rpms
/
perl-libnet
2
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Compare commits

merge into: rpms:rawhide
Branches Tags
rpms:rawhide
rpms:f37-riscv64
rpms:f37
rpms:main
rpms:f36
rpms:f35
rpms:f34
rpms:f32
rpms:f33
rpms:f31
rpms:f30
rpms:f29
rpms:f28
rpms:f25
rpms:f26
rpms:f27
rpms:f23
rpms:f24
...
pull from: rpms:f23
Branches Tags
rpms:f37-riscv64
rpms:f37
rpms:main
rpms:rawhide
rpms:f36
rpms:f35
rpms:f34
rpms:f32
rpms:f33
rpms:f31
rpms:f30
rpms:f29
rpms:f28
rpms:f25
rpms:f26
rpms:f27
rpms:f23
rpms:f24

1 Commits
rawhide ... f23

Author SHA1 Message Date
Jitka Plesnikova 97b5c3fc08 Avoid loading Net::LocalCfg from default . (CVE-2016-1238) 2016-08-01 15:53:05 +02:00
2 changed files with 48 additions and 1 deletions
Show Stats Expand all files Collapse all files

40
libnet-3.08-CVE-2016-1238-avoid-loading-Net-LocalCfg-from-defaul.patch Normal file
View File

@ -0,0 +1,40 @@
From 0d6c5b25583e098b7b85ff89a9a74f8e7d80ba55 Mon Sep 17 00:00:00 2001
From: Tony Cook <tony@develop-help.com>
Date: Thu, 28 Jul 2016 11:25:58 +1000
Subject: [PATCH] CVE-2016-1238: avoid loading Net::LocalCfg from default .
Net::Cfg treats Net::LocalCfg as an optional load, if a site does not
have Net::LocalCfg in the standard places perl will attempt to load
it from the . entry in @INC.
If the current directory happens to be world writable (like /tmp) an
attacker can create Net/LocalCfg.pm to run code as any user that
runs code that loads Net::Cfg in that directory.
This patch temporarily removes the default . entry from @INC when
loading Net::LocalCfg to prevent that.
---
lib/Net/Config.pm | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/lib/Net/Config.pm b/lib/Net/Config.pm
index 0fb8713..a593538 100644
--- a/lib/Net/Config.pm
+++ b/lib/Net/Config.pm
@@ -24,7 +24,12 @@ our $VERSION = "3.10";
our($CONFIGURE, $LIBNET_CFG);
-eval { local $SIG{__DIE__}; require Net::LocalCfg };
+eval {
+ local @INC = @INC;
+ pop @INC if $INC[-1] eq '.';
+ local $SIG{__DIE__};
+ require Net::LocalCfg;
+};
our %NetConfig = (
nntp_hosts => [],
--
2.5.5

9
perl-libnet.spec
View File

@ -1,6 +1,6 @@
Name: perl-libnet
Version: 3.08
Release: 1%{?dist}
Release: 2%{?dist}
Summary: Perl clients for various network protocols
License: GPL+ or Artistic
Group: Development/Libraries
@ -10,6 +10,9 @@ Source0: http://www.cpan.org/authors/id/S/SH/SHAY/libnet-%{version}.tar.g
Patch0: libnet-3.08-Normalize-Changes-encoding.patch
# Do not create Net/libnet.cfg, bug #1238689
Patch1: libnet-3.08-Do-not-create-Net-libnet.cfg.patch
# Avoid loading Net::LocalCfg from default ., CVE-2016-1238,
# in upstream 3.10
Patch2: libnet-3.08-CVE-2016-1238-avoid-loading-Net-LocalCfg-from-defaul.patch
BuildArch: noarch
BuildRequires: coreutils
BuildRequires: findutils
@ -83,6 +86,7 @@ protocols used in the internet community.
%setup -q -n libnet-%{version}
%patch0 -p1
%patch1 -p1
%patch2 -p1
%build
perl Makefile.PL INSTALLDIRS=vendor </dev/null
@ -103,6 +107,9 @@ make test
%{_mandir}/man3/*
%changelog
* Mon Aug 01 2016 Jitka Plesnikova <jplesnik@redhat.com> - 3.08-2
- Avoid loading Net::LocalCfg from default . (CVE-2016-1238)
* Wed Jan 06 2016 Petr Pisar <ppisar@redhat.com> - 3.08-1
- 8.08 bump