Fix CVE-2016-1238 (loading optional modules from current working directory)

CPAN-2.14-CVE-2016-1238-don-t-load-optional-modules-from-defau.patch

@@ -0,0 +1,82 @@
+From 394ac06dc5e9e94a81c39c43135d1635f516422e Mon Sep 17 00:00:00 2001
+From: Tony Cook <tony@develop-help.com>
+Date: Wed, 27 Jul 2016 12:14:13 +1000
+Subject: [PATCH] CVE-2016-1238: don't load optional modules from default .
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+App::Cpan attempts to load several optional modules, which an attacker
+can use if cpan is run from a directory writable by other users, such
+as /tmp.
+
+Signed-off-by: Petr Písař <ppisar@redhat.com>
+---
+ lib/App/Cpan.pm | 21 ++++++++++++++++-----
+ 1 file changed, 16 insertions(+), 5 deletions(-)
+
+diff --git a/lib/App/Cpan.pm b/lib/App/Cpan.pm
+index f43dea9..c654c2c 100644
+--- a/lib/App/Cpan.pm
++++ b/lib/App/Cpan.pm
+@@ -549,9 +549,20 @@ sub AUTOLOAD { 1 }
+ sub DESTROY { 1 }
+ }
+ 
++# load a module without searching the default entry for the current
++# directory
++sub _safe_load_module {
++    my $name = shift;
++
++    local @INC = @INC;
++    pop @INC if $INC[-1] eq '.';
++
++    eval "require $name; 1";
++}
++
+ sub _init_logger
+ 	{
+-	my $log4perl_loaded = eval "require Log::Log4perl; 1";
++	my $log4perl_loaded = _safe_load_module("Log::Log4perl");
+ 
+     unless( $log4perl_loaded )
+         {
+@@ -1020,7 +1031,7 @@ sub _load_local_lib # -I
+ 	{
+ 	$logger->debug( "Loading local::lib" );
+ 
+-	my $rc = eval { require local::lib; 1; };
++	my $rc = _safe_load_module("local::lib");
+ 	unless( $rc ) {
+ 		$logger->die( "Could not load local::lib" );
+ 		}
+@@ -1160,7 +1171,7 @@ sub _get_file
+ 	{
+ 	my $path = shift;
+ 
+-	my $loaded = eval "require LWP::Simple; 1;";
++	my $loaded = _safe_load_module("LWP::Simple");
+ 	croak "You need LWP::Simple to use features that fetch files from CPAN\n"
+ 		unless $loaded;
+ 
+@@ -1182,7 +1193,7 @@ sub _gitify
+ 	{
+ 	my $args = shift;
+ 
+-	my $loaded = eval "require Archive::Extract; 1;";
++	my $loaded = _safe_load_module("Archive::Extract");
+ 	croak "You need Archive::Extract to use features that gitify distributions\n"
+ 		unless $loaded;
+ 
+@@ -1245,7 +1256,7 @@ sub _show_Changes
+ sub _get_changes_file
+ 	{
+ 	croak "Reading Changes files requires LWP::Simple and URI\n"
+-		unless eval "require LWP::Simple; require URI; 1";
++		unless _safe_load_module("LWP::Simple") && _safe_load_module("URI");
+ 
+     my $url = shift;
+ 
+-- 
+2.7.4
+

perl-CPAN.spec

@@ -19,6 +19,9 @@ Patch3:         CPAN-2.14-Emergency-fix-for-cpan-o.patch
 Patch4:         CPAN-2.14-Prevent-trying-Net-FTP-when-an-ftp_proxy-variable-is.patch
 # Recognize URL schemata disregarding the case, fixed after 2.14
 Patch5:         CPAN-2.14-URL-schemes-are-case-tolerant-so-the-regexp-should-h.patch
+# Fix CVE-2016-1238 (loading optional modules from current working directory),
+# CPAN RT#116507, fixed after 2.14
+Patch6:         CPAN-2.14-CVE-2016-1238-don-t-load-optional-modules-from-defau.patch
 BuildArch:      noarch
 BuildRequires:  coreutils
 BuildRequires:  findutils
@@ -200,6 +203,7 @@ external download clients to fetch distributions from the net.
 %patch3 -p1
 %patch4 -p1
 %patch5 -p1
+%patch6 -p1
 # Change configuration name
 find -type f -exec sed -i -e 's/XCPANCONFIGNAMEX/cpan/g' {} \;
 # Remove bundled modules
@@ -233,6 +237,7 @@ make test
 - Do not use Net::FTP if ftp_proxy variable points to an HTTP server
   (CPAN RT#110833)
 - Recognize URL schemata disregarding the case
+- Fix CVE-2016-1238 (loading optional modules from current working directory)
 
 * Wed May 18 2016 Jitka Plesnikova <jplesnik@redhat.com> - 2.11-366
 - Perl 5.24 re-rebuild of bootstrapped packages