diff --git a/ExtUtils-ParseXS-3.31-CVE-2016-1238-avoid-loading-optional-modules-from.patch b/ExtUtils-ParseXS-3.31-CVE-2016-1238-avoid-loading-optional-modules-from.patch
new file mode 100644
index 0000000..1e75e40
--- /dev/null
+++ b/ExtUtils-ParseXS-3.31-CVE-2016-1238-avoid-loading-optional-modules-from.patch
@@ -0,0 +1,10 @@
+diff -up ExtUtils-ParseXS/lib/ExtUtils/xsubpp.cve ExtUtils-ParseXS/lib/ExtUtils/xsubpp
+--- ExtUtils-ParseXS/lib/ExtUtils/xsubpp.cve 2016-02-05 16:26:05.000000000 +0100
++++ ExtUtils-ParseXS/lib/ExtUtils/xsubpp 2016-08-02 13:39:39.791316159 +0200
+@@ -1,5 +1,6 @@
+ #!perl
+ use 5.006;
++BEGIN { pop @INC if $INC[-1] eq '.' }
+ use strict;
+ eval {
+ require ExtUtils::ParseXS;
diff --git a/perl-ExtUtils-ParseXS.spec b/perl-ExtUtils-ParseXS.spec
index 5a05ec9..f04b6ee 100644
--- a/perl-ExtUtils-ParseXS.spec
+++ b/perl-ExtUtils-ParseXS.spec
@@ -3,7 +3,7 @@ Name: perl-ExtUtils-ParseXS
 # Epoch to compete with perl.spec
 Epoch: 1
 Version: 3.31
-Release: 365%{?dist}
+Release: 366%{?dist}
 Summary: Module and a script for converting Perl XS code into C code
 License: GPL+ or Artistic
 Group: Development/Libraries
@@ -11,6 +11,8 @@ URL: http://search.cpan.org/dist/ExtUtils-ParseXS/
 Source0: http://www.cpan.org/authors/id/S/SM/SMUELLER/ExtUtils-ParseXS-%{base_version}.tar.gz
 # Unbundled from perl 5.24.0
 Patch0: ExtUtils-ParseXS-3.30-Upgrade-to-3.31.patch
+# Avoid loading optional modules from default . (CVE-2016-1238)
+Patch1: ExtUtils-ParseXS-3.31-CVE-2016-1238-avoid-loading-optional-modules-from.patch
 BuildArch: noarch
 BuildRequires: coreutils
 BuildRequires: findutils
@@ -56,6 +58,7 @@ the glue necessary to let Perl access those functions.
 %prep
 %setup -q -n ExtUtils-ParseXS-%{base_version}
 %patch0 -p1
+%patch1 -p1
 %build
 perl Makefile.PL INSTALLDIRS=vendor
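Review bot: The `BEGIN { pop @INC if $INC[-1] eq '.' }` line added to xsubpp has no comment, and its placement matters: it must run before the `eval { require ExtUtils::ParseXS; ...` that follows, so that the require cannot be satisfied from the current working directory. I would add a line above it such as `# CVE-2016-1238: drop the implicit trailing '.' from @INC before any optional module is required`. The check is positional, so a '.' that is not the last @INC entry (for example one put there explicitly through PERL5LIB or -I) stays in place; that looks intentional, but the comment should say so. The eval block continues past the end of the hunk, so which other modules it loads is not visible here.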
@@ -80,6 +83,9 @@ make test
 %{_mandir}/man3/*
 %changelog
+* Wed Aug 03 2016 Jitka Plesnikova - 1:3.31-366
+- Avoid loading optional modules from default . (CVE-2016-1238)
+
 * Sat May 14 2016 Jitka Plesnikova - 1:3.31-365
 - Increase release to favour standalone package