{ "document": { "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "description", "text": "The (1) lc, (2) lcfirst, (3) uc, and (4) ucfirst functions in Perl 5.10.x, 5.11.x, and 5.12.x through 5.12.3, and 5.13.x through 5.13.11, do not apply the taint attribute to the return value upon processing tainted input, which might allow context-dependent attackers to bypass the taint protection mechanism via a crafted string.", "title": "Vulnerability Description" } ], "publisher": { "category": "other", "contact_details": "gdt@cpan.org", "name": "giterlizzi", "namespace": "https://github.com/giterlizzi/" }, "references": [ { "category": "self", "summary": "CPANSA-perl-2011-1487 JSON", "url": "https://raw.githubusercontent.com/giterlizzi/perl-CPANSA-CSAF/develop/csaf/white/2011/cpansa-perl-2011-1487.json" }, { "category": "external", "summary": "https://bugzilla.redhat.com/show_bug.cgi?id=692844", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=692844" }, { "category": "external", "summary": "http://openwall.com/lists/oss-security/2011/04/01/3", "url": "http://openwall.com/lists/oss-security/2011/04/01/3" }, { "category": "external", "summary": "http://openwall.com/lists/oss-security/2011/04/04/35", "url": "http://openwall.com/lists/oss-security/2011/04/04/35" }, { "category": "external", "summary": "https://bugzilla.redhat.com/show_bug.cgi?id=692898", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=692898" }, { "category": "external", "summary": "http://rt.perl.org/rt3/Public/Bug/Display.html?id=87336", "url": "http://rt.perl.org/rt3/Public/Bug/Display.html?id=87336" }, { "category": "external", "summary": "http://secunia.com/advisories/43921", "url": "http://secunia.com/advisories/43921" }, { "category": "external", "summary": "http://www.securityfocus.com/bid/47124", "url": "http://www.securityfocus.com/bid/47124" }, { "category": "external", "summary": "http://perl5.git.perl.org/perl.git/commit/539689e74a3bcb04d29e4cd9396de91a81045b99", "url": "http://perl5.git.perl.org/perl.git/commit/539689e74a3bcb04d29e4cd9396de91a81045b99" }, { "category": "external", "summary": "http://lists.fedoraproject.org/pipermail/package-announce/2011-April/057971.html", "url": "http://lists.fedoraproject.org/pipermail/package-announce/2011-April/057971.html" }, { "category": "external", "summary": "http://lists.fedoraproject.org/pipermail/package-announce/2011-April/057891.html", "url": "http://lists.fedoraproject.org/pipermail/package-announce/2011-April/057891.html" }, { "category": "external", "summary": "http://secunia.com/advisories/44168", "url": "http://secunia.com/advisories/44168" }, { "category": "external", "summary": "http://www.debian.org/security/2011/dsa-2265", "url": "http://www.debian.org/security/2011/dsa-2265" }, { "category": "external", "summary": "http://www.mandriva.com/security/advisories?name=MDVSA-2011:091", "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2011:091" }, { "category": "external", "summary": "http://lists.opensuse.org/opensuse-security-announce/2011-05/msg00005.html", "url": "http://lists.opensuse.org/opensuse-security-announce/2011-05/msg00005.html" }, { "category": "external", "summary": "https://exchange.xforce.ibmcloud.com/vulnerabilities/66528", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/66528" }, { "category": "external", "summary": "CVE-2011-1487 (NVD)", "url": "https://nvd.nist.gov/vuln/detail/CVE-2011-1487" } ], "title": "perl vulnerability", "tracking": { "current_release_date": "2011-04-11T00:00:00", "generator": { "engine": { "name": "CSAF Perl Toolkit", "version": "0.26" } }, "id": "CPANSA-perl-2011-1487", "initial_release_date": "2011-04-11T00:00:00", "revision_history": [ { "date": "2011-04-11T00:00:00", "number": "1", "summary": "First release" } ], "status": "final", "version": "1" } }, "product_tree": { "branches": [ { "branches": [ { "category": "product_version_range", "name": "vers:cpan/<5.14.0", "product": { "name": "perl less than 5.14.0", "product_id": "CSAFPID-0001" } }, { "category": "product_version_range", "name": "vers:cpan/>=5.14.0", "product": { "name": "perl greater than or equal 5.14.0", "product_id": "CSAFPID-0002" } } ], "category": "product_name", "name": "perl" } ] }, "vulnerabilities": [ { "cve": "CVE-2011-1487", "cwe": { "id": "CWE-264", "name": "Permissions, Privileges, and Access Controls" }, "notes": [ { "category": "description", "text": "The (1) lc, (2) lcfirst, (3) uc, and (4) ucfirst functions in Perl 5.10.x, 5.11.x, and 5.12.x through 5.12.3, and 5.13.x through 5.13.11, do not apply the taint attribute to the return value upon processing tainted input, which might allow context-dependent attackers to bypass the taint protection mechanism via a crafted string.", "title": "Vulnerability Description" } ], "product_status": { "fixed": [ "CSAFPID-0002" ], "known_affected": [ "CSAFPID-0001" ] }, "scores": [ { "cvss_v2": { "baseScore": 5, "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0" }, "products": [ "CSAFPID-0001" ] } ] } ] }