Fix CVE-2016-1238 (loading optional modules from current working directory)
This commit is contained in:
parent
3cd333e768
commit
8dadce4f20
|
@ -0,0 +1,82 @@
|
|||
From 394ac06dc5e9e94a81c39c43135d1635f516422e Mon Sep 17 00:00:00 2001
|
||||
From: Tony Cook <tony@develop-help.com>
|
||||
Date: Wed, 27 Jul 2016 12:14:13 +1000
|
||||
Subject: [PATCH] CVE-2016-1238: don't load optional modules from default .
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
App::Cpan attempts to load several optional modules, which an attacker
|
||||
can use if cpan is run from a directory writable by other users, such
|
||||
as /tmp.
|
||||
|
||||
Signed-off-by: Petr Písař <ppisar@redhat.com>
|
||||
---
|
||||
lib/App/Cpan.pm | 21 ++++++++++++++++-----
|
||||
1 file changed, 16 insertions(+), 5 deletions(-)
|
||||
|
||||
diff --git a/lib/App/Cpan.pm b/lib/App/Cpan.pm
|
||||
index f43dea9..c654c2c 100644
|
||||
--- a/lib/App/Cpan.pm
|
||||
+++ b/lib/App/Cpan.pm
|
||||
@@ -549,9 +549,20 @@ sub AUTOLOAD { 1 }
|
||||
sub DESTROY { 1 }
|
||||
}
|
||||
|
||||
+# load a module without searching the default entry for the current
|
||||
+# directory
|
||||
+sub _safe_load_module {
|
||||
+ my $name = shift;
|
||||
+
|
||||
+ local @INC = @INC;
|
||||
+ pop @INC if $INC[-1] eq '.';
|
||||
+
|
||||
+ eval "require $name; 1";
|
||||
+}
|
||||
+
|
||||
sub _init_logger
|
||||
{
|
||||
- my $log4perl_loaded = eval "require Log::Log4perl; 1";
|
||||
+ my $log4perl_loaded = _safe_load_module("Log::Log4perl");
|
||||
|
||||
unless( $log4perl_loaded )
|
||||
{
|
||||
@@ -1020,7 +1031,7 @@ sub _load_local_lib # -I
|
||||
{
|
||||
$logger->debug( "Loading local::lib" );
|
||||
|
||||
- my $rc = eval { require local::lib; 1; };
|
||||
+ my $rc = _safe_load_module("local::lib");
|
||||
unless( $rc ) {
|
||||
$logger->die( "Could not load local::lib" );
|
||||
}
|
||||
@@ -1160,7 +1171,7 @@ sub _get_file
|
||||
{
|
||||
my $path = shift;
|
||||
|
||||
- my $loaded = eval "require LWP::Simple; 1;";
|
||||
+ my $loaded = _safe_load_module("LWP::Simple");
|
||||
croak "You need LWP::Simple to use features that fetch files from CPAN\n"
|
||||
unless $loaded;
|
||||
|
||||
@@ -1182,7 +1193,7 @@ sub _gitify
|
||||
{
|
||||
my $args = shift;
|
||||
|
||||
- my $loaded = eval "require Archive::Extract; 1;";
|
||||
+ my $loaded = _safe_load_module("Archive::Extract");
|
||||
croak "You need Archive::Extract to use features that gitify distributions\n"
|
||||
unless $loaded;
|
||||
|
||||
@@ -1245,7 +1256,7 @@ sub _show_Changes
|
||||
sub _get_changes_file
|
||||
{
|
||||
croak "Reading Changes files requires LWP::Simple and URI\n"
|
||||
- unless eval "require LWP::Simple; require URI; 1";
|
||||
+ unless _safe_load_module("LWP::Simple") && _safe_load_module("URI");
|
||||
|
||||
my $url = shift;
|
||||
|
||||
--
|
||||
2.7.4
|
||||
|
|
@ -19,6 +19,9 @@ Patch3: CPAN-2.14-Emergency-fix-for-cpan-o.patch
|
|||
Patch4: CPAN-2.14-Prevent-trying-Net-FTP-when-an-ftp_proxy-variable-is.patch
|
||||
# Recognize URL schemata disregarding the case, fixed after 2.14
|
||||
Patch5: CPAN-2.14-URL-schemes-are-case-tolerant-so-the-regexp-should-h.patch
|
||||
# Fix CVE-2016-1238 (loading optional modules from current working directory),
|
||||
# CPAN RT#116507, fixed after 2.14
|
||||
Patch6: CPAN-2.14-CVE-2016-1238-don-t-load-optional-modules-from-defau.patch
|
||||
BuildArch: noarch
|
||||
BuildRequires: coreutils
|
||||
BuildRequires: findutils
|
||||
|
@ -200,6 +203,7 @@ external download clients to fetch distributions from the net.
|
|||
%patch3 -p1
|
||||
%patch4 -p1
|
||||
%patch5 -p1
|
||||
%patch6 -p1
|
||||
# Change configuration name
|
||||
find -type f -exec sed -i -e 's/XCPANCONFIGNAMEX/cpan/g' {} \;
|
||||
# Remove bundled modules
|
||||
|
@ -233,6 +237,7 @@ make test
|
|||
- Do not use Net::FTP if ftp_proxy variable points to an HTTP server
|
||||
(CPAN RT#110833)
|
||||
- Recognize URL schemata disregarding the case
|
||||
- Fix CVE-2016-1238 (loading optional modules from current working directory)
|
||||
|
||||
* Wed May 18 2016 Jitka Plesnikova <jplesnik@redhat.com> - 2.11-366
|
||||
- Perl 5.24 re-rebuild of bootstrapped packages
|
||||
|
|
Loading…
Reference in New Issue