Arch Linux Security Advisory ASA-201603-9 ========================================= Severity: Medium Date : 2016-03-10 CVE-ID : CVE-2016-2381 Package : perl Type : improper input validation Remote : Yes Link : https://wiki.archlinux.org/index.php/CVE Summary ======= The package perl before version 5.22.1-2 is vulnerable to improper input validation leading to malicious environment variable propagation. Resolution ========== Upgrade to 5.22.1-2. # pacman -Syu "perl>=5.22.1-2" The problem has been fixed upstream in version 5.22.1. Workaround ========== None. Description =========== Stephane Chazelas discovered a bug in the environment handling in Perl. Perl provides a Perl-space hash variable, %ENV, in which environment variables can be looked up. If a variable appears twice in envp, only the last value would appear in %ENV, but getenv would return the first. Perl's taint security mechanism would be applied to the value in %ENV, but not to the other rest of the environment. This could result in an ambiguous environment causing environment variables to be propagated to subprocesses, despite the protections supposedly offered by taint checking. Impact ====== A remote attacker is able to bypass the taint checking and propagate malicious environment variables to subprocesses. References ========== https://access.redhat.com/security/cve/CVE-2016-2381 https://bugs.archlinux.org/task/48482 http://perl5.git.perl.org/perl.git/commitdiff/ae37b791a