Advisories » MGASA-2016-0299

Updated perl-XSLoader packages fix security vulnerability

Publication date: 16 Sep 2016
Type: security
Affected Mageia releases: 5
CVE: CVE-2016-6185

Description

Arbitrary code execution can be achieved when code is loaded from an
untrusted current working directory, even though '.' has been removed from
@INC. The vulnerability is in XSLoader, which uses caller() information to
locate the .so file to load. If an attacker creates a directory named
`(eval 1)` with a malicious binary file in it, that file will be loaded if
the package calling XSLoader is in the parent directory (CVE-2016-6185).
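
A defensive check for the condition described above, as an added example that is not part of the original advisory: it walks a directory tree and reports any directory whose name matches Perl's string-eval label, together with the .so files below it. It generalises the advisory's `(eval 1)` to `(eval N)`; the function names and the sample tree are constructed for illustration.

```python
import os
import re
import sys
import tempfile

# Perl labels string-eval frames "(eval N)"; the advisory's example is "(eval 1)".
EVAL_DIR = re.compile(r"^\(eval \d+\)$")


def find_eval_dirs(root):
    """Map each directory under root named like a string-eval label to the
    .so files found anywhere below it."""
    findings = {}
    for dirpath, dirnames, _files in os.walk(root):
        hits = [d for d in dirnames if EVAL_DIR.match(d)]
        # Report the outermost match only; do not walk into it a second time.
        dirnames[:] = [d for d in dirnames if d not in hits]
        for name in hits:
            suspect = os.path.join(dirpath, name)
            libs = [os.path.join(sub, f)
                    for sub, _d, files in os.walk(suspect)
                    for f in files if f.endswith(".so")]
            findings[suspect] = sorted(libs)
    return findings


def build_sample_tree(root):
    """Constructed sample layout: empty placeholder files, nothing loadable."""
    for rel in ("app/(eval 1)/sub/placeholder.so",   # flagged, with a .so below it
                "app/lib/Module.pm",                 # ordinary file, ignored
                "docs/(eval 2)/notes.txt",           # flagged, but no .so inside
                "misc/(evaluation)/other.so"):       # name does not match, ignored
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "w").close()


if __name__ == "__main__":
    if len(sys.argv) > 1:
        results = find_eval_dirs(sys.argv[1])
    else:
        with tempfile.TemporaryDirectory() as tmp:
            build_sample_tree(tmp)
            results = find_eval_dirs(tmp)
    for directory, libs in sorted(results.items()):
        print(f"{directory}: {len(libs)} .so file(s)")
        for lib in libs:
            print(f"  {lib}")
    sys.exit(1 if results else 0)
```

Run with a directory argument to scan that tree; with no argument it scans the constructed sample. The exit status is 1 when any matching directory is found.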
                

References

SRPMS

5/core