From df7a613c62b790af8062a933e4561badee2394e5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
Date: Wed, 12 Oct 2016 17:10:18 +0200
Subject: [PATCH] Fix CVE-2016-1238 properly

---
 CPAN-2.14-Fix-CVE-2016-1238-properly.patch | 45 ++++++++++++++++++++++
 perl-CPAN.spec                             |  8 +++-
 2 files changed, 52 insertions(+), 1 deletion(-)
 create mode 100644 CPAN-2.14-Fix-CVE-2016-1238-properly.patch

diff --git a/CPAN-2.14-Fix-CVE-2016-1238-properly.patch b/CPAN-2.14-Fix-CVE-2016-1238-properly.patch
new file mode 100644
index 0000000..bc5100c
--- /dev/null
+++ b/CPAN-2.14-Fix-CVE-2016-1238-properly.patch
@@ -0,0 +1,45 @@
+From 9b0b275d923418306cb3c45bb380bd9dcc71476c Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
+Date: Wed, 12 Oct 2016 16:56:41 +0200
+Subject: [PATCH] Fix CVE-2016-1238 properly
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Removing "." from @INC does not work because CPAN module translates
+all relative paths into absolute paths. Check for $INC[-1] eq '.'
+sooner.
+
+Signed-off-by: Petr Písař <ppisar@redhat.com>
+---
+ lib/App/Cpan.pm | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/lib/App/Cpan.pm b/lib/App/Cpan.pm
+index c654c2c..ce7afe5 100644
+--- a/lib/App/Cpan.pm
++++ b/lib/App/Cpan.pm
+@@ -1,5 +1,11 @@
+ package App::Cpan;
+ 
++# CPAN module translantes @INC, CPAN RT#116507
++my $last_inc_is_dot;
++BEGIN {
++    $last_inc_is_dot = $INC[-1] eq '.';
++}
++
+ use strict;
+ use warnings;
+ use vars qw($VERSION);
+@@ -555,7 +561,7 @@ sub _safe_load_module {
+     my $name = shift;
+ 
+     local @INC = @INC;
+-    pop @INC if $INC[-1] eq '.';
++    pop @INC if $last_inc_is_dot;
+ 
+     eval "require $name; 1";
+ }
+-- 
+2.7.4
+
diff --git a/perl-CPAN.spec b/perl-CPAN.spec
index 6724388..05cc4a7 100644
--- a/perl-CPAN.spec
+++ b/perl-CPAN.spec
@@ -1,6 +1,6 @@
 Name:           perl-CPAN
 Version:        2.14
-Release:        1%{?dist}
+Release:        2%{?dist}
 Summary:        Query, download and build perl modules from CPAN sites
 License:        GPL+ or Artistic
 Group:          Development/Libraries
@@ -26,6 +26,8 @@ Patch6:         CPAN-2.14-CVE-2016-1238-don-t-load-optional-modules-from-defau.p
 Patch7:         CPAN-2.14-Bugfix-47934-version-requirement-with-was-ignored.patch
 # Cope with non-digit version strings, fixed after 2.14
 Patch8:         CPAN-2.14-accepts_module-must-be-protected-with-an-eval.patch
+# Fix CVE-2016-1238 properly, CPAN RT#116507
+Patch9:         CPAN-2.14-Fix-CVE-2016-1238-properly.patch
 BuildArch:      noarch
 BuildRequires:  coreutils
 BuildRequires:  findutils
@@ -210,6 +212,7 @@ external download clients to fetch distributions from the net.
 %patch6 -p1
 %patch7 -p1
 %patch8 -p1
+%patch9 -p1
 # Change configuration name
 find -type f -exec sed -i -e 's/XCPANCONFIGNAMEX/cpan/g' {} \;
 # Remove bundled modules
@@ -236,6 +239,9 @@ make test
 %{_mandir}/man3/*
 
 %changelog
+* Wed Oct 12 2016 Petr Pisar <ppisar@redhat.com> - 2.14-2
+- Fix CVE-2016-1238 properly (CPAN RT#116507)
+
 * Mon Jun 27 2016 Petr Pisar <ppisar@redhat.com> - 2.14-1
 - 2.14 bump
 - Fix installation from a working directory (CPAN RT#115734)