Avoid loading optional modules from default . (CVE-2016-1238)

2016-08-02 15:29:13 +02:00 · 2016-08-02 15:29:13 +02:00 · fe10e5ea3e
commit fe10e5ea3e
parent 6973f779f1
2 changed files with 55 additions and 1 deletions
--- a/File-Fetch-0.48-CVE-2016-1238-avoid-loading-optional-modules-from.patch
+++ b/File-Fetch-0.48-CVE-2016-1238-avoid-loading-optional-modules-from.patch
@ -0,0 +1,48 @@
+diff -up File-Fetch/lib/File/Fetch.pm.cve perl-5.24.0/cpan/File-Fetch/lib/File/Fetch.pm
+--- File-Fetch/lib/File/Fetch.pm.cve	2016-02-05 16:26:05.000000000 +0100
+++ File-Fetch/lib/File/Fetch.pm	2016-08-02 13:39:39.819316039 +0200
+@@ -567,6 +567,8 @@ sub _lwp_fetch {
+ 
+     };
+ 
+    local @INC = @INC;
+    pop @INC if $INC[-1] eq '.';
+     unless( can_load( modules => $use_list ) ) {
+         $METHOD_FAIL->{'lwp'} = 1;
+         return;
+@@ -619,6 +621,8 @@ sub _httptiny_fetch {
+ 
+     };
+ 
+    local @INC = @INC;
+    pop @INC if $INC[-1] eq '.';
+     unless( can_load(modules => $use_list) ) {
+         $METHOD_FAIL->{'httptiny'} = 1;
+         return;
+@@ -658,6 +662,8 @@ sub _httplite_fetch {
+ 
+     };
+ 
+    local @INC = @INC;
+    pop @INC if $INC[-1] eq '.';
+     unless( can_load(modules => $use_list) ) {
+         $METHOD_FAIL->{'httplite'} = 1;
+         return;
+@@ -733,6 +739,8 @@ sub _iosock_fetch {
+         'IO::Select'       => '0.0',
+     };
+ 
+    local @INC = @INC;
+    pop @INC if $INC[-1] eq '.';
+     unless( can_load(modules => $use_list) ) {
+         $METHOD_FAIL->{'iosock'} = 1;
+         return;
+@@ -814,6 +822,8 @@ sub _netftp_fetch {
+     check( $tmpl, \%hash ) or return;
+ 
+     ### required modules ###
+    local @INC = @INC;
+    pop @INC if $INC[-1] eq '.';
+     my $use_list = { 'Net::FTP' => 0 };
+ 
+     unless( can_load( modules => $use_list ) ) {
--- a/perl-File-Fetch.spec
+++ b/perl-File-Fetch.spec
@ -1,11 +1,13 @@
 Name:           perl-File-Fetch
 Version:        0.48
-Release:        365%{?dist}
+Release:        366%{?dist}
 Summary:        Generic file fetching mechanism
 License:        GPL+ or Artistic
 Group:          Development/Libraries
 URL:            http://search.cpan.org/dist/File-Fetch/
 Source0:        http://www.cpan.org/authors/id/B/BI/BINGOS/File-Fetch-%{version}.tar.gz
+# Avoid loading optional modules from default . (CVE-2016-1238)
+Patch0:         File-Fetch-0.48-CVE-2016-1238-avoid-loading-optional-modules-from.patch
 BuildArch:      noarch
 BuildRequires:  perl
 BuildRequires:  perl-generators
@ -50,6 +52,7 @@ File::Fetch allows you to fetch any file pointed to by a "ftp", "http",

 %prep
 %setup -q -n File-Fetch-%{version}
+%patch0 -p1

 %build
 perl Makefile.PL INSTALLDIRS=vendor
@ -69,6 +72,9 @@ make test
 %{_mandir}/man3/*

 %changelog
+* Tue Aug 02 2016 Jitka Plesnikova <jplesnik@redhat.com> - 0.48-366
+- Avoid loading optional modules from default . (CVE-2016-1238)
+
 * Sat May 14 2016 Jitka Plesnikova <jplesnik@redhat.com> - 0.48-365
 - Increase release to favour standalone package