64 lines
1.8 KiB
Diff
64 lines
1.8 KiB
Diff
From 705b9f68906d584e2d0bf9c2fd634778f1ba9b35 Mon Sep 17 00:00:00 2001
|
|
From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
|
|
Date: Tue, 18 Oct 2016 14:35:09 +0200
|
|
Subject: [PATCH] Fix CVE-2016-1238 completely
|
|
MIME-Version: 1.0
|
|
Content-Type: text/plain; charset=UTF-8
|
|
Content-Transfer-Encoding: 8bit
|
|
|
|
These are remains ported from perl-v5.24.1-RC4 commit:
|
|
|
|
commit 5f66e9fffdc3d0c6e0846cd1f11298e70c786c30
|
|
Author: Tony Cook <tony@develop-help.com>
|
|
Date: Tue Jun 21 10:02:02 2016 +1000
|
|
|
|
(perl #127834) remove . from the end of @INC if complex modules are loaded
|
|
|
|
While currently Encode and Storable are know to attempt to load modules
|
|
not included in the core, updates to other modules may lead to those
|
|
also attempting to load new modules, so be safe and remove . for those
|
|
as well.
|
|
|
|
Signed-off-by: Petr Písař <ppisar@redhat.com>
|
|
---
|
|
lib/CPAN.pm | 4 ++++
|
|
scripts/cpan | 1 +
|
|
2 files changed, 5 insertions(+)
|
|
|
|
diff --git a/lib/CPAN.pm b/lib/CPAN.pm
|
|
index 69cc7b8..ae66eaf 100644
|
|
--- a/lib/CPAN.pm
|
|
+++ b/lib/CPAN.pm
|
|
@@ -1128,6 +1128,8 @@ sub has_usable {
|
|
]
|
|
};
|
|
if ($usable->{$mod}) {
|
|
+ local @INC = @INC;
|
|
+ pop @INC if $INC[-1] eq '.';
|
|
for my $c (0..$#{$usable->{$mod}}) {
|
|
my $code = $usable->{$mod}[$c];
|
|
my $ret = eval { &$code() };
|
|
@@ -1170,6 +1172,8 @@ sub has_inst {
|
|
$CPAN::META->{dontload_hash}{$mod}||=1; # unsafe meta access, ok
|
|
return 0;
|
|
}
|
|
+ local @INC = @INC;
|
|
+ pop @INC if $INC[-1] eq '.';
|
|
my $file = $mod;
|
|
my $obj;
|
|
$file =~ s|::|/|g;
|
|
diff --git a/scripts/cpan b/scripts/cpan
|
|
index 5555090..cceab30 100644
|
|
--- a/scripts/cpan
|
|
+++ b/scripts/cpan
|
|
@@ -1,5 +1,6 @@
|
|
#!/usr/local/bin/perl
|
|
|
|
+BEGIN { pop @INC if $INC[-1] eq '.' }
|
|
use strict;
|
|
use vars qw($VERSION);
|
|
|
|
--
|
|
2.7.4
|
|
|