From 5ec96d5ccbc31260508756cd43f9207096eaefe8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?=
Date: Tue, 18 Oct 2016 15:16:15 +0200
Subject: [PATCH] Apply remains of CVE-2016-1238 fix from perl

This require different logic for locating file from -j argument.
---
 ....14-Do-not-search-cpan-j-file-in-INC.patch | 40 ++++++++++++
 CPAN-2.14-Fix-CVE-2016-1238-completely.patch | 63 +++++++++++++++++++
 CPAN-2.14-Fix-CVE-2016-1238-properly.patch | 45 -------------
 perl-CPAN.spec | 14 ++++-
 4 files changed, 114 insertions(+), 48 deletions(-)
 create mode 100644 CPAN-2.14-Do-not-search-cpan-j-file-in-INC.patch
 create mode 100644 CPAN-2.14-Fix-CVE-2016-1238-completely.patch
 delete mode 100644 CPAN-2.14-Fix-CVE-2016-1238-properly.patch

diff --git a/CPAN-2.14-Do-not-search-cpan-j-file-in-INC.patch b/CPAN-2.14-Do-not-search-cpan-j-file-in-INC.patch
new file mode 100644
index 0000000..ce6501b
--- /dev/null
+++ b/CPAN-2.14-Do-not-search-cpan-j-file-in-INC.patch
@@ -0,0 +1,40 @@
+From 2630498e13ce17ef601f532e4ecec5c0489c72b5 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?=
+Date: Tue, 18 Oct 2016 17:59:58 +0200
+Subject: [PATCH] Do not search cpan -j file in @INC
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+After removing "." from @INC (CVE-2016-1238), loading explictly
+specified configuration file with cpan -j using relative path failed.
+This is because relative paths are subject to @INC search within the
+"require" function.
+
+Because cpan already checks the file exists before loading it, it's
+clear the intention is to load only that file (relative to current
+working directory).
+
+Therefore this patch turnes the configuration file name into into
+absolute path before loading it by "require" function.
+
+Signed-off-by: Petr Písař
+---
+ lib/App/Cpan.pm | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/lib/App/Cpan.pm b/lib/App/Cpan.pm
+index c654c2c..0f42913 100644
+--- a/lib/App/Cpan.pm
++++ b/lib/App/Cpan.pm
+@@ -1100,6 +1100,7 @@ sub _load_config # -j
+ delete $INC{'CPAN/Config.pm'};
+ croak( "Config file [$file] does not exist!\n" ) unless -e $file;
+
++ $file = File::Spec->rel2abs($file);
+ my $rc = eval "require '$file'";
+
+ # CPAN::HandleConfig::require_myconfig_or_config looks for this
+--
+2.7.4
+
diff --git a/CPAN-2.14-Fix-CVE-2016-1238-completely.patch b/CPAN-2.14-Fix-CVE-2016-1238-completely.patch
new file mode 100644
index 0000000..f5ac162
--- /dev/null
+++ b/CPAN-2.14-Fix-CVE-2016-1238-completely.patch
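Review bot: The line added to `_load_config` feeds the now-absolute path straight into the string eval on the next line, `eval "require '$file'"`, so a single quote anywhere in the `-j` argument or in the working directory that `rel2abs` prepends closes the string literal early and the remainder of the path is compiled as Perl. A block eval avoids building source text from a path: `my $rc = eval { require $file };` loads the same absolute file, still without an @INC search. The hunk does not show `File::Spec` being loaded in lib/App/Cpan.pm, so that is worth confirming before relying on `File::Spec->rel2abs`. `_load_config` starts and ends outside the hunk.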
@@ -0,0 +1,63 @@
+From 705b9f68906d584e2d0bf9c2fd634778f1ba9b35 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?=
+Date: Tue, 18 Oct 2016 14:35:09 +0200
+Subject: [PATCH] Fix CVE-2016-1238 completely
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+These are remains ported from perl-v5.24.1-RC4 commit:
+
+commit 5f66e9fffdc3d0c6e0846cd1f11298e70c786c30
+Author: Tony Cook
+Date: Tue Jun 21 10:02:02 2016 +1000
+
+ (perl #127834) remove . from the end of @INC if complex modules are loaded
+
+ While currently Encode and Storable are know to attempt to load modules
+ not included in the core, updates to other modules may lead to those
+ also attempting to load new modules, so be safe and remove . for those
+ as well.
+
+Signed-off-by: Petr Písař
+---
+ lib/CPAN.pm | 4 ++++
+ scripts/cpan | 1 +
+ 2 files changed, 5 insertions(+)
+
+diff --git a/lib/CPAN.pm b/lib/CPAN.pm
+index 69cc7b8..ae66eaf 100644
+--- a/lib/CPAN.pm
++++ b/lib/CPAN.pm
+@@ -1128,6 +1128,8 @@ sub has_usable {
+ ]
+ };
+ if ($usable->{$mod}) {
++ local @INC = @INC;
++ pop @INC if $INC[-1] eq '.';
+ for my $c (0..$#{$usable->{$mod}}) {
+ my $code = $usable->{$mod}[$c];
+ my $ret = eval { &$code() };
+@@ -1170,6 +1172,8 @@ sub has_inst {
+ $CPAN::META->{dontload_hash}{$mod}||=1; # unsafe meta access, ok
+ return 0;
+ }
++ local @INC = @INC;
++ pop @INC if $INC[-1] eq '.';
+ my $file = $mod;
+ my $obj;
+ $file =~ s|::|/|g;
+diff --git a/scripts/cpan b/scripts/cpan
+index 5555090..cceab30 100644
+--- a/scripts/cpan
++++ b/scripts/cpan
+@@ -1,5 +1,6 @@
+ #!/usr/local/bin/perl
+
++BEGIN { pop @INC if $INC[-1] eq '.' }
+ use strict;
+ use vars qw($VERSION);
+
+--
+2.7.4
+
diff --git a/CPAN-2.14-Fix-CVE-2016-1238-properly.patch b/CPAN-2.14-Fix-CVE-2016-1238-properly.patch
deleted file mode 100644
index bc5100c..0000000
--- a/CPAN-2.14-Fix-CVE-2016-1238-properly.patch
+++ /dev/null
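Review bot: In `has_usable` and `has_inst` the added `pop @INC if $INC[-1] eq '.'` compares against the literal string, but the patch this commit deletes (Fix-CVE-2016-1238-properly) states that the CPAN module translates relative @INC entries into absolute paths; if that translation has already run when these subs are called, the test never matches and the current directory stays searchable. The `BEGIN` line added to scripts/cpan covers the `cpan` script itself, so this presumably matters only for programs that load CPAN.pm directly. Consider recording the state once at load time, as the deleted patch did for App::Cpan, with `my $last_inc_is_dot; BEGIN { $last_inc_is_dot = $INC[-1] eq '.' }` and then `pop @INC if $last_inc_is_dot;` in both subs. Both subs continue outside their hunks.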
@@ -1,45 +0,0 @@
-From 9b0b275d923418306cb3c45bb380bd9dcc71476c Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?=
-Date: Wed, 12 Oct 2016 16:56:41 +0200
-Subject: [PATCH] Fix CVE-2016-1238 properly
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Removing "." from @INC does not work because CPAN module translates
-all relative paths into absolute paths. Check for $INC[-1] eq '.'
-sooner.
-
-Signed-off-by: Petr Písař
----
- lib/App/Cpan.pm | 8 +++++++-
- 1 file changed, 7 insertions(+), 1 deletion(-)
-
-diff --git a/lib/App/Cpan.pm b/lib/App/Cpan.pm
-index c654c2c..ce7afe5 100644
---- a/lib/App/Cpan.pm
-+++ b/lib/App/Cpan.pm
-@@ -1,5 +1,11 @@
- package App::Cpan;
-
-+# CPAN module translantes @INC, CPAN RT#116507
-+my $last_inc_is_dot;
-+BEGIN {
-+ $last_inc_is_dot = $INC[-1] eq '.';
-+}
-+
- use strict;
- use warnings;
- use vars qw($VERSION);
-@@ -555,7 +561,7 @@ sub _safe_load_module {
- my $name = shift;
-
- local @INC = @INC;
-- pop @INC if $INC[-1] eq '.';
-+ pop @INC if $last_inc_is_dot;
-
- eval "require $name; 1";
- }
---
-2.7.4
-
diff --git a/perl-CPAN.spec b/perl-CPAN.spec
index 05cc4a7..701a0a4 100644
--- a/perl-CPAN.spec
+++ b/perl-CPAN.spec
@@ -1,6 +1,6 @@
 Name: perl-CPAN
 Version: 2.14
-Release: 2%{?dist}
+Release: 3%{?dist}
 Summary: Query, download and build perl modules from CPAN sites
 License: GPL+ or Artistic
 Group: Development/Libraries
@@ -26,8 +26,11 @@ Patch6: CPAN-2.14-CVE-2016-1238-don-t-load-optional-modules-from-defau.p Patch7: CPAN-2.14-Bugfix-47934-version-requirement-with-was-ignored.patch # Cope with non-digit version strings, fixed after 2.14 Patch8: CPAN-2.14-accepts_module-must-be-protected-with-an-eval.patch -# Fix CVE-2016-1238 properly, CPAN RT#116507 -Patch9: CPAN-2.14-Fix-CVE-2016-1238-properly.patch +# Fix CVE-2016-1238 completely, CPAN RT#116507 +Patch9: CPAN-2.14-Fix-CVE-2016-1238-completely.patch +# Do not search cpan -j file in @INC, required for +# Fix-CVE-2016-1238-completely.patch, CPAN RT#116507 +Patch10: CPAN-2.14-Do-not-search-cpan-j-file-in-INC.patch BuildArch: noarch BuildRequires: coreutils BuildRequires: findutils @@ -213,6 +216,7 @@ external download clients to fetch distributions from the net. %patch7 -p1 %patch8 -p1 %patch9 -p1 +%patch10 -p1 # Change configuration name find -type f -exec sed -i -e 's/XCPANCONFIGNAMEX/cpan/g' {} \; # Remove bundled modules @@ -239,6 +243,10 @@ make test %{_mandir}/man3/* %changelog +* Tue Oct 18 2016 Petr Pisar - 2.14-3 +- Apply remains of CVE-2016-1238 fix from perl (CPAN RT#116507) +- Do not search cpan -j file in @INC (CPAN RT#116507) + * Wed Oct 12 2016 Petr Pisar - 2.14-2 - Fix CVE-2016-1238 properly (CPAN RT#116507)