From b4dcef779c82bc63f6caeab0e8548178e920bbd0 Mon Sep 17 00:00:00 2001
From: Jitka Plesnikova
Date: Wed, 3 Aug 2016 08:26:40 +0200
Subject: [PATCH] Avoid loading optional modules from default . (CVE-2016-1238)
---
 ...-avoid-loading-optional-modules-from.patch | 23 +++++++++++++++++++
 perl-IO-Compress.spec | 8 ++++++-
 2 files changed, 30 insertions(+), 1 deletion(-)
 create mode 100644 IO-Compress-2.069-CVE-2016-1238-avoid-loading-optional-modules-from.patch
diff --git a/IO-Compress-2.069-CVE-2016-1238-avoid-loading-optional-modules-from.patch b/IO-Compress-2.069-CVE-2016-1238-avoid-loading-optional-modules-from.patch
new file mode 100644
index 0000000..ec3c056
--- /dev/null
+++ b/IO-Compress-2.069-CVE-2016-1238-avoid-loading-optional-modules-from.patch
@@ -0,0 +1,23 @@
+diff -ru IO-Compress-2.069-orig/bin/zipdetails IO-Compress-2.069/bin/zipdetails
+--- IO-Compress-2.069-orig/bin/zipdetails 2014-01-31 07:52:56.000000000 +1100
++++ IO-Compress-2.069/bin/zipdetails 2016-07-28 10:10:17.812926303 +1000
+@@ -5,6 +5,7 @@
+ # Display info on the contents of a Zip file
+ #
+
++BEGIN { pop @INC if $INC[-1] eq '.' }
+ use strict;
+ use warnings ;
+
+diff -ru IO-Compress-2.069-orig/lib/IO/Uncompress/AnyUncompress.pm IO-Compress-2.069/lib/IO/Uncompress/AnyUncompress.pm
+--- IO-Compress-2.069-orig/lib/IO/Uncompress/AnyUncompress.pm 2015-09-27 04:34:31.000000000 +1000
++++ IO-Compress-2.069/lib/IO/Uncompress/AnyUncompress.pm 2016-07-28 10:08:45.064332089 +1000
+@@ -27,6 +27,8 @@
+
+ BEGIN
+ {
++ local @INC = @INC;
++ pop @INC if $INC[-1] eq '.';
+ eval ' use IO::Uncompress::Adapter::Inflate 2.069 ;';
+ eval ' use IO::Uncompress::Adapter::Bunzip2 2.069 ;';
+ eval ' use IO::Uncompress::Adapter::LZO 2.069 ;';
diff --git a/perl-IO-Compress.spec b/perl-IO-Compress.spec
index 1404219..9cc9b90 100644
--- a/perl-IO-Compress.spec
+++ b/perl-IO-Compress.spec
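Review bot: Neither `@INC` guard in the new patch says why only a trailing `'.'` is removed, nor why `AnyUncompress.pm` uses `local` while `zipdetails` pops the global list; add `# CVE-2016-1238: drop perl's implicit trailing '.' so the optional-module loads below cannot resolve to a file in the current directory` above `local @INC = @INC;`, and a one-line equivalent above the `BEGIN` in zipdetails. The `local` is scoped to that `BEGIN` block, so every `eval ' use ... '` inside it compiles against the sanitized list and the caller's `@INC` is restored afterwards; the block continues past the end of the hunk, so the adapter loads not shown here are presumably covered as well, which the comment should state. Because the test is `$INC[-1] eq '.'`, a `'.'` that sits anywhere else in `@INC` (e.g. one added deliberately) is left in place; if that is the intended behaviour, say so, since a reader may otherwise expect every `'.'` entry to be stripped.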
@@ -3,12 +3,14 @@
 Name: perl-IO-Compress
 Version: 2.069
-Release: 2%{?dist}
+Release: 3%{?dist}
 Summary: Read and write compressed data
 License: GPL+ or Artistic
 Group: Development/Libraries
 URL: http://search.cpan.org/dist/IO-Compress/
 Source0: http://search.cpan.org/CPAN/authors/id/P/PM/PMQS/IO-Compress-%{version}.tar.gz
+# Avoid loading optional modules from default . (CVE-2016-1238)
+Patch0: IO-Compress-2.069-CVE-2016-1238-avoid-loading-optional-modules-from.patch
 BuildArch: noarch
 # Module Build
 BuildRequires: coreutils
@@ -80,6 +82,7 @@ included with the IO-Compress distribution:
 %prep
 %setup -q -n IO-Compress-%{version}
+%patch0 -p1
 # Remove spurious exec permissions
 chmod -c -x lib/IO/Uncompress/{Adapter/Identity,RawInflate}.pm
@@ -130,6 +133,9 @@ make test COMPRESS_ZLIB_RUN_%{?with_long_tests:ALL}%{!?with_long_tests:MOST}=1
 %{_mandir}/man3/IO::Uncompress::*.3*
 %changelog
+* Tue Aug 02 2016 Jitka Plesnikova - 2.069-3
+- Avoid loading optional modules from default . (CVE-2016-1238)
+
 * Thu Feb 04 2016 Fedora Release Engineering - 2.069-2
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild