
command installed: change audited module version range #62

Closed
wants to merge 1 commit into from

Conversation

@sparrow2009 sparrow2009 commented Sep 9, 2024

When auditing installed modules with the command "installed", the audited version range is $version. This results in false positives for modules having advisories with an affected version range >=$version_affected assigned where $version < $version_affected.

This commit changes the audited version range to ==$version.

When auditing installed modules with the command "installed", the audited version range is "$version".
This results in false positives for modules having advisories with an affected version range
">=$version_affected" assigned where $version < $version_affected.

This commit changes the audited version range to "==$version".
briandfoy self-assigned this on Sep 9, 2024.
briandfoy added the labels "Priority: low" (get to this whenever), "Status: needs details" (the problem description needs more information) and "Status: changes requested" (adjust the pull request as noted in comments) on Sep 9, 2024.
@briandfoy briandfoy (Owner) commented

If there's a problem, it's probably going to be in CPAN::Audit::Query::advisories_for, where I find the comment:

# select only the known distribution versions from the database,
# ignoring all others. For example, if $dist_version_range is
# ">5.1", we don't care about any versions less than or equal to 5.1.
# If $dist_version_range is "5.1", that really means ">=5.1"

But, I still don't understand the problem and could use an example of where it fails to figure out if it's working as designed (which might be different than expectations) or if there's something to fix.

@sparrow2009 sparrow2009 (Author) commented Sep 10, 2024

Let me try to illustrate my case. Suppose you have:

perl -v

This is perl 5, version 24, subversion 4 (v5.24.4) built for x86_64-linux
(with 1 registered patch, see perl -V for more detail)
...

Running cpan-audit installed before the patch in question regarding advisories of the distribution perl is equivalent to:

cpan-audit dist perl '5.024004'

(This is actually equivalent to cpan-audit dist perl '>=5.024004' as you pointed out correctly in your comment above.)

And yields 16 advisories:

perl (requires 5.024004) has 16 advisories
  * CPANSA-perl-2018-18313
    Perl before 5.26.3 has a buffer over-read via a crafted regular expression that triggers disclosure of sensitive information from process memory.

    Affected range: <5.26.3
    Fixed range:    >=5.26.3

    CVEs: CVE-2018-18313

    References:
    https://www.debian.org/security/2018/dsa-4347
    https://usn.ubuntu.com/3834-2/
    https://rt.perl.org/Ticket/Display.html?id=133192
    https://metacpan.org/changes/release/SHAY/perl-5.26.3
    https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RWQGEB543QN7SSBRKYJM6PSOC3RLYGSM/
    https://github.com/Perl/perl5/commit/43b2f4ef399e2fd7240b4eeb0658686ad95f8e62
    https://bugzilla.redhat.com/show_bug.cgi?id=1646738
    http://www.securitytracker.com/id/1042181
    https://usn.ubuntu.com/3834-1/
    https://access.redhat.com/errata/RHSA-2019:0010
    https://access.redhat.com/errata/RHSA-2019:0001
    https://security.netapp.com/advisory/ntap-20190221-0003/
    https://support.apple.com/kb/HT209600
    https://seclists.org/bugtraq/2019/Mar/42
    http://seclists.org/fulldisclosure/2019/Mar/49
    https://security.gentoo.org/glsa/201909-01
    https://www.oracle.com/security-alerts/cpujul2020.html

  * CPANSA-perl-2018-18311
    Perl before 5.26.3 and 5.28.x before 5.28.1 has a buffer overflow via a crafted regular expression that triggers invalid write operations.

    Affected range: <5.28.1
    Fixed range:    >=5.28.1

    CVEs: CVE-2018-18311

    References:
    https://www.debian.org/security/2018/dsa-4347
    https://usn.ubuntu.com/3834-2/
    https://rt.perl.org/Ticket/Display.html?id=133204
    https://metacpan.org/changes/release/SHAY/perl-5.28.1
    https://metacpan.org/changes/release/SHAY/perl-5.26.3
    https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RWQGEB543QN7SSBRKYJM6PSOC3RLYGSM/
    https://lists.debian.org/debian-lts-announce/2018/11/msg00039.html
    https://github.com/Perl/perl5/commit/34716e2a6ee2af96078d62b065b7785c001194be
    https://bugzilla.redhat.com/show_bug.cgi?id=1646730
    http://www.securitytracker.com/id/1042181
    https://usn.ubuntu.com/3834-1/
    http://www.securityfocus.com/bid/106145
    https://access.redhat.com/errata/RHSA-2019:0010
    https://access.redhat.com/errata/RHSA-2019:0001
    https://access.redhat.com/errata/RHSA-2019:0109
    https://security.netapp.com/advisory/ntap-20190221-0003/
    https://support.apple.com/kb/HT209600
    https://seclists.org/bugtraq/2019/Mar/42
    http://seclists.org/fulldisclosure/2019/Mar/49
    https://kc.mcafee.com/corporate/index?page=content&id=SB10278
    https://access.redhat.com/errata/RHBA-2019:0327
    https://access.redhat.com/errata/RHSA-2019:1790
    https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html
    https://access.redhat.com/errata/RHSA-2019:1942
    https://access.redhat.com/errata/RHSA-2019:2400
    https://security.gentoo.org/glsa/201909-01
    https://www.oracle.com/security-alerts/cpuapr2020.html
    https://www.oracle.com/security-alerts/cpujul2020.html

  * CPANSA-perl-2023-47100
    In Perl before 5.38.2, S_parse_uniprop_string in regcomp.c can write to unallocated space because a property name associated with a \p{...} regular expression construct is mishandled. The earliest affected version is 5.30.0.

    Affected range: >=5.30.0,<5.36.3
                    >=5.38.0,<5.38.2
    Fixed range:    >=5.38.2

    CVEs: CVE-2023-47100

    References:
    https://github.com/Perl/perl5/commit/ff1f9f59360afeebd6f75ca1502f5c3ebf077da3
    https://github.com/Perl/perl5/commit/12c313ce49b36160a7ca2e9b07ad5bd92ee4a010
    https://github.com/Perl/perl5/commit/7047915eef37fccd93e7cd985c29fe6be54650b6

  * CPANSA-perl-2018-6797
    An issue was discovered in Perl 5.18 through 5.26. A crafted regular expression can cause a heap-based buffer overflow, with control over the bytes written.

    Affected range: >=5.18.0,<5.28.0
    Fixed range:    >=5.28.0

    CVEs: CVE-2018-6797

    References:
    https://www.debian.org/security/2018/dsa-4172
    https://rt.perl.org/Public/Bug/Display.html?id=132227
    http://www.securitytracker.com/id/1040681
    https://access.redhat.com/errata/RHSA-2018:1192
    https://usn.ubuntu.com/3625-1/
    http://www.securitytracker.com/id/1042004
    https://security.gentoo.org/glsa/201909-01
    https://www.oracle.com/security-alerts/cpujul2020.html

  * CPANSA-perl-2018-6913
    Heap-based buffer overflow in the pack function in Perl before 5.26.2 allows context-dependent attackers to execute arbitrary code via a large item count.

    Affected range: <5.26.2
    Fixed range:    >=5.26.2

    CVEs: CVE-2018-6913

    References:
    https://www.debian.org/security/2018/dsa-4172
    https://rt.perl.org/Public/Bug/Display.html?id=131844
    https://lists.debian.org/debian-lts-announce/2018/04/msg00009.html
    http://www.securitytracker.com/id/1040681
    https://usn.ubuntu.com/3625-2/
    https://usn.ubuntu.com/3625-1/
    http://www.securityfocus.com/bid/103953
    https://security.gentoo.org/glsa/201909-01
    https://www.oracle.com/security-alerts/cpujul2020.html

  * CPANSA-perl-2023-47039
    Perl for Windows relies on the system path environment variable to find the shell (cmd.exe). When running an executable which uses Windows Perl interpreter, Perl attempts to find and execute cmd.exe within the operating system. However, due to path search order issues, Perl initially looks for cmd.exe in the current working directory.
An attacker with limited privileges can exploit this behavior by placing cmd.exe in locations with weak permissions, such as C:\ProgramData. By doing so, when an administrator attempts to use this executable from these compromised locations, arbitrary code can be executed.

    Affected range: <=5.38.0
    Fixed range:    

    CVEs: CVE-2023-47039

    References:

  * CPANSA-perl-2018-6798
    An issue was discovered in Perl 5.22 through 5.26. Matching a crafted locale dependent regular expression can cause a heap-based buffer over-read and potentially information disclosure.

    Affected range: >=5.22.0,<5.28.0
    Fixed range:    >=5.28.0

    CVEs: CVE-2018-6798

    References:
    https://www.debian.org/security/2018/dsa-4172
    https://rt.perl.org/Public/Bug/Display.html?id=132063
    http://www.securitytracker.com/id/1040681
    https://access.redhat.com/errata/RHSA-2018:1192
    https://usn.ubuntu.com/3625-1/
    https://security.gentoo.org/glsa/201909-01
    https://www.oracle.com/security-alerts/cpujul2020.html

  * CPANSA-perl-2020-12723
    regcomp.c in Perl before 5.30.3 allows a buffer overflow via a crafted regular expression because of recursive S_study_chunk calls.

    Affected range: <5.30.3
    Fixed range:    >=5.30.3

    CVEs: CVE-2020-12723

    References:
    https://github.com/Perl/perl5/compare/v5.30.2...v5.30.3
    https://github.com/Perl/perl5/blob/blead/pod/perl5303delta.pod
    https://github.com/Perl/perl5/issues/16947
    https://github.com/perl/perl5/commit/66bbb51b93253a3f87d11c2695cfb7bdb782184a
    https://github.com/Perl/perl5/issues/17743
    https://security.netapp.com/advisory/ntap-20200611-0001/
    https://security.gentoo.org/glsa/202006-03
    https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IN3TTBO5KSGWE5IRIKDJ5JSQRH7ANNXE/
    http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00044.html
    https://www.oracle.com/security-alerts/cpuoct2020.html
    https://www.oracle.com/security-alerts/cpujan2021.html
    https://www.oracle.com/security-alerts/cpuApr2021.html
    https://www.oracle.com//security-alerts/cpujul2021.html
    https://www.oracle.com/security-alerts/cpuoct2021.html
    https://www.oracle.com/security-alerts/cpujan2022.html
    https://www.oracle.com/security-alerts/cpuapr2022.html

  * CPANSA-perl-2017-12883
    Buffer overflow in the S_grok_bslash_N function in regcomp.c in Perl 5 before 5.24.3-RC1 and 5.26.x before 5.26.1-RC1 allows remote attackers to disclose sensitive information or cause a denial of service (application crash) via a crafted regular expression with an invalid '\\N{U+...}' escape.

    Affected range: <5.26.1
    Fixed range:    >=5.26.1

    CVEs: CVE-2017-12883

    References:
    https://perl5.git.perl.org/perl.git/log/refs/tags/v5.26.1-RC1
    https://perl5.git.perl.org/perl.git/log/refs/tags/v5.24.3-RC1
    https://perl5.git.perl.org/perl.git/commitdiff/2be4edede4ae226e2eebd4eff28cedd2041f300f#patch1
    https://bugzilla.redhat.com/show_bug.cgi?id=1492093
    http://www.securityfocus.com/bid/100852
    http://mirror.cucumberlinux.com/cucumber/cucumber-1.0/source/lang-base/perl/patches/CVE-2017-12883.patch
    https://rt.perl.org/Public/Bug/Display.html?id=131598
    http://www.debian.org/security/2017/dsa-3982
    https://security.netapp.com/advisory/ntap-20180426-0001/
    https://www.oracle.com/security-alerts/cpujul2020.html

  * CPANSA-perl-2018-18314
    Perl before 5.26.3 has a buffer overflow via a crafted regular expression that triggers invalid write operations.

    Affected range: <5.26.3
    Fixed range:    >=5.26.3

    CVEs: CVE-2018-18314

    References:
    https://www.debian.org/security/2018/dsa-4347
    https://rt.perl.org/Ticket/Display.html?id=131649
    https://metacpan.org/changes/release/SHAY/perl-5.26.3
    https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RWQGEB543QN7SSBRKYJM6PSOC3RLYGSM/
    https://github.com/Perl/perl5/commit/19a498a461d7c81ae3507c450953d1148efecf4f
    https://bugzilla.redhat.com/show_bug.cgi?id=1646751
    http://www.securitytracker.com/id/1042181
    https://usn.ubuntu.com/3834-1/
    http://www.securityfocus.com/bid/106145
    https://access.redhat.com/errata/RHSA-2019:0010
    https://access.redhat.com/errata/RHSA-2019:0001
    https://security.netapp.com/advisory/ntap-20190221-0003/
    https://security.gentoo.org/glsa/201909-01
    https://www.oracle.com/security-alerts/cpujul2020.html

  * CPANSA-perl-2017-12814
    Stack-based buffer overflow in the CPerlHost::Add method in win32/perlhost.h in Perl before 5.24.3-RC1 and 5.26.x before 5.26.1-RC1 on Windows allows attackers to execute arbitrary code via a long environment variable.

    Affected range: >=5.24.0,<=5.26.0
    Fixed range:    

    CVEs: CVE-2017-12814

    References:
    https://rt.perl.org/Public/Bug/Display.html?id=131665
    https://perl5.git.perl.org/perl.git/log/refs/tags/v5.26.1-RC1
    https://perl5.git.perl.org/perl.git/log/refs/tags/v5.24.3-RC1
    http://www.securityfocus.com/bid/101051
    https://security.netapp.com/advisory/ntap-20180426-0001/
    https://www.oracle.com/security-alerts/cpujul2020.html

  * CPANSA-perl-2017-12837
    Heap-based buffer overflow in the S_regatom function in regcomp.c in Perl 5 before 5.24.3-RC1 and 5.26.x before 5.26.1-RC1 allows remote attackers to cause a denial of service (out-of-bounds write) via a regular expression with a '\\N{}' escape and the case-insensitive modifier.

    Affected range: <5.26.1
    Fixed range:    >=5.28.1

    CVEs: CVE-2017-12837

    References:
    https://perl5.git.perl.org/perl.git/log/refs/tags/v5.26.1-RC1
    https://perl5.git.perl.org/perl.git/log/refs/tags/v5.24.3-RC1
    https://perl5.git.perl.org/perl.git/commitdiff/96c83ed78aeea1a0496dd2b2d935869a822dc8a5
    https://bugzilla.redhat.com/show_bug.cgi?id=1492091
    http://www.securityfocus.com/bid/100860
    https://rt.perl.org/Public/Bug/Display.html?id=131582
    http://www.debian.org/security/2017/dsa-3982
    https://security.netapp.com/advisory/ntap-20180426-0001/
    https://www.oracle.com/security-alerts/cpujul2020.html

  * CPANSA-perl-2020-10543
    Perl before 5.30.3 on 32-bit platforms allows a heap-based buffer overflow because nested regular expression quantifiers have an integer overflow.

    Affected range: <5.30.3
    Fixed range:    >=5.30.3

    CVEs: CVE-2020-10543

    References:
    https://github.com/Perl/perl5/compare/v5.30.2...v5.30.3
    https://github.com/perl/perl5/commit/897d1f7fd515b828e4b198d8b8bef76c6faf03ed
    https://github.com/Perl/perl5/blob/blead/pod/perl5303delta.pod
    https://security.netapp.com/advisory/ntap-20200611-0001/
    https://security.gentoo.org/glsa/202006-03
    https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IN3TTBO5KSGWE5IRIKDJ5JSQRH7ANNXE/
    http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00044.html
    https://www.oracle.com/security-alerts/cpuoct2020.html
    https://www.oracle.com/security-alerts/cpujan2021.html
    https://www.oracle.com/security-alerts/cpuApr2021.html
    https://www.oracle.com//security-alerts/cpujul2021.html
    https://www.oracle.com/security-alerts/cpuoct2021.html
    https://www.oracle.com/security-alerts/cpujan2022.html
    https://www.oracle.com/security-alerts/cpuapr2022.html

  * CPANSA-perl-2023-47038
    A crafted regular expression when compiled by perl 5.30.0 through 5.38.0 can cause a one attacker controlled byte buffer overflow in a heap allocated buffer

    Affected range: >=5.30.0,<5.34.3
                    >=5.36.0,<5.36.3
                    >=5.38.0,<5.38.2
    Fixed range:    5.34.3
                    5.36.3
                    5.38.2

    CVEs: CVE-2023-47038

    References:

  * CPANSA-perl-2018-18312
    Perl before 5.26.3 and 5.28.0 before 5.28.1 has a buffer overflow via a crafted regular expression that triggers invalid write operations.

    Affected range: <5.28.1
    Fixed range:    >=5.28.1

    CVEs: CVE-2018-18312

    References:
    https://www.debian.org/security/2018/dsa-4347
    https://rt.perl.org/Public/Bug/Display.html?id=133423
    https://metacpan.org/changes/release/SHAY/perl-5.28.1
    https://metacpan.org/changes/release/SHAY/perl-5.26.3
    https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RWQGEB543QN7SSBRKYJM6PSOC3RLYGSM/
    https://bugzilla.redhat.com/show_bug.cgi?id=1646734
    http://www.securitytracker.com/id/1042181
    https://usn.ubuntu.com/3834-1/
    http://www.securityfocus.com/bid/106179
    https://access.redhat.com/errata/RHSA-2019:0010
    https://access.redhat.com/errata/RHSA-2019:0001
    https://security.netapp.com/advisory/ntap-20190221-0003/
    https://security.gentoo.org/glsa/201909-01
    https://www.oracle.com/security-alerts/cpujul2020.html

  * CPANSA-perl-2020-10878
    Perl before 5.30.3 has an integer overflow related to mishandling of a "PL_regkind[OP(n)] == NOTHING" situation. A crafted regular expression could lead to malformed bytecode with a possibility of instruction injection.

    Affected range: <5.30.3
    Fixed range:    >=5.30.3

    CVEs: CVE-2020-10878

    References:
    https://github.com/Perl/perl5/compare/v5.30.2...v5.30.3
    https://github.com/perl/perl5/commit/3295b48defa0f8570114877b063fe546dd348b3c
    https://github.com/perl/perl5/commit/0a320d753fe7fca03df259a4dfd8e641e51edaa8
    https://github.com/Perl/perl5/blob/blead/pod/perl5303delta.pod
    https://security.netapp.com/advisory/ntap-20200611-0001/
    https://security.gentoo.org/glsa/202006-03
    https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IN3TTBO5KSGWE5IRIKDJ5JSQRH7ANNXE/
    http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00044.html
    https://www.oracle.com/security-alerts/cpuoct2020.html
    https://www.oracle.com/security-alerts/cpujan2021.html
    https://www.oracle.com/security-alerts/cpuApr2021.html
    https://www.oracle.com//security-alerts/cpujul2021.html
    https://www.oracle.com/security-alerts/cpuoct2021.html
    https://www.oracle.com/security-alerts/cpujan2022.html
    https://www.oracle.com/security-alerts/cpuapr2022.html

With the patch it is equivalent to:

cpan-audit dist perl '==5.024004'

And yields 14 advisories:

perl (requires ==5.024004) has 14 advisories
  * CPANSA-perl-2018-18313
    Perl before 5.26.3 has a buffer over-read via a crafted regular expression that triggers disclosure of sensitive information from process memory.

    Affected range: <5.26.3
    Fixed range:    >=5.26.3

    CVEs: CVE-2018-18313

    References:
    https://www.debian.org/security/2018/dsa-4347
    https://usn.ubuntu.com/3834-2/
    https://rt.perl.org/Ticket/Display.html?id=133192
    https://metacpan.org/changes/release/SHAY/perl-5.26.3
    https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RWQGEB543QN7SSBRKYJM6PSOC3RLYGSM/
    https://github.com/Perl/perl5/commit/43b2f4ef399e2fd7240b4eeb0658686ad95f8e62
    https://bugzilla.redhat.com/show_bug.cgi?id=1646738
    http://www.securitytracker.com/id/1042181
    https://usn.ubuntu.com/3834-1/
    https://access.redhat.com/errata/RHSA-2019:0010
    https://access.redhat.com/errata/RHSA-2019:0001
    https://security.netapp.com/advisory/ntap-20190221-0003/
    https://support.apple.com/kb/HT209600
    https://seclists.org/bugtraq/2019/Mar/42
    http://seclists.org/fulldisclosure/2019/Mar/49
    https://security.gentoo.org/glsa/201909-01
    https://www.oracle.com/security-alerts/cpujul2020.html

  * CPANSA-perl-2023-47039
    Perl for Windows relies on the system path environment variable to find the shell (cmd.exe). When running an executable which uses Windows Perl interpreter, Perl attempts to find and execute cmd.exe within the operating system. However, due to path search order issues, Perl initially looks for cmd.exe in the current working directory.
An attacker with limited privileges can exploit this behavior by placing cmd.exe in locations with weak permissions, such as C:\ProgramData. By doing so, when an administrator attempts to use this executable from these compromised locations, arbitrary code can be executed.

    Affected range: <=5.38.0
    Fixed range:    

    CVEs: CVE-2023-47039

    References:

  * CPANSA-perl-2017-12837
    Heap-based buffer overflow in the S_regatom function in regcomp.c in Perl 5 before 5.24.3-RC1 and 5.26.x before 5.26.1-RC1 allows remote attackers to cause a denial of service (out-of-bounds write) via a regular expression with a '\\N{}' escape and the case-insensitive modifier.

    Affected range: <5.26.1
    Fixed range:    >=5.28.1

    CVEs: CVE-2017-12837

    References:
    https://perl5.git.perl.org/perl.git/log/refs/tags/v5.26.1-RC1
    https://perl5.git.perl.org/perl.git/log/refs/tags/v5.24.3-RC1
    https://perl5.git.perl.org/perl.git/commitdiff/96c83ed78aeea1a0496dd2b2d935869a822dc8a5
    https://bugzilla.redhat.com/show_bug.cgi?id=1492091
    http://www.securityfocus.com/bid/100860
    https://rt.perl.org/Public/Bug/Display.html?id=131582
    http://www.debian.org/security/2017/dsa-3982
    https://security.netapp.com/advisory/ntap-20180426-0001/
    https://www.oracle.com/security-alerts/cpujul2020.html

  * CPANSA-perl-2020-10543
    Perl before 5.30.3 on 32-bit platforms allows a heap-based buffer overflow because nested regular expression quantifiers have an integer overflow.

    Affected range: <5.30.3
    Fixed range:    >=5.30.3

    CVEs: CVE-2020-10543

    References:
    https://github.com/Perl/perl5/compare/v5.30.2...v5.30.3
    https://github.com/perl/perl5/commit/897d1f7fd515b828e4b198d8b8bef76c6faf03ed
    https://github.com/Perl/perl5/blob/blead/pod/perl5303delta.pod
    https://security.netapp.com/advisory/ntap-20200611-0001/
    https://security.gentoo.org/glsa/202006-03
    https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IN3TTBO5KSGWE5IRIKDJ5JSQRH7ANNXE/
    http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00044.html
    https://www.oracle.com/security-alerts/cpuoct2020.html
    https://www.oracle.com/security-alerts/cpujan2021.html
    https://www.oracle.com/security-alerts/cpuApr2021.html
    https://www.oracle.com//security-alerts/cpujul2021.html
    https://www.oracle.com/security-alerts/cpuoct2021.html
    https://www.oracle.com/security-alerts/cpujan2022.html
    https://www.oracle.com/security-alerts/cpuapr2022.html

  * CPANSA-perl-2018-6797
    An issue was discovered in Perl 5.18 through 5.26. A crafted regular expression can cause a heap-based buffer overflow, with control over the bytes written.

    Affected range: >=5.18.0,<5.28.0
    Fixed range:    >=5.28.0

    CVEs: CVE-2018-6797

    References:
    https://www.debian.org/security/2018/dsa-4172
    https://rt.perl.org/Public/Bug/Display.html?id=132227
    http://www.securitytracker.com/id/1040681
    https://access.redhat.com/errata/RHSA-2018:1192
    https://usn.ubuntu.com/3625-1/
    http://www.securitytracker.com/id/1042004
    https://security.gentoo.org/glsa/201909-01
    https://www.oracle.com/security-alerts/cpujul2020.html

  * CPANSA-perl-2017-12814
    Stack-based buffer overflow in the CPerlHost::Add method in win32/perlhost.h in Perl before 5.24.3-RC1 and 5.26.x before 5.26.1-RC1 on Windows allows attackers to execute arbitrary code via a long environment variable.

    Affected range: >=5.24.0,<=5.26.0
    Fixed range:    

    CVEs: CVE-2017-12814

    References:
    https://rt.perl.org/Public/Bug/Display.html?id=131665
    https://perl5.git.perl.org/perl.git/log/refs/tags/v5.26.1-RC1
    https://perl5.git.perl.org/perl.git/log/refs/tags/v5.24.3-RC1
    http://www.securityfocus.com/bid/101051
    https://security.netapp.com/advisory/ntap-20180426-0001/
    https://www.oracle.com/security-alerts/cpujul2020.html

  * CPANSA-perl-2017-12883
    Buffer overflow in the S_grok_bslash_N function in regcomp.c in Perl 5 before 5.24.3-RC1 and 5.26.x before 5.26.1-RC1 allows remote attackers to disclose sensitive information or cause a denial of service (application crash) via a crafted regular expression with an invalid '\\N{U+...}' escape.

    Affected range: <5.26.1
    Fixed range:    >=5.26.1

    CVEs: CVE-2017-12883

    References:
    https://perl5.git.perl.org/perl.git/log/refs/tags/v5.26.1-RC1
    https://perl5.git.perl.org/perl.git/log/refs/tags/v5.24.3-RC1
    https://perl5.git.perl.org/perl.git/commitdiff/2be4edede4ae226e2eebd4eff28cedd2041f300f#patch1
    https://bugzilla.redhat.com/show_bug.cgi?id=1492093
    http://www.securityfocus.com/bid/100852
    http://mirror.cucumberlinux.com/cucumber/cucumber-1.0/source/lang-base/perl/patches/CVE-2017-12883.patch
    https://rt.perl.org/Public/Bug/Display.html?id=131598
    http://www.debian.org/security/2017/dsa-3982
    https://security.netapp.com/advisory/ntap-20180426-0001/
    https://www.oracle.com/security-alerts/cpujul2020.html

  * CPANSA-perl-2018-6913
    Heap-based buffer overflow in the pack function in Perl before 5.26.2 allows context-dependent attackers to execute arbitrary code via a large item count.

    Affected range: <5.26.2
    Fixed range:    >=5.26.2

    CVEs: CVE-2018-6913

    References:
    https://www.debian.org/security/2018/dsa-4172
    https://rt.perl.org/Public/Bug/Display.html?id=131844
    https://lists.debian.org/debian-lts-announce/2018/04/msg00009.html
    http://www.securitytracker.com/id/1040681
    https://usn.ubuntu.com/3625-2/
    https://usn.ubuntu.com/3625-1/
    http://www.securityfocus.com/bid/103953
    https://security.gentoo.org/glsa/201909-01
    https://www.oracle.com/security-alerts/cpujul2020.html

  * CPANSA-perl-2020-10878
    Perl before 5.30.3 has an integer overflow related to mishandling of a "PL_regkind[OP(n)] == NOTHING" situation. A crafted regular expression could lead to malformed bytecode with a possibility of instruction injection.

    Affected range: <5.30.3
    Fixed range:    >=5.30.3

    CVEs: CVE-2020-10878

    References:
    https://github.com/Perl/perl5/compare/v5.30.2...v5.30.3
    https://github.com/perl/perl5/commit/3295b48defa0f8570114877b063fe546dd348b3c
    https://github.com/perl/perl5/commit/0a320d753fe7fca03df259a4dfd8e641e51edaa8
    https://github.com/Perl/perl5/blob/blead/pod/perl5303delta.pod
    https://security.netapp.com/advisory/ntap-20200611-0001/
    https://security.gentoo.org/glsa/202006-03
    https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IN3TTBO5KSGWE5IRIKDJ5JSQRH7ANNXE/
    http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00044.html
    https://www.oracle.com/security-alerts/cpuoct2020.html
    https://www.oracle.com/security-alerts/cpujan2021.html
    https://www.oracle.com/security-alerts/cpuApr2021.html
    https://www.oracle.com//security-alerts/cpujul2021.html
    https://www.oracle.com/security-alerts/cpuoct2021.html
    https://www.oracle.com/security-alerts/cpujan2022.html
    https://www.oracle.com/security-alerts/cpuapr2022.html

  * CPANSA-perl-2018-18312
    Perl before 5.26.3 and 5.28.0 before 5.28.1 has a buffer overflow via a crafted regular expression that triggers invalid write operations.

    Affected range: <5.28.1
    Fixed range:    >=5.28.1

    CVEs: CVE-2018-18312

    References:
    https://www.debian.org/security/2018/dsa-4347
    https://rt.perl.org/Public/Bug/Display.html?id=133423
    https://metacpan.org/changes/release/SHAY/perl-5.28.1
    https://metacpan.org/changes/release/SHAY/perl-5.26.3
    https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RWQGEB543QN7SSBRKYJM6PSOC3RLYGSM/
    https://bugzilla.redhat.com/show_bug.cgi?id=1646734
    http://www.securitytracker.com/id/1042181
    https://usn.ubuntu.com/3834-1/
    http://www.securityfocus.com/bid/106179
    https://access.redhat.com/errata/RHSA-2019:0010
    https://access.redhat.com/errata/RHSA-2019:0001
    https://security.netapp.com/advisory/ntap-20190221-0003/
    https://security.gentoo.org/glsa/201909-01
    https://www.oracle.com/security-alerts/cpujul2020.html

  * CPANSA-perl-2018-6798
    An issue was discovered in Perl 5.22 through 5.26. Matching a crafted locale dependent regular expression can cause a heap-based buffer over-read and potentially information disclosure.

    Affected range: >=5.22.0,<5.28.0
    Fixed range:    >=5.28.0

    CVEs: CVE-2018-6798

    References:
    https://www.debian.org/security/2018/dsa-4172
    https://rt.perl.org/Public/Bug/Display.html?id=132063
    http://www.securitytracker.com/id/1040681
    https://access.redhat.com/errata/RHSA-2018:1192
    https://usn.ubuntu.com/3625-1/
    https://security.gentoo.org/glsa/201909-01
    https://www.oracle.com/security-alerts/cpujul2020.html

  * CPANSA-perl-2018-18311
    Perl before 5.26.3 and 5.28.x before 5.28.1 has a buffer overflow via a crafted regular expression that triggers invalid write operations.

    Affected range: <5.28.1
    Fixed range:    >=5.28.1

    CVEs: CVE-2018-18311

    References:
    https://www.debian.org/security/2018/dsa-4347
    https://usn.ubuntu.com/3834-2/
    https://rt.perl.org/Ticket/Display.html?id=133204
    https://metacpan.org/changes/release/SHAY/perl-5.28.1
    https://metacpan.org/changes/release/SHAY/perl-5.26.3
    https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RWQGEB543QN7SSBRKYJM6PSOC3RLYGSM/
    https://lists.debian.org/debian-lts-announce/2018/11/msg00039.html
    https://github.com/Perl/perl5/commit/34716e2a6ee2af96078d62b065b7785c001194be
    https://bugzilla.redhat.com/show_bug.cgi?id=1646730
    http://www.securitytracker.com/id/1042181
    https://usn.ubuntu.com/3834-1/
    http://www.securityfocus.com/bid/106145
    https://access.redhat.com/errata/RHSA-2019:0010
    https://access.redhat.com/errata/RHSA-2019:0001
    https://access.redhat.com/errata/RHSA-2019:0109
    https://security.netapp.com/advisory/ntap-20190221-0003/
    https://support.apple.com/kb/HT209600
    https://seclists.org/bugtraq/2019/Mar/42
    http://seclists.org/fulldisclosure/2019/Mar/49
    https://kc.mcafee.com/corporate/index?page=content&id=SB10278
    https://access.redhat.com/errata/RHBA-2019:0327
    https://access.redhat.com/errata/RHSA-2019:1790
    https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html
    https://access.redhat.com/errata/RHSA-2019:1942
    https://access.redhat.com/errata/RHSA-2019:2400
    https://security.gentoo.org/glsa/201909-01
    https://www.oracle.com/security-alerts/cpuapr2020.html
    https://www.oracle.com/security-alerts/cpujul2020.html

  * CPANSA-perl-2018-18314
    Perl before 5.26.3 has a buffer overflow via a crafted regular expression that triggers invalid write operations.

    Affected range: <5.26.3
    Fixed range:    >=5.26.3

    CVEs: CVE-2018-18314

    References:
    https://www.debian.org/security/2018/dsa-4347
    https://rt.perl.org/Ticket/Display.html?id=131649
    https://metacpan.org/changes/release/SHAY/perl-5.26.3
    https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RWQGEB543QN7SSBRKYJM6PSOC3RLYGSM/
    https://github.com/Perl/perl5/commit/19a498a461d7c81ae3507c450953d1148efecf4f
    https://bugzilla.redhat.com/show_bug.cgi?id=1646751
    http://www.securitytracker.com/id/1042181
    https://usn.ubuntu.com/3834-1/
    http://www.securityfocus.com/bid/106145
    https://access.redhat.com/errata/RHSA-2019:0010
    https://access.redhat.com/errata/RHSA-2019:0001
    https://security.netapp.com/advisory/ntap-20190221-0003/
    https://security.gentoo.org/glsa/201909-01
    https://www.oracle.com/security-alerts/cpujul2020.html

  * CPANSA-perl-2020-12723
    regcomp.c in Perl before 5.30.3 allows a buffer overflow via a crafted regular expression because of recursive S_study_chunk calls.

    Affected range: <5.30.3
    Fixed range:    >=5.30.3

    CVEs: CVE-2020-12723

    References:
    https://github.com/Perl/perl5/compare/v5.30.2...v5.30.3
    https://github.com/Perl/perl5/blob/blead/pod/perl5303delta.pod
    https://github.com/Perl/perl5/issues/16947
    https://github.com/perl/perl5/commit/66bbb51b93253a3f87d11c2695cfb7bdb782184a
    https://github.com/Perl/perl5/issues/17743
    https://security.netapp.com/advisory/ntap-20200611-0001/
    https://security.gentoo.org/glsa/202006-03
    https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IN3TTBO5KSGWE5IRIKDJ5JSQRH7ANNXE/
    http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00044.html
    https://www.oracle.com/security-alerts/cpuoct2020.html
    https://www.oracle.com/security-alerts/cpujan2021.html
    https://www.oracle.com/security-alerts/cpuApr2021.html
    https://www.oracle.com//security-alerts/cpujul2021.html
    https://www.oracle.com/security-alerts/cpuoct2021.html
    https://www.oracle.com/security-alerts/cpujan2022.html
    https://www.oracle.com/security-alerts/cpuapr2022.html

Note this time the following advisories are missing:

CPANSA-perl-2023-47100
Affected range: >=5.30.0,<5.36.3
                >=5.38.0,<5.38.2
Fixed range:    >=5.38.2

and

CPANSA-perl-2023-47038
Affected range: >=5.30.0,<5.34.3
                >=5.36.0,<5.36.3
                >=5.38.0,<5.38.2
Fixed range:    5.34.3
                5.36.3
                5.38.2

I argue that the patched version is more useful and also more in line with what one would expect from a command named installed: "Audit the installed distributions for known vulnerabilities. I do not care if later (not presently installed) versions of those distributions will introduce vulnerabilities. Leave this to the deps command."

(As an aside: It turned out that it is not reflected by the advisory database that some CVEs have been addressed already in maintenance versions of perl v5.24.x.)

@briandfoy
Owner

Are you using the latest CPAN::Audit? Can you show the output of cpan-audit --version?

When I run cpan-audit5.24.4 dist perl 5.024004 on perl 5.24.4, I get 14 advisories and I don't get the CPANSA-perl-2023-47100 or CPANSA-perl-2023-47038 reports. Note that the exit code is the number of reports plus 64 (so, 14 in this case):

$ cpan-audit5.24.4 --version
CPAN::Audit 20240908.001
$ cpan-audit5.24.4 dist perl 5.024004 > /dev/null
$ echo $?
78

This is not the same thing as cpan-audit installed, which only returns two reports (File::Temp and CPAN::Checksums). You'll have to explain that connection a bit more.

There's a chance that with older data there was some error in the report that forms the basis of the database, and that this error was fixed.

Can you also show me the output of cpan-audit5.24.4 show CPANSA-perl-2023-47100?

@sparrow2009
Author

Took me a while to reach this guess: Are you using the still-to-be-released CPANSA::DB locally?

When using CPAN::Audit::DB instead, during the evaluation of $Module::CoreList::version{$]} some core modules are mapped to dist perl by module2dist and therefore perl is added to $dists even in the absence of option include_perl.

It seems only by chance that the correct version for dist perl is figured out, as B::Op_private is at version 5.024004 and ranks highest of all core modules that are mapped to dist perl.

(Hope I am not too wrong here as this analysis happened in a hurry.)

As per your request:

$something/bin/cpan-audit version 1.502 using:
        CPAN::Audit 20240908.001
        CPANSA::DB
cpan-audit show CPANSA-perl-2023-47100
  * CPANSA-perl-2023-47100
    In Perl before 5.38.2, S_parse_uniprop_string in regcomp.c can write to unallocated space because a property name associated with a \p{...} regular expression construct is mishandled. The earliest affected version is 5.30.0.

    Affected range: >=5.30.0,<5.36.3
                    >=5.38.0,<5.38.2
    Fixed range:    >=5.38.2

    CVEs: CVE-2023-47100

    References:
    https://github.com/Perl/perl5/commit/ff1f9f59360afeebd6f75ca1502f5c3ebf077da3
    https://github.com/Perl/perl5/commit/12c313ce49b36160a7ca2e9b07ad5bd92ee4a010
    https://github.com/Perl/perl5/commit/7047915eef37fccd93e7cd985c29fe6be54650b6


briandfoy added a commit that referenced this pull request Sep 10, 2024
@briandfoy
Owner

I added the t/cli/dist.t test for this check. It passes GitHub Actions and I've released 20240911.001_01 so CPAN Testers can check it. So far the tests have not seen the same reports that you note in this issue.

briandfoy added a commit to briandfoy/cpan-security-advisory that referenced this pull request Sep 10, 2024
briandfoy added a commit to briandfoy/cpan-security-advisory that referenced this pull request Sep 10, 2024
briandfoy added a commit to briandfoy/cpan-security-advisory that referenced this pull request Sep 10, 2024
briandfoy added a commit to briandfoy/cpan-security-advisory that referenced this pull request Sep 10, 2024
@briandfoy
Owner

Heh, you were right. I had a CPANSA::DB lying around in one version of perl that I was using to test this. And, there was a bug in --version that kept that from showing up.

I think we are seeing the same output here, although I also fixed up several of the perl reports too.

There are a couple ways to go with the dist command:

  • leave this alone because this is the existing behavior. You'd have to use the == explicitly to get what you want. However, this needs to be documented.
  • change the existing behavior such that a version range on the command line is implicitly == instead of '>=' if no range characters are specified. This still needs to be documented.
  • change CPAN::Audit::Version::in_range to make == the default. This might do more than we really want, but I think it might be the better fix. This means we don't have to do weird things in any other step because it happens for us already. I'm leaning toward this one.

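To make the false positive concrete, here is an added Python model (not CPAN::Audit's own code) of how an audited range is matched against the affected ranges quoted in this thread: it normalizes decimal and dotted Perl versions, reads a bare version as ">=version" the way the current in_range does, and reports which advisories hit 5.024004 when audited as >=5.024004 versus ==5.024004. The range grammar here is an assumption limited to the operators that appear on this page.

```python
OPS = ("<=", ">=", "==", "<", ">")  # two-char operators first so "<=" is not read as "<"

def parse_version(s):
    """Perl version -> comparable tuple: dotted "5.30.3"/"v5.30" keeps its components,
    decimal "5.024004" splits the fraction into 3-digit groups, so both give (5, 24, 4)."""
    s = s.strip()
    if s.startswith("v") or s.count(".") >= 2:
        parts = [int(p) for p in s.lstrip("v").split(".")]
    else:
        whole, _, frac = s.partition(".")
        frac = frac.ljust(-(-len(frac) // 3) * 3, "0") if frac else "0"
        parts = [int(whole)] + [int(frac[i:i + 3]) for i in range(0, len(frac), 3)]
    return tuple(parts + [0] * (3 - len(parts)))  # 5.24 == 5.24.0, as in version.pm

def parse_range(spec):
    """Spec "OP ver[,OP ver...]" -> (lo, lo_inclusive, hi, hi_inclusive).
    A bare version is read as ">=ver", the in_range behaviour this PR discusses."""
    lo, lo_inc, hi, hi_inc = None, True, None, True
    for part in (p.strip() for p in spec.split(",")):
        op = next((o for o in OPS if part.startswith(o)), ">=")
        v = parse_version(part[len(op):] if part.startswith(op) else part)
        if op in (">=", ">", "==") and (lo is None or v > lo or (v == lo and op == ">")):
            lo, lo_inc = v, op != ">"
        if op in ("<=", "<", "==") and (hi is None or v < hi or (v == hi and op == "<")):
            hi, hi_inc = v, op != "<"
    return lo, lo_inc, hi, hi_inc

def overlaps(a, b):
    """True if at least one version satisfies both range specs."""
    la, lai, ha, hai = parse_range(a)
    lb, lbi, hb, hbi = parse_range(b)
    lo, lo_inc = la, lai  # keep the tighter lower bound of the two
    if lb is not None and (lo is None or lb > lo or (lb == lo and not lbi)):
        lo, lo_inc = lb, lbi
    hi, hi_inc = ha, hai  # keep the tighter upper bound of the two
    if hb is not None and (hi is None or hb < hi or (hb == hi and not hbi)):
        hi, hi_inc = hb, hbi
    return lo is None or hi is None or lo < hi or (lo == hi and lo_inc and hi_inc)

ADVISORIES = {  # affected ranges exactly as cpan-audit prints them in this thread
    "CPANSA-perl-2018-18314": ["<5.26.3"],
    "CPANSA-perl-2023-47100": [">=5.30.0,<5.36.3", ">=5.38.0,<5.38.2"],
    "CPANSA-perl-2023-47038": [">=5.30.0,<5.34.3", ">=5.36.0,<5.36.3", ">=5.38.0,<5.38.2"],
}

def report(installed, exact):
    """Advisory ids hit when `installed` is audited as ==V (exact) or as >=V."""
    audited = ("==" if exact else ">=") + installed
    return sorted(i for i, rs in ADVISORIES.items() if any(overlaps(audited, r) for r in rs))
```

With `report("5.024004", False)` all three advisories match because ">=5.024004" reaches into the 5.30+ ranges, while `report("5.024004", True)` returns only CPANSA-perl-2018-18314.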
@briandfoy briandfoy added Status: needs docs the change needs to be documented Status: awaiting cpan testers waiting for results from CPAN Testers and removed Status: needs details the problem description needs more information labels Sep 10, 2024
@sparrow2009
Author

Regarding the dist command: I recommend not changing CPAN::Audit::Version::in_range's interpretation of version ranges with no range characters specified. Its present interpretation maps nicely to the cpanfile spec, and one would then have to adjust the implementation of the deps command to cater for this reinterpretation. I do not think it would be a win.

I would rather see the first option, plus emitting an informational message when a plain $version is specified, saying that it has been interpreted as >=$version and that "==$version" should be used if this was not intended.

@sparrow2009
Author

I think we are seeing the same output here, although I also fixed up several of the perl reports too.

As I am not a native English speaker this is unclear to me: Are you saying after fixing the CPANSA::DB issue you see CPANSA-perl-2023-47038 and CPANSA-perl-2023-47100 listed in the result of a dist perl 5.024004? Or that nothing has changed compared to before this fix and the report does not list those advisories?

@sparrow2009
Author

sparrow2009 commented Sep 12, 2024

One could also make a plain version as argument to the dist and module commands fatal and advise the user to specify either ==$version or >=$version instead.

@guest20
Contributor

guest20 commented Sep 13, 2024

To me, it seems like saying "version 6.1 please" should just mean version 6.1.

Version specs are "greater than or equal to" in dependency lists because defaulting to exact versions would make getting new versions of modules a whole lot more work.

@briandfoy
Owner

I haven't forgotten about this issue. I think in general this is the right solution but I want to look at it carefully to make sure it works. Since I didn't write most of this code, I don't quite understand how all of it plays together. I also need to try it in a clean environment.

@briandfoy
Owner

A fix for this is in the latest trial release. I plan on releasing a new version next week. If you find anything weird in the trial, let me know:

@briandfoy briandfoy closed this Dec 8, 2024
@briandfoy
Owner

This is now released as 20241208.001. If you find anything odd, open a new issue please.

Labels
Priority: low get to this whenever Status: awaiting cpan testers waiting for results from CPAN Testers Status: changes requested adjust the pull request as noted in comments Status: needs docs the change needs to be documented

3 participants