On Mon, Jul 25, 2016 at 03:48:13PM +0100, Dominic Hargreaves wrote:
> An update for this package has been released as part of our handling for
> the issue described below. This fixes an instance of the dynamic module
> loading vulnerability alluded to.
>
> I attach the patch I applied for jessie; please could you review this
> and apply something similar for sid?
Thanks for the notice. > From ec54f8919620d6b064f0c61015af553570c2ee3a Mon Sep 17 00:00:00 2001 > From: Dominic Hargreaves <d...@earth.li> > Date: Mon, 25 Jul 2016 10:06:19 +0100 > Subject: [PATCH 1/2] Remove . from @INC when loading modules dynamically > [CVE-2016-1238] > > diff --git a/scripts/desktop2menu.pl b/scripts/desktop2menu.pl > index f97551d..92c99f8 100755 > --- a/scripts/desktop2menu.pl > +++ b/scripts/desktop2menu.pl > @@ -64,6 +64,7 @@ use File::Basename; > my $progname = basename($0); > > BEGIN { > + pop @INC if $INC[-1] eq '.'; > # Load the File::DesktopEntry module safely > eval { require File::DesktopEntry; }; > if ($@) { I'm curious why only this script was changed. From a quick search, it looks like there are at least a few more that should be changed, if I understand the problem properly. $ ag --perl '\{ require' scripts/desktop2menu.pl:68: eval { require File::DesktopEntry; }; scripts/dcontrol.pl:28: eval { require URI::Escape; }; scripts/dcontrol.pl:37: eval { require LWP::UserAgent; }; scripts/plotchangelog.pl:35: eval { require Date::Parse; import Date::Parse (); }; scripts/dscverify.pl:36: eval { require Digest::MD5; }; scripts/rmadison.pl:27: eval { require URI::Escape; }; scripts/uscan.pl:40: eval { require LWP::UserAgent; }; scripts/uscan.pl:59:eval { require LWP::Protocol::https; }; scripts/grep-excuses.pl:32: eval { require Term::Size; }; There are likely a few more not caught by this search, too. Cheers, -- James GPG Key: 4096R/91BF BF4D 6956 BD5D F7B7 2D23 DFE6 91AE 331B A3DB
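Review bot: in the BEGIN block of scripts/desktop2menu.pl, the added `pop @INC if $INC[-1] eq '.';` sits above the existing comment "# Load the File::DesktopEntry module safely" and has no comment of its own, so a later reader cannot tell why @INC is being modified. Move it below that comment or add a one-line comment naming CVE-2016-1238. The guard drops '.' only when it is the final @INC entry, and it runs after the `use File::Basename;` shown in the hunk header has already been loaded, so it covers the `require File::DesktopEntry` that follows but no earlier load.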
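A scanner for the pattern the search in the reply looks for, as an added example that is not part of the thread or of devscripts: it flags each `require` inside an `eval` block, including multi-line blocks that a single-line search misses, unless the `pop @INC` guard from the patch appears earlier in the file. The function name and both sample sources are constructed, and the code assumes no `#` or braces inside Perl string literals.

```python
import re

# The guard line used in the patch: pop @INC if $INC[-1] eq '.';
GUARD_RE = re.compile(r'''pop\s+@INC\s+if\s+\$INC\[-1\]\s+eq\s+['"]\.['"]''')
# Tokens of interest: eval-block open, plain braces, and "require Module::Name"
# (version checks such as "require 5.010" are not matched).
TOKEN_RE = re.compile(r'\beval\s*\{|\{|\}|\brequire\s+([A-Za-z_]\w*(?:::\w+)*)')

def unguarded_requires(source):
    """Return [(line_no, module)] for every require inside an eval block
    that is not preceded in the file by the '.'-removal guard."""
    findings, guarded, depth = [], False, 0   # depth: brace nesting inside eval
    for no, line in enumerate(source.splitlines(), 1):
        code = line.split('#', 1)[0]          # assumption: '#' only starts comments
        if GUARD_RE.search(code):
            guarded = True                    # @INC is global, so it holds from here on
        for m in TOKEN_RE.finditer(code):
            tok = m.group(0)
            if tok.startswith('eval') or tok == '{':
                if depth or tok.startswith('eval'):
                    depth += 1
            elif tok == '}':
                depth = max(depth - 1, 0)
            elif depth and not guarded:       # a require inside an eval block
                findings.append((no, m.group(1)))
    return findings

# Constructed sample modelled on the patched BEGIN block quoted in the thread.
PATCHED = """\
BEGIN {
    pop @INC if $INC[-1] eq '.';
    # Load the File::DesktopEntry module safely
    eval { require File::DesktopEntry; };
}
"""
# Constructed sample: no guard, one multi-line and one single-line eval.
UNPATCHED = """\
BEGIN {
    eval {
        require LWP::UserAgent;
    };
    eval { require Date::Parse; import Date::Parse (); };
}
"""

if __name__ == "__main__":
    for name, src in (("patched", PATCHED), ("unpatched", UNPATCHED)):
        print(name, unguarded_requires(src))
```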