Author | SHA1 | Date |
---|---|---|
Jitka Plesnikova | 97b5c3fc08 |
|
@ -0,0 +1,40 @@
|
|||
From 0d6c5b25583e098b7b85ff89a9a74f8e7d80ba55 Mon Sep 17 00:00:00 2001
|
||||
From: Tony Cook <tony@develop-help.com>
|
||||
Date: Thu, 28 Jul 2016 11:25:58 +1000
|
||||
Subject: [PATCH] CVE-2016-1238: avoid loading Net::LocalCfg from default .
|
||||
|
||||
Net::Cfg treats Net::LocalCfg as an optional load, if a site does not
|
||||
have Net::LocalCfg in the standard places perl will attempt to load
|
||||
it from the . entry in @INC.
|
||||
|
||||
If the current directory happens to be world writable (like /tmp) an
|
||||
attacker can create Net/LocalCfg.pm to run code as any user that
|
||||
runs code that loads Net::Cfg in that directory.
|
||||
|
||||
This patch temporarily removes the default . entry from @INC when
|
||||
loading Net::LocalCfg to prevent that.
|
||||
---
|
||||
lib/Net/Config.pm | 7 ++++++-
|
||||
1 file changed, 6 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/lib/Net/Config.pm b/lib/Net/Config.pm
|
||||
index 0fb8713..a593538 100644
|
||||
--- a/lib/Net/Config.pm
|
||||
+++ b/lib/Net/Config.pm
|
||||
@@ -24,7 +24,12 @@ our $VERSION = "3.10";
|
||||
|
||||
our($CONFIGURE, $LIBNET_CFG);
|
||||
|
||||
-eval { local $SIG{__DIE__}; require Net::LocalCfg };
|
||||
+eval {
|
||||
+ local @INC = @INC;
|
||||
+ pop @INC if $INC[-1] eq '.';
|
||||
+ local $SIG{__DIE__};
|
||||
+ require Net::LocalCfg;
|
||||
+};
|
||||
|
||||
our %NetConfig = (
|
||||
nntp_hosts => [],
|
||||
--
|
||||
2.5.5
|
||||
|
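Review bot: The new guard in the eval block, `pop @INC if $INC[-1] eq '.';`, strips only a trailing `.`, so an explicit `-I.` or a `PERL5LIB` entry for the current directory placed earlier in @INC would still let `require Net::LocalCfg` resolve relative to the working directory; the commit message scopes the fix to perl's implicit default entry, but nothing in the code says so. A one-line comment above the pop would stop the next maintainer from reading it as a general relative-path scrub, e.g. `# CVE-2016-1238: drop only perl's implicit trailing '.'; an explicit -I. or PERL5LIB '.' is left as the caller's choice`. The eval also still swallows every failure of the require, not only a missing module, so a broken site Net::LocalCfg stays silent — pre-existing behaviour, but worth recording in the same comment if it is intentional. The hunk is complete within the embedded patch and the statement is at file scope in lib/Net/Config.pm; the spec section below applies it to 3.08 as Patch2 while the hunk's context line names upstream 3.10, so the backport relies on the surrounding lines being unchanged between those releases.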
|
@ -1,6 +1,6 @@
|
|||
Name: perl-libnet
|
||||
Version: 3.08
|
||||
Release: 1%{?dist}
|
||||
Release: 2%{?dist}
|
||||
Summary: Perl clients for various network protocols
|
||||
License: GPL+ or Artistic
|
||||
Group: Development/Libraries
|
||||
|
@ -10,6 +10,9 @@ Source0: http://www.cpan.org/authors/id/S/SH/SHAY/libnet-%{version}.tar.g
|
|||
Patch0: libnet-3.08-Normalize-Changes-encoding.patch
|
||||
# Do not create Net/libnet.cfg, bug #1238689
|
||||
Patch1: libnet-3.08-Do-not-create-Net-libnet.cfg.patch
|
||||
# Avoid loading Net::LocalCfg from default ., CVE-2016-1238,
|
||||
# in upstream 3.10
|
||||
Patch2: libnet-3.08-CVE-2016-1238-avoid-loading-Net-LocalCfg-from-defaul.patch
|
||||
BuildArch: noarch
|
||||
BuildRequires: coreutils
|
||||
BuildRequires: findutils
|
||||
|
@ -83,6 +86,7 @@ protocols used in the internet community.
|
|||
%setup -q -n libnet-%{version}
|
||||
%patch0 -p1
|
||||
%patch1 -p1
|
||||
%patch2 -p1
|
||||
|
||||
%build
|
||||
perl Makefile.PL INSTALLDIRS=vendor </dev/null
|
||||
|
@ -103,6 +107,9 @@ make test
|
|||
%{_mandir}/man3/*
|
||||
|
||||
%changelog
|
||||
* Mon Aug 01 2016 Jitka Plesnikova <jplesnik@redhat.com> - 3.08-2
|
||||
- Avoid loading Net::LocalCfg from default . (CVE-2016-1238)
|
||||
|
||||
* Wed Jan 06 2016 Petr Pisar <ppisar@redhat.com> - 3.08-1
|
||||
- 8.08 bump
|
||||
|
||||
|
|