Updated perl-XSLoader packages fix security vulnerability
Publication date: 16 Sep 2016
Type: security
Affected Mageia releases: 5
CVE: CVE-2016-6185
Description
Arbitrary code execution can be achieved when code is loaded from an untrusted current working directory, even though '.' has been removed from @INC. The vulnerability is in XSLoader, which uses caller() information to locate the .so file to load. If an attacker creates a directory named `(eval 1)` containing a malicious binary file, that file will be loaded if the package calling XSLoader is in the parent directory (CVE-2016-6185).
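The following Perl sketch illustrates the mechanism described above. It is an added example, not code from XSLoader or from the Mageia package. It prints the file name that caller() reports for code compiled by a string eval, shows where that name would resolve against the current working directory, and applies a hypothetical guard (`safe_base_dir`, an assumed name) that refuses any non-absolute name as a base directory. The path `/usr/lib/perl5/Foo.pm` is a constructed sample.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use File::Spec;

# File name Perl recorded for the frame that called this sub. A loader
# that locates files through caller() starts from this value.
sub calling_file { return (caller(0))[1] }

# Hypothetical guard (an assumption for illustration, not XSLoader's code):
# only an absolute file name may serve as the base for locating a library.
sub safe_base_dir {
    my ($file) = @_;
    return unless defined $file && File::Spec->file_name_is_absolute($file);
    my (undef, $dir) = File::Spec->splitpath($file);
    return $dir;
}

# Constructed cases: the same call made from the script file, from a
# string eval, and a sample absolute module path.
my @cases = (
    [ 'script file'   => calling_file() ],
    [ 'string eval'   => eval q{ calling_file() } ],
    [ 'absolute path' => '/usr/lib/perl5/Foo.pm' ],
);

for my $case (@cases) {
    my ($label, $file) = @$case;
    my $base = safe_base_dir($file);
    if (defined $base) {
        printf "%-14s %-26s accepted, base dir %s\n", $label, "'$file'", $base;
    }
    else {
        # A relative name such as "(eval N)" is not a real file. Treated as
        # a path, it resolves under whatever directory the process is in.
        printf "%-14s %-26s rejected, would resolve to %s\n",
            $label, "'$file'", File::Spec->rel2abs($file);
    }
}
```

The string-eval case reports a name of the form `(eval N)`, which is the directory name the advisory refers to. The script-file case is also rejected when the script is started with a relative path.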
SRPMS
5/core
- perl-XSLoader-0.160.0-7.1.mga5