CVE-2016-6185
First published: Tue Aug 02 2016(Updated: )
The XSLoader::load method in XSLoader in Perl does not properly locate .so files when called in a string eval, which might allow local users to execute arbitrary code via a Trojan horse library under the current working directory.
Credit: security@debian.org security@debian.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Perl Perl | >=5.23.0<5.24.1 | |
| Perl Perl | >=5.25.0<5.25.3 | |
| Fedoraproject Fedora | =22 | |
| Fedoraproject Fedora | =23 | |
| Fedoraproject Fedora | =24 | |
| Debian Debian Linux | =8.0 | |
| Oracle Solaris | =10 | |
| Oracle Solaris | =11.3 | |
| Canonical Ubuntu Linux | =12.04 | |
| Canonical Ubuntu Linux | =14.04 | |
| Canonical Ubuntu Linux | =16.04 | |
| Canonical Ubuntu Linux | =17.10 | |
| ubuntu/perl | <5.18.2-2ubuntu1.4 | 5.18.2-2ubuntu1.4 |
| ubuntu/perl | <5.22.2-2 | 5.22.2-2 |
| ubuntu/perl | <5.22.1-9ubuntu0.3 | 5.22.1-9ubuntu0.3 |
| debian/perl | 5.32.1-4+deb11u3 5.32.1-4+deb11u1 5.36.0-7+deb12u1 5.38.2-5 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://perl5.git.perl.org/perl.git/commitdiff/08e3451d7
- http://www.debian.org/security/2016/dsa-3628
- http://www.openwall.com/lists/oss-security/2016/07/07/1
- http://www.openwall.com/lists/oss-security/2016/07/08/5
- http://www.oracle.com/technetwork/topics/security/bulletinjul2016-3090568.html
- http://www.securityfocus.com/bid/91685
- http://www.securitytracker.com/id/1036260
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5RFDMASVZLFZYBB2GNTZXU6I76E4NA4V/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ITYZJXQH24X2F2LAOQEQAC5KXLYJTJ76/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PRIPTDA6XINBVEJXI2NGLKVEINBREHTN/
- https://rt.cpan.org/Public/Bug/Display.html?id=115808
- https://security.gentoo.org/glsa/201701-75
- https://usn.ubuntu.com/3625-1/
- https://usn.ubuntu.com/3625-2/
- https://launchpad.net/bugs/cve/CVE-2016-6185
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5RFDMASVZLFZYBB2GNTZXU6I76E4NA4V/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ITYZJXQH24X2F2LAOQEQAC5KXLYJTJ76/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PRIPTDA6XINBVEJXI2NGLKVEINBREHTN/
- https://security-tracker.debian.org/tracker/CVE-2016-6185
- https://ubuntu.com/security/notices/USN-3625-1
- https://ubuntu.com/security/notices/USN-3625-2
- https://www.cve.org/CVERecord?id=CVE-2016-6185
- https://nvd.nist.gov/vuln/detail/CVE-2016-6185
- http://perl5.git.perl.org/perl.git/commit/08e3451d7b3b714ad63a27f1b9c2a23ee75d15ee
- https://ubuntu.com/security/CVE-2016-6185
Frequently Asked Questions
What is CVE-2016-6185?
CVE-2016-6185 is a vulnerability in the XSLoader::load method in Perl that allows local users to execute arbitrary code via a Trojan horse library.
How severe is CVE-2016-6185?
CVE-2016-6185 has a severity rating of 7.8 out of 10.
Which software is affected by CVE-2016-6185?
The affected software includes Perl 5.28.1-6+deb10u1, Perl 5.32.1-4+deb11u2, Perl 5.32.1-4+deb11u1, Perl 5.36.0-7, Perl 5.36.0-9, Perl Perl (version 5.24.1 to 5.25.3), Fedoraproject Fedora 22, Fedoraproject Fedora 23, Fedoraproject Fedora 24, Debian Debian Linux 8.0, Oracle Solaris 10, Oracle Solaris 11.3, Canonical Ubuntu Linux 12.04, Canonical Ubuntu Linux 14.04, Canonical Ubuntu Linux 16.04, and Canonical Ubuntu Linux 17.10.
How do I fix CVE-2016-6185 in Perl?
To fix CVE-2016-6185 in Perl, update to Perl version 5.28.1-6+deb10u1, 5.32.1-4+deb11u2, 5.32.1-4+deb11u1, 5.36.0-7, or 5.36.0-9.
Are there any references for CVE-2016-6185?
Yes, you can find references for CVE-2016-6185 at the following links: [CVE-2016-6185](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6185), [USN-3625-1](https://ubuntu.com/security/notices/USN-3625-1), [USN-3625-2](https://ubuntu.com/security/notices/USN-3625-2).
- collector/nvd-index
- agent/type
- agent/last-modified-date
- agent/first-publish-date
- collector/launchpad-cve
- source/Launchpad
- agent/author
- collector/nvd-cve
- source/NVD
- agent/software-canonical-lookup
- agent/remedy
- agent/severity
- agent/description
- agent/event
- collector/usn-cve
- source/Ubuntu
- agent/references
- agent/tags
- collector/security-tracker-debian
- source/Debian
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- vendor/perl
- canonical/perl perl
- version/perl perl/5.23.0
- version/perl perl/5.25.0
- vendor/fedoraproject
- canonical/fedoraproject fedora
- version/fedoraproject fedora/22
- version/fedoraproject fedora/23
- version/fedoraproject fedora/24
- vendor/debian
- canonical/debian debian linux
- version/debian debian linux/8.0
- vendor/oracle
- canonical/oracle solaris
- version/oracle solaris/10
- version/oracle solaris/11.3
- vendor/canonical
- canonical/canonical ubuntu linux
- version/canonical ubuntu linux/12.04
- version/canonical ubuntu linux/14.04
- version/canonical ubuntu linux/16.04
- version/canonical ubuntu linux/17.10
- package-manager/ubuntu
- package-manager/debian