Avoid loading optional modules from default . (CVE-2016-1238)

2016-08-02 16:11:46 +02:00 · 2016-08-02 16:11:46 +02:00 · 39c5f847a1
commit 39c5f847a1
parent 54d9fed26f
2 changed files with 47 additions and 1 deletions
--- a/HTTP-Tiny-0.058-CVE-2016-1238-avoid-loading-optional-modules-from.patch
+++ b/HTTP-Tiny-0.058-CVE-2016-1238-avoid-loading-optional-modules-from.patch
@ -0,0 +1,39 @@
+From b239c95ea7a256cfee9b8848f1bd4d1df6e66444 Mon Sep 17 00:00:00 2001
+From: Tony Cook <tony@develop-help.com>
+Date: Wed, 27 Jul 2016 16:06:32 +1000
+Subject: [PATCH] CVE-2016-1238: avoid loading optional modules from default .
+
+The final . perl adds to @INC can be used by an attacker to fake
+an optional module in a world writable directory for a process
+using HTTP::Tiny when run from that directory.
+
+Remove the default . from the end of @INC when loading optional
+modules.
+
+Closes #90
+---
+ lib/HTTP/Tiny.pm | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/lib/HTTP/Tiny.pm b/lib/HTTP/Tiny.pm
+index f8059b7..ea6db53 100644
+--- a/lib/HTTP/Tiny.pm
+++ b/lib/HTTP/Tiny.pm
+@@ -504,6 +504,8 @@ sub can_ssl {
+     my($ok, $reason) = (1, '');
+ 
+     # Need IO::Socket::SSL 1.42 for SSL_create_ctx_callback
+    local @INC = @INC;
+    pop @INC if $INC[-1] eq '.';
+     unless (eval {require IO::Socket::SSL; IO::Socket::SSL->VERSION(1.42)}) {
+         $ok = 0;
+         $reason .= qq/IO::Socket::SSL 1.42 must be installed for https support\n/;
+@@ -1568,6 +1570,8 @@ sub _find_CA_file {
+         return $ca_file;
+     }
+ 
+    local @INC = @INC;
+    pop @INC if $INC[-1] eq '.';
+     return Mozilla::CA::SSL_ca_file()
+         if eval { require Mozilla::CA; 1 };
+ 
--- a/perl-HTTP-Tiny.spec
+++ b/perl-HTTP-Tiny.spec
@ -1,6 +1,6 @@
 Name:           perl-HTTP-Tiny
 Version:        0.058
-Release:        2%{?dist}
+Release:        3%{?dist}
 Summary:        Small, simple, correct HTTP/1.1 client
 License:        GPL+ or Artistic
 Group:          Development/Libraries
@ -9,6 +9,9 @@ Source0:        http://www.cpan.org/authors/id/D/DA/DAGOLDEN/HTTP-Tiny-%{version
 # Check for write failure, bug #1031096, refused by upstream,
 # <https://github.com/chansen/p5-http-tiny/issues/32>
 Patch0:         HTTP-Tiny-0.058-Croak-on-failed-write-into-a-file.patch
+# Avoid loading optional modules from default . (CVE-2016-1238)
+# in upstream after 0.059
+Patch1:         HTTP-Tiny-0.058-CVE-2016-1238-avoid-loading-optional-modules-from.patch
 BuildArch:      noarch
 BuildRequires:  findutils
 BuildRequires:  make
@ -65,6 +68,7 @@ resumes after EINTR.
 %prep
 %setup -q -n HTTP-Tiny-%{version}
 %patch0 -p1
+%patch1 -p1

 %build
 perl Makefile.PL INSTALLDIRS=vendor
@ -85,6 +89,9 @@ make test
 %{_mandir}/man3/*

 %changelog
+* Tue Aug 02 2016 Jitka Plesnikova <jplesnik@redhat.com> - 0.058-3
+- Avoid loading optional modules from default . (CVE-2016-1238)
+
 * Sat May 14 2016 Jitka Plesnikova <jplesnik@redhat.com> - 0.058-2
 - Perl 5.24 rebuild