CVE-2016-1238 (local privilege escalation) is easily exploitable but it is not addressed in Trisquel 8.0

Category:bug report
Status:patch (needs work)

Steps to reproduce:

1. Execute the following command:

mkdir /tmp/Encode; echo "system(q(id)); 1;" > /tmp/Encode/

2. Change the current working directory to /tmp:

cd /tmp

3. Run dpkg-reconfigure, adduser, deluser or tasksel as root:

sudo tasksel

Expected result:
/tmp/Encode/ should not be executed.

Observed result:
You will see a line containing output of the "id" command: "uid=0(root) gid=0(root) groups=0(root)".

Trisquel 8.0 and earlier versions are affected, the upcoming Trisquel 9 is not affected.

Canonical has decided to ignore this vulnerability in Ubuntu 16.04, cf.:, This vulnerability has been mitigated in Debian "jessie", I propose that their patches for Perl 5.20 should be ported to Perl 5.22 (this version is in Trisquel 8.0).

External links: