CVE-2016-1238 [High] | Security Vulnerability in Debian Linux

(1) cpan/Archive-Tar/bin/ptar, (2) cpan/Archive-Tar/bin/ptardiff, (3) cpan/Archive-Tar/bin/ptargrep, (4) cpan/CPAN/scripts/cpan, (5) cpan/Digest-SHA/shasum, (6) cpan/Encode/bin/enc2xs, (7) cpan/Encode/bin/encguess, (8) cpan/Encode/bin/piconv, (9) cpan/Encode/bin/ucmlint, (10) cpan/Encode/bin/unidump, (11) cpan/ExtUtils-MakeMaker/bin/instmodsh, (12) cpan/IO-Compress/bin/zipdetails, (13) cpan/JSON-PP/bin/json_pp, (14) cpan/Test-Harness/bin/prove, (15) dist/ExtUtils-ParseXS/lib/ExtUtils/xsubpp, (16) dist/Module-CoreList/corelist, (17) ext/Pod-Html/bin/pod2html, (18) utils/c2ph.PL, (19) utils/h2ph.PL, (20) utils/h2xs.PL, (21) utils/libnetcfg.PL, (22) utils/perlbug.PL, (23) utils/perldoc.PL, (24) utils/perlivp.PL, and (25) utils/splain.PL in Perl 5.x before 5.22.3-RC2 and 5.24 before 5.24.1-RC2 do not properly remove . (period) characters from the end of the includes directory array, which might allow local users to gain privileges via a Trojan horse module under the current working directory.

#	Date	Old EPSS score	New EPSS score	Delta (New - Old)
1	2025-12-28	0.38%	0.27%	-0.11%
2	2025-12-27	0.27%	0.38%	+0.11%
3	2025-10-28	—	0.27%	—

Date

Old EPSS score

New EPSS score

Delta (New - Old)

2025-12-28

0.38%

0.27%

-0.11%

2025-12-27

0.27%

0.38%

+0.11%

2025-10-28

—

0.27%

—

Base score	Version	Severity	Vector	Exploitability	Impact	Score source
7.8	3.1	HIGH	`CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H` Click to expand Attack vector (AV:L) They already need access on the box, or another person has to do something wrong; it’s not a remote drive-by. Attack complexity (AC:L) Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup. Privileges required (PR:L) A normal user session is enough; they don’t have to be admin. User interaction (UI:N) Nobody has to click “OK” or open a trap file; it can work without a victim helping. Scope (S:U) Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems. Confidentiality (C:H) Serious risk that confidential data gets exposed in a big way. Integrity (I:H) They could widely tamper with or forge data—trust in the data is badly hurt. Availability (A:H) Could take the service down hard or make it unusable for people who depend on it.	1.8	5.9	[email protected]
7.2	2.0	HIGH	`AV:L/AC:L/Au:N/C:C/I:C/A:C` Click to expand Access vector (AV:L) Requires local access to the target system. Access complexity (AC:L) Exploitation conditions are straightforward and predictable. Authentication (AU:N) No authentication is required. Confidentiality impact (C:C) Complete confidentiality impact. Integrity impact (I:C) Complete integrity impact. Availability impact (A:C) Complete availability impact.	3.9	10.0	[email protected]

Base score

Version

Severity

Vector

Exploitability

Impact

Score source

7.8

3.1

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Click to expand

Attack vector (AV:L): They already need access on the box, or another person has to do something wrong; it’s not a remote drive-by.
Attack complexity (AC:L): Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup.
Privileges required (PR:L): A normal user session is enough; they don’t have to be admin.
User interaction (UI:N): Nobody has to click “OK” or open a trap file; it can work without a victim helping.
Scope (S:U): Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems.
Confidentiality (C:H): Serious risk that confidential data gets exposed in a big way.
Integrity (I:H): They could widely tamper with or forge data—trust in the data is badly hurt.
Availability (A:H): Could take the service down hard or make it unusable for people who depend on it.

1.8

5.9

[email protected]

7.2

2.0

HIGH

AV:L/AC:L/Au:N/C:C/I:C/A:C Click to expand

Access vector (AV:L): Requires local access to the target system.
Access complexity (AC:L): Exploitation conditions are straightforward and predictable.
Authentication (AU:N): No authentication is required.
Confidentiality impact (C:C): Complete confidentiality impact.
Integrity impact (I:C): Complete integrity impact.
Availability impact (A:C): Complete availability impact.

3.9

10.0

[email protected]

OS Trackers for CVE-2016-1238

vendor	priority	summary	link
`alpine`	—	CVE-2016-1238: 1 source package rows (spamassassin); 10 state rows across 10 repos (3.10-main, 3.11-main, 3.12-main, 3.17-main, 3.18-main, 3.19-main, 3.20-main, 3.21-main, 3.22-main, edge-main); fixed 10, open 0.	https://security.alpinelinux.org/vuln/CVE-2016-1238
`debian`	not yet assigned	CVE-2016-1238 not yet assigned priority: Debian including 1 source packages (perl), 5 status rows across 5 suites (bookworm, bullseye, forky, sid, trixie): resolved 5.	https://security-tracker.debian.org/tracker/CVE-2016-1238
`gentoo`	normal	CVE-2016-1238: 2 GLSA(s) (201701-75, 201812-07), 2 atom(s) (dev-lang/perl, mail-filter/spamassassin); latest impact normal.	https://bugs.gentoo.org/buglist.cgi?quicksearch=CVE-2016-1238
`redhat`	medium	—	https://access.redhat.com/security/cve/CVE-2016-1238
`suse`	medium	CVE-2016-1238 severity moderate: SUSE including 98 source package names (0.9.1:perl-base-5.18.2-11.1, 1.0.0:perl-base-5.18.2-11.1, …), 361 product×package rows across 112 product lines (Container caasp/v4/default-http-backend, Container caasp/v4/dnsmasq-nanny, … (112 product lines)): Fixed 253, Known Not Affected 108.	https://www.suse.com/security/cve/CVE-2016-1238/
`ubuntu`	medium	CVE-2016-1238 medium priority: Ubuntu including 2 source packages (libsys-syslog-perl, perl), 20 status rows across 10 suites (artful, bionic, cosmic, precise, trusty, upstream, wily, xenial, yakkety, zesty): DNE 6, ignored 5, not-affected 5, released 3, needs-triage 1.	https://ubuntu.com/security/CVE-2016-1238

Affected software / configurations for CVE-2016-1238

Vendor	Product	Version	Raw CPE
debian	debian_linux	8.0	cpe:2.3:o:debian:debian_linux:8.0:::::::*
fedoraproject	fedora	23	cpe:2.3:o:fedoraproject:fedora:23:::::::*
fedoraproject	fedora	24	cpe:2.3:o:fedoraproject:fedora:24:::::::*
perl	perl	1.0.15	cpe:2.3:a:perl:perl:1.0.15:::::::*
perl	perl	1.0.16	cpe:2.3:a:perl:perl:1.0.16:::::::*
perl	perl	5.000	cpe:2.3:a:perl:perl:5.000:::::::*
perl	perl	5.000o	cpe:2.3:a:perl:perl:5.000o:::::::*
perl	perl	5.001	cpe:2.3:a:perl:perl:5.001:::::::*
perl	perl	5.001n	cpe:2.3:a:perl:perl:5.001n:::::::*
perl	perl	5.002	cpe:2.3:a:perl:perl:5.002:::::::*
perl	perl	5.002_01	cpe:2.3:a:perl:perl:5.002_01:::::::*
perl	perl	5.003	cpe:2.3:a:perl:perl:5.003:::::::*
perl	perl	5.003_01	cpe:2.3:a:perl:perl:5.003_01:::::::*
perl	perl	5.003_02	cpe:2.3:a:perl:perl:5.003_02:::::::*
perl	perl	5.003_03	cpe:2.3:a:perl:perl:5.003_03:::::::*
perl	perl	5.003_04	cpe:2.3:a:perl:perl:5.003_04:::::::*
perl	perl	5.003_05	cpe:2.3:a:perl:perl:5.003_05:::::::*
perl	perl	5.003_07	cpe:2.3:a:perl:perl:5.003_07:::::::*
perl	perl	5.003_08	cpe:2.3:a:perl:perl:5.003_08:::::::*
perl	perl	5.003_09	cpe:2.3:a:perl:perl:5.003_09:::::::*
perl	perl	5.003_10	cpe:2.3:a:perl:perl:5.003_10:::::::*
perl	perl	5.003_11	cpe:2.3:a:perl:perl:5.003_11:::::::*
perl	perl	5.003_12	cpe:2.3:a:perl:perl:5.003_12:::::::*
perl	perl	5.003_13	cpe:2.3:a:perl:perl:5.003_13:::::::*
perl	perl	5.003_14	cpe:2.3:a:perl:perl:5.003_14:::::::*
perl	perl	5.003_15	cpe:2.3:a:perl:perl:5.003_15:::::::*
perl	perl	5.003_16	cpe:2.3:a:perl:perl:5.003_16:::::::*
perl	perl	5.003_17	cpe:2.3:a:perl:perl:5.003_17:::::::*
perl	perl	5.003_18	cpe:2.3:a:perl:perl:5.003_18:::::::*
perl	perl	5.003_19	cpe:2.3:a:perl:perl:5.003_19:::::::*
perl	perl	5.003_20	cpe:2.3:a:perl:perl:5.003_20:::::::*
perl	perl	5.003_21	cpe:2.3:a:perl:perl:5.003_21:::::::*
perl	perl	5.003_22	cpe:2.3:a:perl:perl:5.003_22:::::::*
perl	perl	5.003_23	cpe:2.3:a:perl:perl:5.003_23:::::::*
perl	perl	5.003_24	cpe:2.3:a:perl:perl:5.003_24:::::::*
perl	perl	5.003_25	cpe:2.3:a:perl:perl:5.003_25:::::::*
perl	perl	5.003_26	cpe:2.3:a:perl:perl:5.003_26:::::::*
perl	perl	5.003_27	cpe:2.3:a:perl:perl:5.003_27:::::::*
perl	perl	5.003_28	cpe:2.3:a:perl:perl:5.003_28:::::::*
perl	perl	5.003_90	cpe:2.3:a:perl:perl:5.003_90:::::::*
perl	perl	5.003_91	cpe:2.3:a:perl:perl:5.003_91:::::::*
perl	perl	5.003_92	cpe:2.3:a:perl:perl:5.003_92:::::::*
perl	perl	5.003_93	cpe:2.3:a:perl:perl:5.003_93:::::::*
perl	perl	5.003_94	cpe:2.3:a:perl:perl:5.003_94:::::::*
perl	perl	5.003_95	cpe:2.3:a:perl:perl:5.003_95:::::::*
perl	perl	5.003_96	cpe:2.3:a:perl:perl:5.003_96:::::::*
perl	perl	5.003_97	cpe:2.3:a:perl:perl:5.003_97:::::::*
perl	perl	5.003_97a	cpe:2.3:a:perl:perl:5.003_97a:::::::*
perl	perl	5.003_97b	cpe:2.3:a:perl:perl:5.003_97b:::::::*
perl	perl	5.003_97c	cpe:2.3:a:perl:perl:5.003_97c:::::::*
perl	perl	5.003_97d	cpe:2.3:a:perl:perl:5.003_97d:::::::*
perl	perl	5.003_97e	cpe:2.3:a:perl:perl:5.003_97e:::::::*
perl	perl	5.003_97f	cpe:2.3:a:perl:perl:5.003_97f:::::::*
perl	perl	5.003_97g	cpe:2.3:a:perl:perl:5.003_97g:::::::*
perl	perl	5.003_97h	cpe:2.3:a:perl:perl:5.003_97h:::::::*
perl	perl	5.003_97i	cpe:2.3:a:perl:perl:5.003_97i:::::::*
perl	perl	5.003_97j	cpe:2.3:a:perl:perl:5.003_97j:::::::*
perl	perl	5.003_98	cpe:2.3:a:perl:perl:5.003_98:::::::*
perl	perl	5.003_99	cpe:2.3:a:perl:perl:5.003_99:::::::*
perl	perl	5.003_99a	cpe:2.3:a:perl:perl:5.003_99a:::::::*
perl	perl	5.004	cpe:2.3:a:perl:perl:5.004:::::::*
perl	perl	5.004_01	cpe:2.3:a:perl:perl:5.004_01:::::::*
perl	perl	5.004_02	cpe:2.3:a:perl:perl:5.004_02:::::::*
perl	perl	5.004_03	cpe:2.3:a:perl:perl:5.004_03:::::::*
perl	perl	5.004_04	cpe:2.3:a:perl:perl:5.004_04:::::::*
perl	perl	5.004_05	cpe:2.3:a:perl:perl:5.004_05:::::::*
perl	perl	5.005	cpe:2.3:a:perl:perl:5.005:::::::*
perl	perl	5.005_01	cpe:2.3:a:perl:perl:5.005_01:::::::*
perl	perl	5.005_02	cpe:2.3:a:perl:perl:5.005_02:::::::*
perl	perl	5.005_03	cpe:2.3:a:perl:perl:5.005_03:::::::*
perl	perl	5.005_04	cpe:2.3:a:perl:perl:5.005_04:::::::*
perl	perl	5.6	cpe:2.3:a:perl:perl:5.6:::::::*
perl	perl	5.6.0	cpe:2.3:a:perl:perl:5.6.0:::::::*
perl	perl	5.6.1	cpe:2.3:a:perl:perl:5.6.1:::::::*
perl	perl	5.6.2	cpe:2.3:a:perl:perl:5.6.2:::::::*
perl	perl	5.7.3	cpe:2.3:a:perl:perl:5.7.3:::::::*
perl	perl	5.8	cpe:2.3:a:perl:perl:5.8:::::::*
perl	perl	5.8.0	cpe:2.3:a:perl:perl:5.8.0:::::::*
perl	perl	5.8.1	cpe:2.3:a:perl:perl:5.8.1:::::::*
perl	perl	5.8.2	cpe:2.3:a:perl:perl:5.8.2:::::::*

References for CVE-2016-1238

URL	Tags
http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00002.html	Third Party Advisory
http://perl5.git.perl.org/perl.git/commit/cee96d52c39b1e7b36e1c62d38bcd8d86e9a41ab	Issue Tracking
http://www.debian.org/security/2016/dsa-3628	Third Party Advisory
http://www.nntp.perl.org/group/perl.perl5.porters/2016/07/msg238271.html	Third Party Advisory
http://www.securityfocus.com/bid/92136	Third Party Advisory VDB Entry
http://www.securitytracker.com/id/1036440	Third Party Advisory VDB Entry
https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05240731	Third Party Advisory
https://lists.apache.org/thread.html/7f6a16bc0fd0fd5e67c7fd95bd655069a2ac7d1f88e42d3c853e601c%40%3Cannounce.apache.org%3E
https://lists.debian.org/debian-lts-announce/2018/11/msg00016.html	Mailing List Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2FBQOCV3GBAN2EYZUM3CFDJ4ECA3GZOK/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DOFRQWJRP2NQJEYEWOMECVW3HAMD5SYN/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TZBNQH3DMI7HDELJAZ4TFJJANHXOEDWH/
https://rt.perl.org/Public/Bug/Display.html?id=127834	Permissions Required
https://security.gentoo.org/glsa/201701-75	Third Party Advisory
https://security.gentoo.org/glsa/201812-07	Third Party Advisory

URL

CVE-2016-1238

Exploit prediction scoring system (EPSS) score for CVE-2016-1238

Common vulnerability scoring system (CVSS) metrics for CVE-2016-1238

Weakness enumeration for CVE-2016-1238

OS Trackers for CVE-2016-1238

Affected software / configurations for CVE-2016-1238

References for CVE-2016-1238