From 97b5c3fc0887d9dd8eaf76c105b376ee20f54caa Mon Sep 17 00:00:00 2001 From: Jitka Plesnikova <[email protected]> Date: Mon, 1 Aug 2016 15:53:05 +0200 Subject: Avoid loading Net::LocalCfg from default . (CVE-2016-1238)
---
 ...38-avoid-loading-Net-LocalCfg-from-defaul.patch | 40 ++++++++++++++++++++++
 perl-libnet.spec | 9 ++++-
 2 files changed, 48 insertions(+), 1 deletion(-)
 create mode 100644 libnet-3.08-CVE-2016-1238-avoid-loading-Net-LocalCfg-from-defaul.patch
diff --git a/libnet-3.08-CVE-2016-1238-avoid-loading-Net-LocalCfg-from-defaul.patch b/libnet-3.08-CVE-2016-1238-avoid-loading-Net-LocalCfg-from-defaul.patch
new file mode 100644
index 0000000..1f360c9
--- /dev/null
+++ b/libnet-3.08-CVE-2016-1238-avoid-loading-Net-LocalCfg-from-defaul.patch
@@ -0,0 +1,40 @@
+From 0d6c5b25583e098b7b85ff89a9a74f8e7d80ba55 Mon Sep 17 00:00:00 2001
+From: Tony Cook <[email protected]>
+Date: Thu, 28 Jul 2016 11:25:58 +1000
+Subject: [PATCH] CVE-2016-1238: avoid loading Net::LocalCfg from default .
+
+Net::Cfg treats Net::LocalCfg as an optional load, if a site does not
+have Net::LocalCfg in the standard places perl will attempt to load
+it from the . entry in @INC.
+
+If the current directory happens to be world writable (like /tmp) an
+attacker can create Net/LocalCfg.pm to run code as any user that
+runs code that loads Net::Cfg in that directory.
+
+This patch temporarily removes the default . entry from @INC when
+loading Net::LocalCfg to prevent that.
+---
+ lib/Net/Config.pm | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/lib/Net/Config.pm b/lib/Net/Config.pm
+index 0fb8713..a593538 100644
+--- a/lib/Net/Config.pm
++++ b/lib/Net/Config.pm
+@@ -24,7 +24,12 @@ our $VERSION = "3.10";
+ 
+ our($CONFIGURE, $LIBNET_CFG);
+ 
+-eval { local $SIG{__DIE__}; require Net::LocalCfg };
++eval {
++ local @INC = @INC;
++ pop @INC if $INC[-1] eq '.';
++ local $SIG{__DIE__};
++ require Net::LocalCfg;
++};
+ 
+ our %NetConfig = (
+ nntp_hosts => [],
+--
+2.5.5
+
diff --git a/perl-libnet.spec b/perl-libnet.spec
index 3a9e15c..2ee080a 100644
--- a/perl-libnet.spec
+++ b/perl-libnet.spec
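Review bot: The added `pop @INC if $INC[-1] eq '.';` in the embedded lib/Net/Config.pm change removes `.` only when it is the very last @INC entry, so a `.` sitting anywhere else in the list is still searched for the optional Net::LocalCfg. That looks intentional, since the commit message speaks of the default `.` entry, but the code carries no comment saying so and a later reader may take it for a full sanitisation of the search path. I would add above the eval: `# CVE-2016-1238: drop only a trailing '.' (perl's default) so the optional Net::LocalCfg is not loaded from the cwd; '.' elsewhere in @INC is untouched`. A small hardening is `pop @INC if @INC && $INC[-1] eq '.';`, which avoids comparing an undefined value (and the warning that goes with it where warnings are enabled) should @INC ever be empty.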
@@ -1,6 +1,6 @@
 Name: perl-libnet
 Version: 3.08
-Release: 1%{?dist}
+Release: 2%{?dist}
 Summary: Perl clients for various network protocols
 License: GPL+ or Artistic
 Group: Development/Libraries
@@ -10,6 +10,9 @@ Source0: http://www.cpan.org/authors/id/S/SH/SHAY/libnet-%{version}.tar.g
 Patch0: libnet-3.08-Normalize-Changes-encoding.patch
 # Do not create Net/libnet.cfg, bug #1238689
 Patch1: libnet-3.08-Do-not-create-Net-libnet.cfg.patch
+# Avoid loading Net::LocalCfg from default ., CVE-2016-1238,
+# in upstream 3.10
+Patch2: libnet-3.08-CVE-2016-1238-avoid-loading-Net-LocalCfg-from-defaul.patch
 BuildArch: noarch
 BuildRequires: coreutils
 BuildRequires: findutils
@@ -83,6 +86,7 @@ protocols used in the internet community.
 %setup -q -n libnet-%{version}
 %patch0 -p1
 %patch1 -p1
+%patch2 -p1
 %build
 perl Makefile.PL INSTALLDIRS=vendor </dev/null
@@ -103,6 +107,9 @@ make test
 %{_mandir}/man3/*
 %changelog
+* Mon Aug 01 2016 Jitka Plesnikova <[email protected]> - 3.08-2
+- Avoid loading Net::LocalCfg from default . (CVE-2016-1238)
+
 * Wed Jan 06 2016 Petr Pisar <[email protected]> - 3.08-1
 - 8.08 bump
-- cgit v0.12 http://pkgs.fedoraproject.org/cgit/perl-libnet.git/commit/?h=f23&id=97b5c3fc0887d9dd8eaf76c105b376ee20f54caa
-- Fedora Extras Perl SIG http://www.fedoraproject.org/wiki/Extras/SIGs/Perl perl-devel mailing list [email protected] https://lists.fedoraproject.org/admin/lists/[email protected]
