Fix CVE-2016-1238 properly
This commit is contained in:
Petr Písař
parent
58510aed74
commit
df7a613c62
|
|
@ -0,0 +1,45 @@
|
|||
From 9b0b275d923418306cb3c45bb380bd9dcc71476c Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
|
||||
Date: Wed, 12 Oct 2016 16:56:41 +0200
|
||||
Subject: [PATCH] Fix CVE-2016-1238 properly
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Removing "." from @INC does not work because CPAN module translates
|
||||
all relative paths into absolute paths. Check for $INC[-1] eq '.'
|
||||
sooner.
|
||||
|
||||
Signed-off-by: Petr Písař <ppisar@redhat.com>
|
||||
---
|
||||
lib/App/Cpan.pm | 8 +++++++-
|
||||
1 file changed, 7 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/lib/App/Cpan.pm b/lib/App/Cpan.pm
|
||||
index c654c2c..ce7afe5 100644
|
||||
--- a/lib/App/Cpan.pm
|
||||
+++ b/lib/App/Cpan.pm
|
||||
@@ -1,5 +1,11 @@
|
||||
package App::Cpan;
|
||||
|
||||
+# CPAN module translantes @INC, CPAN RT#116507
|
||||
+my $last_inc_is_dot;
|
||||
+BEGIN {
|
||||
+ $last_inc_is_dot = $INC[-1] eq '.';
|
||||
+}
|
||||
+
|
||||
use strict;
|
||||
use warnings;
|
||||
use vars qw($VERSION);
|
||||
@@ -555,7 +561,7 @@ sub _safe_load_module {
|
||||
my $name = shift;
|
||||
|
||||
local @INC = @INC;
|
||||
- pop @INC if $INC[-1] eq '.';
|
||||
+ pop @INC if $last_inc_is_dot;
|
||||
|
||||
eval "require $name; 1";
|
||||
}
|
||||
--
|
||||
2.7.4
|
||||
|
||||
|
|
@ -1,6 +1,6 @@
|
|||
Name: perl-CPAN
|
||||
Version: 2.14
|
||||
Release: 1%{?dist}
|
||||
Release: 2%{?dist}
|
||||
Summary: Query, download and build perl modules from CPAN sites
|
||||
License: GPL+ or Artistic
|
||||
Group: Development/Libraries
|
||||
|
|
@ -26,6 +26,8 @@ Patch6: CPAN-2.14-CVE-2016-1238-don-t-load-optional-modules-from-defau.p
|
|||
Patch7: CPAN-2.14-Bugfix-47934-version-requirement-with-was-ignored.patch
|
||||
# Cope with non-digit version strings, fixed after 2.14
|
||||
Patch8: CPAN-2.14-accepts_module-must-be-protected-with-an-eval.patch
|
||||
# Fix CVE-2016-1238 properly, CPAN RT#116507
|
||||
Patch9: CPAN-2.14-Fix-CVE-2016-1238-properly.patch
|
||||
BuildArch: noarch
|
||||
BuildRequires: coreutils
|
||||
BuildRequires: findutils
|
||||
|
|
@ -210,6 +212,7 @@ external download clients to fetch distributions from the net.
|
|||
%patch6 -p1
|
||||
%patch7 -p1
|
||||
%patch8 -p1
|
||||
%patch9 -p1
|
||||
# Change configuration name
|
||||
find -type f -exec sed -i -e 's/XCPANCONFIGNAMEX/cpan/g' {} \;
|
||||
# Remove bundled modules
|
||||
|
|
@ -236,6 +239,9 @@ make test
|
|||
%{_mandir}/man3/*
|
||||
|
||||
%changelog
|
||||
* Wed Oct 12 2016 Petr Pisar <ppisar@redhat.com> - 2.14-2
|
||||
- Fix CVE-2016-1238 properly (CPAN RT#116507)
|
||||
|
||||
* Mon Jun 27 2016 Petr Pisar <ppisar@redhat.com> - 2.14-1
|
||||
- 2.14 bump
|
||||
- Fix installation from a working directory (CPAN RT#115734)
|
||||
|
|
|
|||
Loading…
Reference in New Issue