This is an automated email from the git hooks/post-receive script. dom pushed a commit to branch jessie-security in repository libsys-syslog-perl.
commit 9670c61962bd722ceb8bf8db78f4d62896db74e6 Author: Dominic Hargreaves <d...@earth.li> Date: Sun Jul 24 19:41:40 2016 +0100 Remove . from @INC when loading modules dynamically [CVE-2016-1238] --- debian/changelog | 7 +++++++ debian/patches/CVE-2016-1238.patch | 26 ++++++++++++++++++++++++++ debian/patches/series | 1 + 3 files changed, 34 insertions(+)
diff --git a/debian/changelog b/debian/changelog
index 14647e4..76c4bff 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+libsys-syslog-perl (0.33-1+deb8u1) UNRELEASED; urgency=medium
+
+ * Team upload.
+ * Remove . from @INC when loading modules dynamically [CVE-2016-1238]
+
+ -- Dominic Hargreaves <d...@earth.li> Sun, 24 Jul 2016 19:41:02 +0100
+
 libsys-syslog-perl (0.33-1) unstable; urgency=low
 [ Ansgar Burchardt ]
diff --git a/debian/patches/CVE-2016-1238.patch b/debian/patches/CVE-2016-1238.patch
new file mode 100644
index 0000000..99b3238
--- /dev/null
+++ b/debian/patches/CVE-2016-1238.patch
@@ -0,0 +1,26 @@
+From 64cdffee5a52d4b73a707584d4aac3df9b119a5c Mon Sep 17 00:00:00 2001
+From: Dominic Hargreaves <d...@earth.li>
+Date: Sun, 24 Jul 2016 19:43:50 +0100
+Subject: [PATCH] Remove . from @INC when loading modules dynamically
+ [CVE-2016-1238]
+
+---
+ Syslog.pm | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/Syslog.pm b/Syslog.pm
+index 25164af..eed224a 100644
+--- a/Syslog.pm
++++ b/Syslog.pm
+@@ -888,6 +888,8 @@ sub silent_eval (&) {
+ sub can_load {
+ my ($module, $verbose) = @_;
+ local($SIG{__DIE__}, $SIG{__WARN__}, $@);
++ local @INC = @INC;
++ pop @INC if $INC[-1] eq '.';
+ my $loaded = eval "use $module; 1";
+ warn $@ if not $loaded and $verbose;
+ return $loaded
+--
+2.1.4
+
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 0000000..34520df
--- /dev/null
+++ b/debian/patches/series
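Review bot: The added guard `pop @INC if $INC[-1] eq '.';` in can_load (the Syslog.pm hunk carried by debian/patches/CVE-2016-1238.patch) has no comment saying why it is there, and it strips '.' only when it is the final @INC entry. That matches the default @INC layout the CVE is about, but a '.' that sits earlier in the list is still searched by the following `eval "use $module; 1"`, so the limit is worth stating next to the code, e.g. `# CVE-2016-1238: drop the default trailing '.' so optional modules are never picked up from the current directory`. I would also make the test safe for an empty list: `pop @INC if @INC && $INC[-1] eq '.';`. The string eval interpolates $module; its callers are outside this hunk, so it is presumably fed only fixed module names, but that is worth confirming. The end of can_load's body is outside the hunk.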
@@ -0,0 +1 @@
+CVE-2016-1238.patch
-- Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-perl/attic/libsys-syslog-perl.git _______________________________________________ Pkg-perl-cvs-commits mailing list Pkg-perl-cvs-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-perl-cvs-commits