Avoid loading optional modules from default . (CVE-2016-1238)

PathTools-3.63-CVE-2016-1238-avoid-loading-optional-modules-from.patch

@@ -0,0 +1,62 @@
+diff -up PathTools/Cwd.pm.cve PathTools/Cwd.pm
+--- PathTools/Cwd.pm.cve	2016-03-01 13:33:02.000000000 +0100
++++ PathTools/Cwd.pm	2016-08-02 13:39:39.814316060 +0200
+@@ -40,7 +40,10 @@ if ($^O eq 'os2') {
+ my $use_vms_feature;
+ BEGIN {
+     if ($^O eq 'VMS') {
+-        if (eval { local $SIG{__DIE__}; require VMS::Feature; }) {
++        if (eval { local $SIG{__DIE__};
++                   local @INC = @INC;
++                   pop @INC if $INC[-1] eq '.';
++                   require VMS::Feature; }) {
+             $use_vms_feature = 1;
+         }
+     }
+diff -up PathTools/lib/File/Spec/Cygwin.pm.cve PathTools/lib/File/Spec/Cygwin.pm
+--- PathTools/lib/File/Spec/Cygwin.pm.cve	2016-03-01 13:33:02.000000000 +0100
++++ PathTools/lib/File/Spec/Cygwin.pm	2016-08-02 13:39:39.814316060 +0200
+@@ -137,7 +137,11 @@ sub case_tolerant {
+   if ($mntopts and ($mntopts =~ /,managed/)) {
+     return 0;
+   }
+-  eval { require Win32API::File; } or return 1;
++  eval {
++      local @INC = @INC;
++      pop @INC if $INC[-1] eq '.';
++      require Win32API::File;
++  } or return 1;
+   my $osFsType = "\0"x256;
+   my $osVolName = "\0"x256;
+   my $ouFsFlags = 0;
+diff -up PathTools/lib/File/Spec/VMS.pm.cve PathTools/lib/File/Spec/VMS.pm
+--- PathTools/lib/File/Spec/VMS.pm.cve	2016-03-01 13:33:02.000000000 +0100
++++ PathTools/lib/File/Spec/VMS.pm	2016-08-02 13:39:39.814316060 +0200
+@@ -39,7 +39,10 @@ via the C<DECC$FILENAME_UNIX_REPORT> CRT
+ 
+ my $use_feature;
+ BEGIN {
+-    if (eval { local $SIG{__DIE__}; require VMS::Feature; }) {
++    if (eval { local $SIG{__DIE__};
++               local @INC = @INC;
++               pop @INC if $INC[-1] eq '.';
++               require VMS::Feature; }) {
+         $use_feature = 1;
+     }
+ }
+diff -up PathTools/lib/File/Spec/Win32.pm.cve PathTools/lib/File/Spec/Win32.pm
+--- PathTools/lib/File/Spec/Win32.pm.cve	2016-03-01 13:33:02.000000000 +0100
++++ PathTools/lib/File/Spec/Win32.pm	2016-08-02 13:39:39.814316060 +0200
+@@ -90,7 +90,11 @@ Default: 1
+ =cut
+ 
+ sub case_tolerant {
+-  eval { require Win32API::File; } or return 1;
++  eval {
++    local @INC = @INC;
++    pop @INC if $INC[-1] eq '.';
++    require Win32API::File;
++  } or return 1;
+   my $drive = shift || "C:";
+   my $osFsType = "\0"x256;
+   my $osVolName = "\0"x256;

perl-PathTools.spec

@@ -1,7 +1,7 @@
 %global base_version 3.62
 Name:           perl-PathTools
 Version:        3.63
-Release:        365%{?dist}
+Release:        366%{?dist}
 Summary:        PathTools Perl module (Cwd, File::Spec)
 License:        (GPL+ or Artistic) and BSD
 Group:          Development/Libraries
@@ -11,6 +11,8 @@ Source0:        http://www.cpan.org/authors/id/R/RJ/RJBS/PathTools-%{base_versio
 Patch0:         PathTools-3.47-Disable-VMS-tests.patch
 # Unbundled from perl 5.24.0
 Patch1:         PathTools-3.62-Upgrade-to-3.63.patch
+# Avoid loading optional modules from default . (CVE-2016-1238)
+Patch2:         PathTools-3.63-CVE-2016-1238-avoid-loading-optional-modules-from.patch
 BuildRequires:  coreutils
 BuildRequires:  findutils
 BuildRequires:  gcc
@@ -48,6 +50,7 @@ This is the combined distribution for the File::Spec and Cwd modules.
 %setup -q -n PathTools-%{base_version}
 %patch0 -p1
 %patch1 -p1
+%patch2 -p1
 
 # Do not distribute File::Spec::VMS as it works on VMS only (bug #973713)
 rm lib/File/Spec/VMS.pm
@@ -78,6 +81,9 @@ make test
 %{_mandir}/man3/*
 
 %changelog
+* Wed Aug 03 2016 Jitka Plesnikova <jplesnik@redhat.com> - 3.63-366
+- Avoid loading optional modules from default . (CVE-2016-1238)
+
 * Sat May 14 2016 Jitka Plesnikova <jplesnik@redhat.com> - 3.63-365
 - Increase release to favour standalone package