Avoid loading optional modules from default . (CVE-2016-1238)
This commit is contained in:
parent
52e999e0b3
commit
0167350014
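--- /dev/null
+++ b/[path not shown on page]
@@ -0,0 +1,97 @@
+From 12be15d64ce089154c4367dc1842cd0dc0993ec6 Mon Sep 17 00:00:00 2001
+From: Tony Cook <tony@develop-help.com>
+Date: Wed, 27 Jul 2016 14:52:40 +1000
+Subject: [PATCH] CVE-2016-1238: avoid loading optional modules from .
+
+The change to Encode.pm is the most critical part of this patch.
+
+Without this change, and process that uses Encode started with a
+current directory that's world writable (such as /tmp) and if there's
+no global Encode::ConfigLocal, can be attacked by another user
+by creating /tmp/Encode/ConfigLocal.pm
+
+It's possible most of the tools changed here do not need to be updated,
+but I chose a conservative path.
+---
+Encode.pm | 2 ++
+bin/enc2xs | 1 +
+bin/encguess | 1 +
+bin/piconv | 1 +
+bin/ucmlint | 1 +
+bin/unidump | 1 +
+6 files changed, 7 insertions(+)
+
+diff --git a/Encode.pm b/Encode.pm
+index d88fe95..3923733 100644
+--- a/Encode.pm
++++ b/Encode.pm
+@@ -56,6 +56,8 @@ require Encode::Config;
+eval {
+local $SIG{__DIE__};
+local $SIG{__WARN__};
++ local @INC = @INC;
++ pop @INC if $INC[-1] eq '.';
+require Encode::ConfigLocal;
+};
+
+diff --git a/bin/enc2xs b/bin/enc2xs
+index ec4732c..f8d9f52 100755
+--- a/bin/enc2xs
++++ b/bin/enc2xs
+@@ -4,6 +4,7 @@ BEGIN {
+# with $ENV{PERL_CORE} set
+# In case we need it in future...
+require Config; import Config;
++ pop @INC if $INC[-1] eq '.';
+}
+use strict;
+use warnings;
+diff --git a/bin/encguess b/bin/encguess
+index 5d7ac80..0be5c7c 100755
+--- a/bin/encguess
++++ b/bin/encguess
+@@ -1,5 +1,6 @@
+#!./perl
+use 5.008001;
++BEGIN { pop @INC if $INC[-1] eq '.' }
+use strict;
+use warnings;
+use Encode;
+diff --git a/bin/piconv b/bin/piconv
+index c1dad9e..60b2a59 100755
+--- a/bin/piconv
++++ b/bin/piconv
+@@ -1,6 +1,7 @@
+#!./perl
+# $Id: piconv,v 2.7 2014/05/31 09:48:48 dankogai Exp $
+#
++BEGIN { pop @INC if $INC[-1] eq '.' }
+use 5.8.0;
+use strict;
+use Encode ;
+diff --git a/bin/ucmlint b/bin/ucmlint
+index 622376d..25e0d67 100644
+--- a/bin/ucmlint
++++ b/bin/ucmlint
+@@ -3,6 +3,7 @@
+# $Id: ucmlint,v 2.2 2008/03/12 09:51:11 dankogai Exp $
+#
+
++BEGIN { pop @INC if $INC[-1] eq '.' }
+use strict;
+our $VERSION = do { my @r = (q$Revision: 2.2 $ =~ /\d+/g); sprintf "%d."."%02d" x $#r, @r };
+
+diff --git a/bin/unidump b/bin/unidump
+index ae0da30..f190827 100755
+--- a/bin/unidump
++++ b/bin/unidump
+@@ -1,5 +1,6 @@
+#!./perl
+
++BEGIN { pop @INC if $INC[-1] eq '.' }
+use strict;
+use Encode;
+use Getopt::Std;
+--
+2.1.4
+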
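Review bot: In the bin/enc2xs hunk the new `pop @INC if $INC[-1] eq '.';` comes after `require Config; import Config;`, so Config is still resolved while '.' is on the search path; Config normally comes from the core library directories that precede '.', so this is likely harmless, but moving the pop to the first statement of that BEGIN block (which starts before the hunk) closes the window at no cost. The same one-liner is added to six files with nothing saying why only a trailing '.' is removed; a comment such as `# CVE-2016-1238: drop perl's implicit trailing '.' so optional modules are not loaded from the current directory` next to each would spare future readers a trip to the changelog. Note that the check only matches '.' in the last @INC slot, so a '.' supplied explicitly via -I or PERL5LIB is kept; that is presumably deliberate, and if so the comment should say it, otherwise `local @INC = grep { $_ ne '.' } @INC;` in the Encode.pm eval would be the stricter form.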