wiki.archlinux.org/title/CVE Summary ====== The package perl before version 5.22.1-2 is vulnerable to improper input validation leading to malicious environment variable propagation. Resolution ========= Upgrade to 5.22.1-2. # pacman -Syu "perl> =5.22.1-2" The problem has been fixed upstream in version 5.22.1. Workaround ========= None. Description ========== Stephane Chazelas discovered a bug in the environment handling in Perl. Perl provides a Perl-space hash variable, %ENV, in which environment variables can be looked up. If a variable appears twice in envp, only the last value would appear in %ENV, but getenv would return the first. Perl's taint security mechanism would be applied to the value in %ENV, but not to the other rest of the environment. This could result in an ambiguous environment causing environment variables to be propagated to subprocesses, despite the protections supposedly offered by taint checking. Impact ===== A remote attacker is able to bypass the taint checking and propagate malicious environment variables to subprocesses. References ========= https://access.redhat.com/security/cve/CVE-2016-2381 https://bugs.archlinux.org/task/48482 . Ubuntu Security Notice USN-3345-1 highlights a vulnerability in OpenSSL found in versions prior to 1.1.0g. This issue may allow remote attackers to exploit weaknesses in secure communications.. Input Validation, Perl Security, Arch Linux Advisory. . Severity: Medium. LinuxSecurity.com Team

Mar 10, 2016 •Medium ArchLinux