From 705b9f68906d584e2d0bf9c2fd634778f1ba9b35 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?=
Date: Tue, 18 Oct 2016 14:35:09 +0200
Subject: [PATCH] Fix CVE-2016-1238 completely
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
These are remains ported from perl-v5.24.1-RC4 commit:
commit 5f66e9fffdc3d0c6e0846cd1f11298e70c786c30
Author: Tony Cook
Date: Tue Jun 21 10:02:02 2016 +1000
(perl #127834) remove . from the end of @INC if complex modules are loaded
While currently Encode and Storable are know to attempt to load modules not included in the core, updates to other modules may lead to those also attempting to load new modules, so be safe and remove . for those as well.
Signed-off-by: Petr Písař
---
 lib/CPAN.pm | 4 ++++
 scripts/cpan | 1 +
 2 files changed, 5 insertions(+)
diff --git a/lib/CPAN.pm b/lib/CPAN.pm
index 69cc7b8..ae66eaf 100644
--- a/lib/CPAN.pm
+++ b/lib/CPAN.pm
@@ -1128,6 +1128,8 @@ sub has_usable {
 ]
 };
 if ($usable->{$mod}) {
+ local @INC = @INC;
+ pop @INC if $INC[-1] eq '.';
 for my $c (0..$#{$usable->{$mod}}) {
 my $code = $usable->{$mod}[$c];
 my $ret = eval { &$code() };
@@ -1170,6 +1172,8 @@ sub has_inst {
 $CPAN::META->{dontload_hash}{$mod}||=1; # unsafe meta access, ok
 return 0;
 }
+ local @INC = @INC;
+ pop @INC if $INC[-1] eq '.';
 my $file = $mod;
 my $obj;
 $file =~ s|::|/|g;
diff --git a/scripts/cpan b/scripts/cpan
index 5555090..cceab30 100644
--- a/scripts/cpan
+++ b/scripts/cpan
@@ -1,5 +1,6 @@
 #!/usr/local/bin/perl
+BEGIN { pop @INC if $INC[-1] eq '.' }
 use strict;
 use vars qw($VERSION);
-- 
2.7.4
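Review bot: The two lines added inside `if ($usable->{$mod}) {` in has_usable have no comment, so nothing in CPAN.pm says why only the last @INC entry is tested or that the `local` copy is what confines the change to this block. I would put `# CVE-2016-1238: drop the implicit trailing '.' so optional modules are not loaded from the current directory` above `local @INC = @INC;`, and repeat it above the identical pair in has_inst. Without that, the pair looks like leftover debugging and is easy to delete in a later cleanup. The body of has_usable starts and ends outside the hunk.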
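Review bot: The guard added to has_inst is position-sensitive: `pop @INC if $INC[-1] eq '.'` removes `.` only when it is the final element, so it has no effect once any earlier code path has appended a directory behind it. Whether CPAN.pm ever pushes onto @INC before has_inst runs is not visible here and is worth checking, since the module loading that follows in this sub would then still search the current directory. If the trailing-only test is deliberate, so that an explicitly configured `.` is still honoured, record that next to the guard, for example `# only the default trailing '.' is removed; an explicit '.' elsewhere in @INC is left alone`. The same applies to the pair in has_usable; the rest of has_inst lies outside the hunk.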
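Review bot: Nothing marks the new `BEGIN { pop @INC if $INC[-1] eq '.' }` line in scripts/cpan as order-sensitive, yet it only protects modules loaded after it runs, so it has to stay above `use strict;` and every other `use`. A one-line comment would keep a later tidy-up from moving it below the pragmas, for example `# must stay first: remove the implicit trailing '.' from @INC before any module is loaded (CVE-2016-1238)`. Unlike the CPAN.pm hunks this pop is not localized and lasts for the whole process, which looks intended for a script entry point but is also worth stating in that comment.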