Apply remains of CVE-2016-1238 fix from perl
This require different logic for locating file from -j argument.
This commit is contained in:
Petr Písař
parent
df7a613c62
commit
5ec96d5ccb
|
|
@ -0,0 +1,40 @@
|
|||
From 2630498e13ce17ef601f532e4ecec5c0489c72b5 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
|
||||
Date: Tue, 18 Oct 2016 17:59:58 +0200
|
||||
Subject: [PATCH] Do not search cpan -j file in @INC
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
After removing "." from @INC (CVE-2016-1238), loading explictly
|
||||
specified configuration file with cpan -j using relative path failed.
|
||||
This is because relative paths are subject to @INC search within the
|
||||
"require" function.
|
||||
|
||||
Because cpan already checks the file exists before loading it, it's
|
||||
clear the intention is to load only that file (relative to current
|
||||
working directory).
|
||||
|
||||
Therefore this patch turnes the configuration file name into into
|
||||
absolute path before loading it by "require" function.
|
||||
|
||||
Signed-off-by: Petr Písař <ppisar@redhat.com>
|
||||
---
|
||||
lib/App/Cpan.pm | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/lib/App/Cpan.pm b/lib/App/Cpan.pm
|
||||
index c654c2c..0f42913 100644
|
||||
--- a/lib/App/Cpan.pm
|
||||
+++ b/lib/App/Cpan.pm
|
||||
@@ -1100,6 +1100,7 @@ sub _load_config # -j
|
||||
delete $INC{'CPAN/Config.pm'};
|
||||
croak( "Config file [$file] does not exist!\n" ) unless -e $file;
|
||||
|
||||
+ $file = File::Spec->rel2abs($file);
|
||||
my $rc = eval "require '$file'";
|
||||
|
||||
# CPAN::HandleConfig::require_myconfig_or_config looks for this
|
||||
--
|
||||
2.7.4
|
||||
|
||||
|
|
@ -0,0 +1,63 @@
|
|||
From 705b9f68906d584e2d0bf9c2fd634778f1ba9b35 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
|
||||
Date: Tue, 18 Oct 2016 14:35:09 +0200
|
||||
Subject: [PATCH] Fix CVE-2016-1238 completely
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
These are remains ported from perl-v5.24.1-RC4 commit:
|
||||
|
||||
commit 5f66e9fffdc3d0c6e0846cd1f11298e70c786c30
|
||||
Author: Tony Cook <tony@develop-help.com>
|
||||
Date: Tue Jun 21 10:02:02 2016 +1000
|
||||
|
||||
(perl #127834) remove . from the end of @INC if complex modules are loaded
|
||||
|
||||
While currently Encode and Storable are know to attempt to load modules
|
||||
not included in the core, updates to other modules may lead to those
|
||||
also attempting to load new modules, so be safe and remove . for those
|
||||
as well.
|
||||
|
||||
Signed-off-by: Petr Písař <ppisar@redhat.com>
|
||||
---
|
||||
lib/CPAN.pm | 4 ++++
|
||||
scripts/cpan | 1 +
|
||||
2 files changed, 5 insertions(+)
|
||||
|
||||
diff --git a/lib/CPAN.pm b/lib/CPAN.pm
|
||||
index 69cc7b8..ae66eaf 100644
|
||||
--- a/lib/CPAN.pm
|
||||
+++ b/lib/CPAN.pm
|
||||
@@ -1128,6 +1128,8 @@ sub has_usable {
|
||||
]
|
||||
};
|
||||
if ($usable->{$mod}) {
|
||||
+ local @INC = @INC;
|
||||
+ pop @INC if $INC[-1] eq '.';
|
||||
for my $c (0..$#{$usable->{$mod}}) {
|
||||
my $code = $usable->{$mod}[$c];
|
||||
my $ret = eval { &$code() };
|
||||
@@ -1170,6 +1172,8 @@ sub has_inst {
|
||||
$CPAN::META->{dontload_hash}{$mod}||=1; # unsafe meta access, ok
|
||||
return 0;
|
||||
}
|
||||
+ local @INC = @INC;
|
||||
+ pop @INC if $INC[-1] eq '.';
|
||||
my $file = $mod;
|
||||
my $obj;
|
||||
$file =~ s|::|/|g;
|
||||
diff --git a/scripts/cpan b/scripts/cpan
|
||||
index 5555090..cceab30 100644
|
||||
--- a/scripts/cpan
|
||||
+++ b/scripts/cpan
|
||||
@@ -1,5 +1,6 @@
|
||||
#!/usr/local/bin/perl
|
||||
|
||||
+BEGIN { pop @INC if $INC[-1] eq '.' }
|
||||
use strict;
|
||||
use vars qw($VERSION);
|
||||
|
||||
--
|
||||
2.7.4
|
||||
|
||||
|
|
@ -1,45 +0,0 @@
|
|||
From 9b0b275d923418306cb3c45bb380bd9dcc71476c Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
|
||||
Date: Wed, 12 Oct 2016 16:56:41 +0200
|
||||
Subject: [PATCH] Fix CVE-2016-1238 properly
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Removing "." from @INC does not work because CPAN module translates
|
||||
all relative paths into absolute paths. Check for $INC[-1] eq '.'
|
||||
sooner.
|
||||
|
||||
Signed-off-by: Petr Písař <ppisar@redhat.com>
|
||||
---
|
||||
lib/App/Cpan.pm | 8 +++++++-
|
||||
1 file changed, 7 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/lib/App/Cpan.pm b/lib/App/Cpan.pm
|
||||
index c654c2c..ce7afe5 100644
|
||||
--- a/lib/App/Cpan.pm
|
||||
+++ b/lib/App/Cpan.pm
|
||||
@@ -1,5 +1,11 @@
|
||||
package App::Cpan;
|
||||
|
||||
+# CPAN module translantes @INC, CPAN RT#116507
|
||||
+my $last_inc_is_dot;
|
||||
+BEGIN {
|
||||
+ $last_inc_is_dot = $INC[-1] eq '.';
|
||||
+}
|
||||
+
|
||||
use strict;
|
||||
use warnings;
|
||||
use vars qw($VERSION);
|
||||
@@ -555,7 +561,7 @@ sub _safe_load_module {
|
||||
my $name = shift;
|
||||
|
||||
local @INC = @INC;
|
||||
- pop @INC if $INC[-1] eq '.';
|
||||
+ pop @INC if $last_inc_is_dot;
|
||||
|
||||
eval "require $name; 1";
|
||||
}
|
||||
--
|
||||
2.7.4
|
||||
|
||||
|
|
@ -1,6 +1,6 @@
|
|||
Name: perl-CPAN
|
||||
Version: 2.14
|
||||
Release: 2%{?dist}
|
||||
Release: 3%{?dist}
|
||||
Summary: Query, download and build perl modules from CPAN sites
|
||||
License: GPL+ or Artistic
|
||||
Group: Development/Libraries
|
||||
|
|
@ -26,8 +26,11 @@ Patch6: CPAN-2.14-CVE-2016-1238-don-t-load-optional-modules-from-defau.p
|
|||
Patch7: CPAN-2.14-Bugfix-47934-version-requirement-with-was-ignored.patch
|
||||
# Cope with non-digit version strings, fixed after 2.14
|
||||
Patch8: CPAN-2.14-accepts_module-must-be-protected-with-an-eval.patch
|
||||
# Fix CVE-2016-1238 properly, CPAN RT#116507
|
||||
Patch9: CPAN-2.14-Fix-CVE-2016-1238-properly.patch
|
||||
# Fix CVE-2016-1238 completely, CPAN RT#116507
|
||||
Patch9: CPAN-2.14-Fix-CVE-2016-1238-completely.patch
|
||||
# Do not search cpan -j file in @INC, required for
|
||||
# Fix-CVE-2016-1238-completely.patch, CPAN RT#116507
|
||||
Patch10: CPAN-2.14-Do-not-search-cpan-j-file-in-INC.patch
|
||||
BuildArch: noarch
|
||||
BuildRequires: coreutils
|
||||
BuildRequires: findutils
|
||||
|
|
@ -213,6 +216,7 @@ external download clients to fetch distributions from the net.
|
|||
%patch7 -p1
|
||||
%patch8 -p1
|
||||
%patch9 -p1
|
||||
%patch10 -p1
|
||||
# Change configuration name
|
||||
find -type f -exec sed -i -e 's/XCPANCONFIGNAMEX/cpan/g' {} \;
|
||||
# Remove bundled modules
|
||||
|
|
@ -239,6 +243,10 @@ make test
|
|||
%{_mandir}/man3/*
|
||||
|
||||
%changelog
|
||||
* Tue Oct 18 2016 Petr Pisar <ppisar@redhat.com> - 2.14-3
|
||||
- Apply remains of CVE-2016-1238 fix from perl (CPAN RT#116507)
|
||||
- Do not search cpan -j file in @INC (CPAN RT#116507)
|
||||
|
||||
* Wed Oct 12 2016 Petr Pisar <ppisar@redhat.com> - 2.14-2
|
||||
- Fix CVE-2016-1238 properly (CPAN RT#116507)
|
||||
|
||||
|
|
|
|||
Loading…
Reference in New Issue