FS#67919 - [perl] 5.32.0-2: /etc/profile.d/perlbin.sh adds relative path to $PATH

Attached to Project: Arch Linux
Opened by Pascal Ernster (hardfalcon) - Thursday, 17 September 2020, 12:57 GMT
Last edited by freswa (frederik) - Friday, 18 September 2020, 12:21 GMT
Task Type: Bug Report
Category: Security
Status: Closed
Assigned To: Jelle van der Waa (jelly)
Architecture: All
Severity: High
Priority: Normal
Reported Version:
Due in Version: Undecided
Due Date: Undecided
Percent Complete: 100%
Votes: 0
Private: No

Details

In perl 5.32.0-2 (which is only in testing as of now), the script /etc/profile.d/perlbin.sh adds the relative path "usr/bin/site_perl" instead of the absolute path "/usr/bin/site_perl" to the $PATH environment variable. Adding a relative path to $PATH is a potential security issue:

https://cwe.mitre.org/data/definitions/426.html
https://cwe.mitre.org/data/definitions/427.html

Closed by freswa (frederik)
Friday, 18 September 2020, 12:21 GMT
Reason for closing: Fixed
Additional comments about closing: perl 5.32.0-3

Comment by Pascal Ernster (hardfalcon) - Thursday, 17 September 2020, 13:00 GMT
Forgot to mention: The issue was introduced through a typo or copy-paste error in the following commit: https://github.com/archlinux/svntogit-packages/commit/14b4244f492b77f59e2f03f6774d12615da5ec73#diff-9cdefe3a8c000c37a1d39bdd1bb1ea3eR5

The perl package in core (version 5.32.0-1) is not affected.
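
A check for the class of problem reported above, as an added example that is not part of the original report or of the Arch package: it lists every entry of a PATH-style string that is not absolute, including empty entries, which the shell resolves against the current directory. The function name `relative_path_entries` and the sample value are constructed for illustration.

```shell
#!/bin/sh
# Print every entry of a PATH-style string that is not an absolute path.
# An empty entry (leading, trailing or doubled ':') is treated by the shell
# as the current directory, so it is reported as well.
relative_path_entries() {
    rest="$1:"                 # sentinel colon so the last entry is processed
    while [ -n "$rest" ]; do
        entry=${rest%%:*}      # text up to the first ':'
        rest=${rest#*:}        # remainder after that ':'
        case "$entry" in
            /*) ;;                              # absolute path: fine
            '') printf '%s\n' '<empty>' ;;      # empty entry: current directory
            *)  printf '%s\n' "$entry" ;;       # resolved against the cwd
        esac
    done
}

# Constructed sample: a PATH as it would look with the missing leading slash.
sample='/usr/local/bin:/usr/bin:usr/bin/site_perl'
relative_path_entries "$sample"
```

Running `relative_path_entries "$PATH"` in a fresh login shell shows whether any profile script has left such an entry behind.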
