This is an automated email from the git hooks/post-receive script. carnil pushed a commit to branch master in repository libmime-charset-perl.
commit e1f8204626bb0002cab290b7953db1e236ca0bdf Author: Dominic Hargreaves <d...@earth.li> Date: Sun Jul 24 20:08:14 2016 +0100 Remove . from @INC when loading modules dynamically [CVE-2016-1238] --- debian/changelog | 3 +++ debian/patches/CVE-2016-1238.patch | 26 ++++++++++++++++++++++++++ debian/patches/series | 1 + 3 files changed, 30 insertions(+) diff --git a/debian/changelog b/debian/changelog index c441009..3b30bba 100644 --- a/debian/changelog +++ b/debian/changelog @@ -6,6 +6,9 @@ libmime-charset-perl (1.012-2) UNRELEASED; urgency=medium [ gregor herrmann ] * debian/copyright: change Copyright-Format 1.0 URL to HTTPS. + [ Salvatore Bonaccorso ] + * Remove . from @INC when loading modules dynamically [CVE-2016-1238] + -- Salvatore Bonaccorso <car...@debian.org> Sat, 30 Jan 2016 20:05:22 +0100 libmime-charset-perl (1.012-1) unstable; urgency=medium diff --git a/debian/patches/CVE-2016-1238.patch b/debian/patches/CVE-2016-1238.patch new file mode 100644 index 0000000..3cfa68b --- /dev/null +++ b/debian/patches/CVE-2016-1238.patch @@ -0,0 +1,26 @@ +From 327106167f69bd629988f0926e5a3a56574ff40a Mon Sep 17 00:00:00 2001 +From: Dominic Hargreaves <d...@earth.li> +Date: Sun, 24 Jul 2016 20:06:29 +0100 +Subject: [PATCH] Remove . from @INC when loading modules dynamically + [CVE-2016-1238] + +--- + lib/MIME/Charset.pm | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/lib/MIME/Charset.pm b/lib/MIME/Charset.pm +index 844bce6..948c2e3 100644 +--- a/lib/MIME/Charset.pm ++++ b/lib/MIME/Charset.pm +@@ -345,6 +345,8 @@ $Config = { + Mapping => 'EXTENDED', + Replacement => 'DEFAULT', + }; ++local @INC = @INC; ++pop @INC if $INC[-1] eq '.'; + eval { require MIME::Charset::Defaults; }; + + ######## Private Constants ######## +-- +2.1.4 + diff --git a/debian/patches/series b/debian/patches/series new file mode 100644 index 0000000..34520df --- /dev/null +++ b/debian/patches/series 
@@ -0,0 +1 @@ +CVE-2016-1238.patch -- Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-perl/packages/libmime-charset-perl.git _______________________________________________ Pkg-perl-cvs-commits mailing list Pkg-perl-cvs-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-perl-cvs-commits
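Review bot: In the debian/changelog hunk, the new entry sits under [ Salvatore Bonaccorso ] and names neither the patch file being added nor its author, although the patch header lists Dominic Hargreaves as author. Suggest wording it as "Add CVE-2016-1238.patch: remove . from @INC when loading modules dynamically" and crediting the patch author, so the entry maps directly to the line added in debian/patches/series.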
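Review bot: In the lib/MIME/Charset.pm hunk carried inside debian/patches/CVE-2016-1238.patch, `local @INC = @INC;` is placed at file scope, so the trimmed @INC stays in effect for the rest of the module's load rather than only for the `eval { require MIME::Charset::Defaults; };` it is meant to guard. Wrapping the two added lines and the eval in a bare block would confine the change to that optional load. Only a trailing '.' is popped, so a '.' anywhere else in @INC is left in place; a one-line comment above the two added lines saying this is intended and citing CVE-2016-1238 would help later readers. The patch header carries only From, Date and Subject, so a DEP-3 field such as Forwarded would record whether the change has gone upstream.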