Avoid loading optional modules from default . (CVE-2016-1238)

This commit is contained in:
Jitka Plesnikova 2016-08-02 17:32:05 +02:00
parent 4526b63a70
commit 0387ba0667
2 changed files with 30 additions and 1 deletions

View File

@ -0,0 +1,23 @@
diff -ru IO-Compress-2.069-orig/bin/zipdetails IO-Compress-2.069/bin/zipdetails
--- IO-Compress-2.069-orig/bin/zipdetails 2014-01-31 07:52:56.000000000 +1100
+++ IO-Compress-2.069/bin/zipdetails 2016-07-28 10:10:17.812926303 +1000
@@ -5,6 +5,7 @@
# Display info on the contents of a Zip file
#
+BEGIN { pop @INC if $INC[-1] eq '.' }
use strict;
use warnings ;
diff -ru IO-Compress-2.069-orig/lib/IO/Uncompress/AnyUncompress.pm IO-Compress-2.069/lib/IO/Uncompress/AnyUncompress.pm
--- IO-Compress-2.069-orig/lib/IO/Uncompress/AnyUncompress.pm 2015-09-27 04:34:31.000000000 +1000
+++ IO-Compress-2.069/lib/IO/Uncompress/AnyUncompress.pm 2016-07-28 10:08:45.064332089 +1000
@@ -27,6 +27,8 @@
BEGIN
{
+ local @INC = @INC;
+ pop @INC if $INC[-1] eq '.';
eval ' use IO::Uncompress::Adapter::Inflate 2.069 ;';
eval ' use IO::Uncompress::Adapter::Bunzip2 2.069 ;';
eval ' use IO::Uncompress::Adapter::LZO 2.069 ;';

View File

@ -3,12 +3,14 @@
Name: perl-IO-Compress
Version: 2.069
Release: 366%{?dist}
Release: 367%{?dist}
Summary: Read and write compressed data
License: GPL+ or Artistic
Group: Development/Libraries
URL: http://search.cpan.org/dist/IO-Compress/
Source0: http://search.cpan.org/CPAN/authors/id/P/PM/PMQS/IO-Compress-%{version}.tar.gz
# Avoid loading optional modules from default . (CVE-2016-1238)
Patch0: IO-Compress-2.069-CVE-2016-1238-avoid-loading-optional-modules-from.patch
BuildArch: noarch
# Module Build
BuildRequires: coreutils
@ -81,6 +83,7 @@ included with the IO-Compress distribution:
%prep
%setup -q -n IO-Compress-%{version}
%patch0 -p1
# Remove spurious exec permissions
chmod -c -x lib/IO/Uncompress/{Adapter/Identity,RawInflate}.pm
@ -131,6 +134,9 @@ make test COMPRESS_ZLIB_RUN_%{?with_long_tests:ALL}%{!?with_long_tests:MOST}=1
%{_mandir}/man3/IO::Uncompress::*.3*
%changelog
* Tue Aug 02 2016 Jitka Plesnikova <jplesnik@redhat.com> - 2.069-367
- Avoid loading optional modules from default . (CVE-2016-1238)
* Wed May 18 2016 Jitka Plesnikova <jplesnik@redhat.com> - 2.069-366
- Perl 5.24 re-rebuild of bootstrapped packages