From 40ba99b8269b0fa829fea16a4df58ad4acb77f6e Mon Sep 17 00:00:00 2001
From: Jitka Plesnikova <jples...@redhat.com>
Date: Wed, 3 Aug 2016 13:12:07 +0200
Subject: Avoid loading optional modules from default . (CVE-2016-1238)

---
 ...2016-1238-avoid-loading-optional-modules-from.patch | 18 ++++++++++++++++++
 perl-Storable.spec                                     |  8 +++++++-
 2 files changed, 25 insertions(+), 1 deletion(-)
 create mode 100644 
Storable-2.53-CVE-2016-1238-avoid-loading-optional-modules-from.patch

diff --git 
a/Storable-2.53-CVE-2016-1238-avoid-loading-optional-modules-from.patch 
b/Storable-2.53-CVE-2016-1238-avoid-loading-optional-modules-from.patch
new file mode 100644
index 0000000..a59cc89
--- /dev/null
+++ b/Storable-2.53-CVE-2016-1238-avoid-loading-optional-modules-from.patch
@@ -0,0 +1,18 @@
+diff -up Storable/Storable.pm.cve Storable/Storable.pm
+--- Storable/Storable.pm.cve   2016-03-19 19:50:47.000000000 +0100
++++ Storable/Storable.pm       2016-08-03 12:48:36.415082280 +0200
+@@ -25,7 +25,13 @@ use vars qw($canonical $forgive_me $VERS
+ $VERSION = '2.53';
+ 
+ BEGIN {
+-    if (eval { local $SIG{__DIE__}; require Log::Agent; 1 }) {
++    if (eval {
++        local $SIG{__DIE__};
++        local @INC = @INC;
++        pop @INC if $INC[-1] eq '.';
++        require Log::Agent;
++        1;
++    }) {
+         Log::Agent->import;
+     }
+     #
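Review bot: The added `pop @INC if $INC[-1] eq '.';` compares `$INC[-1]` without checking that the localized `@INC` is non-empty, so an empty `@INC` can raise an uninitialized-value warning under `-w` before the `require` fails. Guarding it as `pop @INC if @INC && $INC[-1] eq '.';` keeps the behaviour and avoids the warning. The line also only trims a trailing `.`, so a `.` placed earlier in `@INC` (for example by `PERL5LIB` or `-I.`) is still searched for the optional `Log::Agent`. That looks intentional, since only the default entry is targeted, but it deserves a comment such as `# CVE-2016-1238: do not load optional Log::Agent from the default trailing '.' in @INC`. The BEGIN block continues past the end of this hunk, so any further optional `require` there is not visible here and should be checked for the same treatment.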
diff --git a/perl-Storable.spec b/perl-Storable.spec
index 4dc1a7e..c53995e 100644
--- a/perl-Storable.spec
+++ b/perl-Storable.spec
@@ -3,7 +3,7 @@
 Name:           perl-Storable
 Epoch:          1
 Version:        2.53
-Release:        346%{?dist}
+Release:        347%{?dist}
 Summary:        Persistence for Perl data structures
 License:        GPL+ or Artistic
 Group:          Development/Libraries
@@ -11,6 +11,8 @@ URL:            http://search.cpan.org/dist/Storable/
 Source0:        
http://www.cpan.org/authors/id/A/AM/AMS/Storable-%{base_version}.tar.gz
 # Unbundled form perl 5.21.11
 Patch0:         Storable-2.51-Upgrade-to-2.53.patch
+# Avoid loading optional modules from default . (CVE-2016-1238)
+Patch1:         
Storable-2.53-CVE-2016-1238-avoid-loading-optional-modules-from.patch
 BuildRequires:  perl
 BuildRequires:  perl(Config)
 BuildRequires:  perl(ExtUtils::MakeMaker)
@@ -61,6 +63,7 @@ can be conveniently stored to disk and retrieved at a later 
time.
 %prep
 %setup -q -n Storable-%{base_version}
 %patch0 -p1
+%patch1 -p1
 # Remove bundled modules
 rm -rf t/compat
 sed -i -e '/^t\/compat\//d' MANIFEST
@@ -87,6 +90,9 @@ make test
 %{_mandir}/man3/*
 
 %changelog
+* Wed Aug 03 2016 Jitka Plesnikova <jples...@redhat.com> - 1:2.53-347
+- Avoid loading optional modules from default . (CVE-2016-1238)
+
 * Thu Jun 18 2015 Fedora Release Engineering <rel-...@lists.fedoraproject.org> 
- 1:2.53-346
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild
 
-- 
cgit v0.12


        
http://pkgs.fedoraproject.org/cgit/perl-Storable.git/commit/?h=f23&id=40ba99b8269b0fa829fea16a4df58ad4acb77f6e