From 8dadce4f20cd3f991540c0dbf97ca49d685ce303 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppi...@redhat.com>
Date: Wed, 12 Oct 2016 15:02:54 +0200
Subject: Fix CVE-2016-1238 (loading optional modules from current working
 directory)

---
 ...38-don-t-load-optional-modules-from-defau.patch | 82 ++++++++++++++++++++++
 perl-CPAN.spec                                     |  5 ++
 2 files changed, 87 insertions(+)
 create mode 100644 
CPAN-2.14-CVE-2016-1238-don-t-load-optional-modules-from-defau.patch

diff --git 
a/CPAN-2.14-CVE-2016-1238-don-t-load-optional-modules-from-defau.patch 
b/CPAN-2.14-CVE-2016-1238-don-t-load-optional-modules-from-defau.patch
new file mode 100644
index 0000000..2991056
--- /dev/null
+++ b/CPAN-2.14-CVE-2016-1238-don-t-load-optional-modules-from-defau.patch
@@ -0,0 +1,82 @@
+From 394ac06dc5e9e94a81c39c43135d1635f516422e Mon Sep 17 00:00:00 2001
+From: Tony Cook <t...@develop-help.com>
+Date: Wed, 27 Jul 2016 12:14:13 +1000
+Subject: [PATCH] CVE-2016-1238: don't load optional modules from default .
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+App::Cpan attempts to load several optional modules, which an attacker
+can use if cpan is run from a directory writable by other users, such
+as /tmp.
+
+Signed-off-by: Petr Písař <ppi...@redhat.com>
+---
+ lib/App/Cpan.pm | 21 ++++++++++++++++-----
+ 1 file changed, 16 insertions(+), 5 deletions(-)
+
+diff --git a/lib/App/Cpan.pm b/lib/App/Cpan.pm
+index f43dea9..c654c2c 100644
+--- a/lib/App/Cpan.pm
++++ b/lib/App/Cpan.pm
+@@ -549,9 +549,20 @@ sub AUTOLOAD { 1 }
+ sub DESTROY { 1 }
+ }
+ 
++# load a module without searching the default entry for the current
++# directory
++sub _safe_load_module {
++    my $name = shift;
++
++    local @INC = @INC;
++    pop @INC if $INC[-1] eq '.';
++
++    eval "require $name; 1";
++}
++
+ sub _init_logger
+       {
+-      my $log4perl_loaded = eval "require Log::Log4perl; 1";
++      my $log4perl_loaded = _safe_load_module("Log::Log4perl");
+ 
+     unless( $log4perl_loaded )
+         {
+@@ -1020,7 +1031,7 @@ sub _load_local_lib # -I
+       {
+       $logger->debug( "Loading local::lib" );
+ 
+-      my $rc = eval { require local::lib; 1; };
++      my $rc = _safe_load_module("local::lib");
+       unless( $rc ) {
+               $logger->die( "Could not load local::lib" );
+               }
+@@ -1160,7 +1171,7 @@ sub _get_file
+       {
+       my $path = shift;
+ 
+-      my $loaded = eval "require LWP::Simple; 1;";
++      my $loaded = _safe_load_module("LWP::Simple");
+       croak "You need LWP::Simple to use features that fetch files from 
CPAN\n"
+               unless $loaded;
+ 
+@@ -1182,7 +1193,7 @@ sub _gitify
+       {
+       my $args = shift;
+ 
+-      my $loaded = eval "require Archive::Extract; 1;";
++      my $loaded = _safe_load_module("Archive::Extract");
+       croak "You need Archive::Extract to use features that gitify 
distributions\n"
+               unless $loaded;
+ 
+@@ -1245,7 +1256,7 @@ sub _show_Changes
+ sub _get_changes_file
+       {
+       croak "Reading Changes files requires LWP::Simple and URI\n"
+-              unless eval "require LWP::Simple; require URI; 1";
++              unless _safe_load_module("LWP::Simple") && 
_safe_load_module("URI");
+ 
+     my $url = shift;
+ 
+-- 
+2.7.4
+
diff --git a/perl-CPAN.spec b/perl-CPAN.spec
index b37666b..42ea501 100644
--- a/perl-CPAN.spec
+++ b/perl-CPAN.spec
@@ -19,6 +19,9 @@ Patch3:         CPAN-2.14-Emergency-fix-for-cpan-o.patch
 Patch4:         
CPAN-2.14-Prevent-trying-Net-FTP-when-an-ftp_proxy-variable-is.patch
 # Recognize URL schemata disregarding the case, fixed after 2.14
 Patch5:         
CPAN-2.14-URL-schemes-are-case-tolerant-so-the-regexp-should-h.patch
+# Fix CVE-2016-1238 (loading optional modules from current working directory),
+# CPAN RT#116507, fixed after 2.14
+Patch6:         
CPAN-2.14-CVE-2016-1238-don-t-load-optional-modules-from-defau.patch
 BuildArch:      noarch
 BuildRequires:  coreutils
 BuildRequires:  findutils
@@ -200,6 +203,7 @@ external download clients to fetch distributions from the 
net.
 %patch3 -p1
 %patch4 -p1
 %patch5 -p1
+%patch6 -p1
 # Change configuration name
 find -type f -exec sed -i -e 's/XCPANCONFIGNAMEX/cpan/g' {} \;
 # Remove bundled modules
@@ -233,6 +237,7 @@ make test
 - Do not use Net::FTP if ftp_proxy variable points to an HTTP server
   (CPAN RT#110833)
 - Recognize URL schemata disregarding the case
+- Fix CVE-2016-1238 (loading optional modules from current working directory)
 
 * Wed May 18 2016 Jitka Plesnikova <jples...@redhat.com> - 2.11-366
 - Perl 5.24 re-rebuild of bootstrapped packages
-- 
cgit v0.12


        