In mid-December a number of security issues were identified in core modules of the Perl language. The first–found by David Golden of MongoDB and patched with code from Tony Cook–involved the File::Spec::canonpath() returning “untainted” strings even when passed “tainted” inputs.
In Perl, tainted strings are ones that may have been modified by a user (such as someone entering data on a webform), and taint-checking is done to help enforce security restrictions. Tainted inputs need to be sanitized before they are used for anything like file or database access, or Very Bad Things can happen.
The second issue affected only Win32 builds, but had been in the code since 1999. It may be true that all bugs are shallow if enough eyes are on the code, but sometimes shallow waters can be exceedingly murky. While only affecting a single platform, this bug–found by John Leitch and Bryce Darling of AutoSec Tools and patched with code by John Leitch and Tony Cook–involved several out-of-bounds-read and small buffer over-read vulnerabilities in the VDir::MapPathA and VDir::MapPathW functions that could potentially be exploited to achieve arbitrary code execution.
Vendors such as ActiveState get early warnings on security bugs so we can apply the patches and rebuild our products before the public announcement of the vulnerabilities. A number of people at ActiveState were working hard since before Christmas to ensure that our customers would have immediate access to our patched builds, and that our latest free community edition builds of ActivePerl 5.20 and ActivePerl 5.22 would also be patched and ready to go. These builds also include the latest version of OpenSSL (1.0.2e), which fixes a moderate vulnerability recently found in the previous version (1.0.2d).
Open Source and Security
All software contains bugs, and some bugs will result in security issues. The two big advantages of open source code are that we really do have a lot of eyes looking for problems, and we can respond very quickly with patches and fixes. Both of these depend on a large and active community, which Perl thankfully has.
Security in open source is an evolving field. After Heartbleed it became apparent that the open source community at large had become somewhat complacent, and the assumption that there were enough highly qualified eyeballs on the code was optimistic. It may have even led to fewer close reviews of critical projects because everyone assumed everyone else was doing the job.
But we learn.
The open source community is similar to the scientific community in many ways. Science as we know it started on March 6th 1665, with the publication of the first issue of the “Philosophical Transactions” of the Royal Society. People had been investigating nature for a long time. What made the difference was publishing and sharing their findings with the whole world.
Like science, the open source community has been learning as we go, figuring out everything from what features we want in a source control system to how to detect and respond to security bugs. The power of open source is that its public, communal nature gives individual contributors enormous power to influence the software we depend on, and that makes us all more secure in the long run.
ActivePerl Editions Updated
We have updated the Community Edition for ActivePerl 5.20 and 5.22, as well ActivePerl Business Edition 5.18 and later. All ActivePerl Enterprise Edition customers will be able to access builds with the security patches included. You can download ActivePerl 5.22.1 to obtain the version with the latest security patches.