Apply remains of CVE-2016-1238 fix from perl
This require different logic for locating file from -j argument.
This commit is contained in:
parent
df7a613c62
commit
5ec96d5ccb
40
CPAN-2.14-Do-not-search-cpan-j-file-in-INC.patch
Normal file
40
CPAN-2.14-Do-not-search-cpan-j-file-in-INC.patch
Normal file
@ -0,0 +1,40 @@
|
|||||||
|
From 2630498e13ce17ef601f532e4ecec5c0489c72b5 Mon Sep 17 00:00:00 2001
|
||||||
|
From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
|
||||||
|
Date: Tue, 18 Oct 2016 17:59:58 +0200
|
||||||
|
Subject: [PATCH] Do not search cpan -j file in @INC
|
||||||
|
MIME-Version: 1.0
|
||||||
|
Content-Type: text/plain; charset=UTF-8
|
||||||
|
Content-Transfer-Encoding: 8bit
|
||||||
|
|
||||||
|
After removing "." from @INC (CVE-2016-1238), loading explictly
|
||||||
|
specified configuration file with cpan -j using relative path failed.
|
||||||
|
This is because relative paths are subject to @INC search within the
|
||||||
|
"require" function.
|
||||||
|
|
||||||
|
Because cpan already checks the file exists before loading it, it's
|
||||||
|
clear the intention is to load only that file (relative to current
|
||||||
|
working directory).
|
||||||
|
|
||||||
|
Therefore this patch turnes the configuration file name into into
|
||||||
|
absolute path before loading it by "require" function.
|
||||||
|
|
||||||
|
Signed-off-by: Petr Písař <ppisar@redhat.com>
|
||||||
|
---
|
||||||
|
lib/App/Cpan.pm | 1 +
|
||||||
|
1 file changed, 1 insertion(+)
|
||||||
|
|
||||||
|
diff --git a/lib/App/Cpan.pm b/lib/App/Cpan.pm
|
||||||
|
index c654c2c..0f42913 100644
|
||||||
|
--- a/lib/App/Cpan.pm
|
||||||
|
+++ b/lib/App/Cpan.pm
|
||||||
|
@@ -1100,6 +1100,7 @@ sub _load_config # -j
|
||||||
|
delete $INC{'CPAN/Config.pm'};
|
||||||
|
croak( "Config file [$file] does not exist!\n" ) unless -e $file;
|
||||||
|
|
||||||
|
+ $file = File::Spec->rel2abs($file);
|
||||||
|
my $rc = eval "require '$file'";
|
||||||
|
|
||||||
|
# CPAN::HandleConfig::require_myconfig_or_config looks for this
|
||||||
|
--
|
||||||
|
2.7.4
|
||||||
|
|
63
CPAN-2.14-Fix-CVE-2016-1238-completely.patch
Normal file
63
CPAN-2.14-Fix-CVE-2016-1238-completely.patch
Normal file
@ -0,0 +1,63 @@
|
|||||||
|
From 705b9f68906d584e2d0bf9c2fd634778f1ba9b35 Mon Sep 17 00:00:00 2001
|
||||||
|
From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
|
||||||
|
Date: Tue, 18 Oct 2016 14:35:09 +0200
|
||||||
|
Subject: [PATCH] Fix CVE-2016-1238 completely
|
||||||
|
MIME-Version: 1.0
|
||||||
|
Content-Type: text/plain; charset=UTF-8
|
||||||
|
Content-Transfer-Encoding: 8bit
|
||||||
|
|
||||||
|
These are remains ported from perl-v5.24.1-RC4 commit:
|
||||||
|
|
||||||
|
commit 5f66e9fffdc3d0c6e0846cd1f11298e70c786c30
|
||||||
|
Author: Tony Cook <tony@develop-help.com>
|
||||||
|
Date: Tue Jun 21 10:02:02 2016 +1000
|
||||||
|
|
||||||
|
(perl #127834) remove . from the end of @INC if complex modules are loaded
|
||||||
|
|
||||||
|
While currently Encode and Storable are know to attempt to load modules
|
||||||
|
not included in the core, updates to other modules may lead to those
|
||||||
|
also attempting to load new modules, so be safe and remove . for those
|
||||||
|
as well.
|
||||||
|
|
||||||
|
Signed-off-by: Petr Písař <ppisar@redhat.com>
|
||||||
|
---
|
||||||
|
lib/CPAN.pm | 4 ++++
|
||||||
|
scripts/cpan | 1 +
|
||||||
|
2 files changed, 5 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/lib/CPAN.pm b/lib/CPAN.pm
|
||||||
|
index 69cc7b8..ae66eaf 100644
|
||||||
|
--- a/lib/CPAN.pm
|
||||||
|
+++ b/lib/CPAN.pm
|
||||||
|
@@ -1128,6 +1128,8 @@ sub has_usable {
|
||||||
|
]
|
||||||
|
};
|
||||||
|
if ($usable->{$mod}) {
|
||||||
|
+ local @INC = @INC;
|
||||||
|
+ pop @INC if $INC[-1] eq '.';
|
||||||
|
for my $c (0..$#{$usable->{$mod}}) {
|
||||||
|
my $code = $usable->{$mod}[$c];
|
||||||
|
my $ret = eval { &$code() };
|
||||||
|
@@ -1170,6 +1172,8 @@ sub has_inst {
|
||||||
|
$CPAN::META->{dontload_hash}{$mod}||=1; # unsafe meta access, ok
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
+ local @INC = @INC;
|
||||||
|
+ pop @INC if $INC[-1] eq '.';
|
||||||
|
my $file = $mod;
|
||||||
|
my $obj;
|
||||||
|
$file =~ s|::|/|g;
|
||||||
|
diff --git a/scripts/cpan b/scripts/cpan
|
||||||
|
index 5555090..cceab30 100644
|
||||||
|
--- a/scripts/cpan
|
||||||
|
+++ b/scripts/cpan
|
||||||
|
@@ -1,5 +1,6 @@
|
||||||
|
#!/usr/local/bin/perl
|
||||||
|
|
||||||
|
+BEGIN { pop @INC if $INC[-1] eq '.' }
|
||||||
|
use strict;
|
||||||
|
use vars qw($VERSION);
|
||||||
|
|
||||||
|
--
|
||||||
|
2.7.4
|
||||||
|
|
@ -1,45 +0,0 @@
|
|||||||
From 9b0b275d923418306cb3c45bb380bd9dcc71476c Mon Sep 17 00:00:00 2001
|
|
||||||
From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
|
|
||||||
Date: Wed, 12 Oct 2016 16:56:41 +0200
|
|
||||||
Subject: [PATCH] Fix CVE-2016-1238 properly
|
|
||||||
MIME-Version: 1.0
|
|
||||||
Content-Type: text/plain; charset=UTF-8
|
|
||||||
Content-Transfer-Encoding: 8bit
|
|
||||||
|
|
||||||
Removing "." from @INC does not work because CPAN module translates
|
|
||||||
all relative paths into absolute paths. Check for $INC[-1] eq '.'
|
|
||||||
sooner.
|
|
||||||
|
|
||||||
Signed-off-by: Petr Písař <ppisar@redhat.com>
|
|
||||||
---
|
|
||||||
lib/App/Cpan.pm | 8 +++++++-
|
|
||||||
1 file changed, 7 insertions(+), 1 deletion(-)
|
|
||||||
|
|
||||||
diff --git a/lib/App/Cpan.pm b/lib/App/Cpan.pm
|
|
||||||
index c654c2c..ce7afe5 100644
|
|
||||||
--- a/lib/App/Cpan.pm
|
|
||||||
+++ b/lib/App/Cpan.pm
|
|
||||||
@@ -1,5 +1,11 @@
|
|
||||||
package App::Cpan;
|
|
||||||
|
|
||||||
+# CPAN module translantes @INC, CPAN RT#116507
|
|
||||||
+my $last_inc_is_dot;
|
|
||||||
+BEGIN {
|
|
||||||
+ $last_inc_is_dot = $INC[-1] eq '.';
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
use strict;
|
|
||||||
use warnings;
|
|
||||||
use vars qw($VERSION);
|
|
||||||
@@ -555,7 +561,7 @@ sub _safe_load_module {
|
|
||||||
my $name = shift;
|
|
||||||
|
|
||||||
local @INC = @INC;
|
|
||||||
- pop @INC if $INC[-1] eq '.';
|
|
||||||
+ pop @INC if $last_inc_is_dot;
|
|
||||||
|
|
||||||
eval "require $name; 1";
|
|
||||||
}
|
|
||||||
--
|
|
||||||
2.7.4
|
|
||||||
|
|
@ -1,6 +1,6 @@
|
|||||||
Name: perl-CPAN
|
Name: perl-CPAN
|
||||||
Version: 2.14
|
Version: 2.14
|
||||||
Release: 2%{?dist}
|
Release: 3%{?dist}
|
||||||
Summary: Query, download and build perl modules from CPAN sites
|
Summary: Query, download and build perl modules from CPAN sites
|
||||||
License: GPL+ or Artistic
|
License: GPL+ or Artistic
|
||||||
Group: Development/Libraries
|
Group: Development/Libraries
|
||||||
@ -26,8 +26,11 @@ Patch6: CPAN-2.14-CVE-2016-1238-don-t-load-optional-modules-from-defau.p
|
|||||||
Patch7: CPAN-2.14-Bugfix-47934-version-requirement-with-was-ignored.patch
|
Patch7: CPAN-2.14-Bugfix-47934-version-requirement-with-was-ignored.patch
|
||||||
# Cope with non-digit version strings, fixed after 2.14
|
# Cope with non-digit version strings, fixed after 2.14
|
||||||
Patch8: CPAN-2.14-accepts_module-must-be-protected-with-an-eval.patch
|
Patch8: CPAN-2.14-accepts_module-must-be-protected-with-an-eval.patch
|
||||||
# Fix CVE-2016-1238 properly, CPAN RT#116507
|
# Fix CVE-2016-1238 completely, CPAN RT#116507
|
||||||
Patch9: CPAN-2.14-Fix-CVE-2016-1238-properly.patch
|
Patch9: CPAN-2.14-Fix-CVE-2016-1238-completely.patch
|
||||||
|
# Do not search cpan -j file in @INC, required for
|
||||||
|
# Fix-CVE-2016-1238-completely.patch, CPAN RT#116507
|
||||||
|
Patch10: CPAN-2.14-Do-not-search-cpan-j-file-in-INC.patch
|
||||||
BuildArch: noarch
|
BuildArch: noarch
|
||||||
BuildRequires: coreutils
|
BuildRequires: coreutils
|
||||||
BuildRequires: findutils
|
BuildRequires: findutils
|
||||||
@ -213,6 +216,7 @@ external download clients to fetch distributions from the net.
|
|||||||
%patch7 -p1
|
%patch7 -p1
|
||||||
%patch8 -p1
|
%patch8 -p1
|
||||||
%patch9 -p1
|
%patch9 -p1
|
||||||
|
%patch10 -p1
|
||||||
# Change configuration name
|
# Change configuration name
|
||||||
find -type f -exec sed -i -e 's/XCPANCONFIGNAMEX/cpan/g' {} \;
|
find -type f -exec sed -i -e 's/XCPANCONFIGNAMEX/cpan/g' {} \;
|
||||||
# Remove bundled modules
|
# Remove bundled modules
|
||||||
@ -239,6 +243,10 @@ make test
|
|||||||
%{_mandir}/man3/*
|
%{_mandir}/man3/*
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Tue Oct 18 2016 Petr Pisar <ppisar@redhat.com> - 2.14-3
|
||||||
|
- Apply remains of CVE-2016-1238 fix from perl (CPAN RT#116507)
|
||||||
|
- Do not search cpan -j file in @INC (CPAN RT#116507)
|
||||||
|
|
||||||
* Wed Oct 12 2016 Petr Pisar <ppisar@redhat.com> - 2.14-2
|
* Wed Oct 12 2016 Petr Pisar <ppisar@redhat.com> - 2.14-2
|
||||||
- Fix CVE-2016-1238 properly (CPAN RT#116507)
|
- Fix CVE-2016-1238 properly (CPAN RT#116507)
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user