Avoid loading optional modules from default . (CVE-2016-1238)
This commit is contained in:
Jitka Plesnikova
parent
54d9fed26f
commit
39c5f847a1
@ -0,0 +1,39 @@
|
|||||||
|
From b239c95ea7a256cfee9b8848f1bd4d1df6e66444 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Tony Cook <tony@develop-help.com>
|
||||||
|
Date: Wed, 27 Jul 2016 16:06:32 +1000
|
||||||
|
Subject: [PATCH] CVE-2016-1238: avoid loading optional modules from default .
|
||||||
|
|
||||||
|
The final . perl adds to @INC can be used by an attacker to fake
|
||||||
|
an optional module in a world writable directory for a process
|
||||||
|
using HTTP::Tiny when run from that directory.
|
||||||
|
|
||||||
|
Remove the default . from the end of @INC when loading optional
|
||||||
|
modules.
|
||||||
|
|
||||||
|
Closes #90
|
||||||
|
---
|
||||||
|
lib/HTTP/Tiny.pm | 4 ++++
|
||||||
|
1 file changed, 4 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/lib/HTTP/Tiny.pm b/lib/HTTP/Tiny.pm
|
||||||
|
index f8059b7..ea6db53 100644
|
||||||
|
--- a/lib/HTTP/Tiny.pm
|
||||||
|
+++ b/lib/HTTP/Tiny.pm
|
||||||
|
@@ -504,6 +504,8 @@ sub can_ssl {
|
||||||
|
my($ok, $reason) = (1, '');
|
||||||
|
|
||||||
|
# Need IO::Socket::SSL 1.42 for SSL_create_ctx_callback
|
||||||
|
+ local @INC = @INC;
|
||||||
|
+ pop @INC if $INC[-1] eq '.';
|
||||||
|
unless (eval {require IO::Socket::SSL; IO::Socket::SSL->VERSION(1.42)}) {
|
||||||
|
$ok = 0;
|
||||||
|
$reason .= qq/IO::Socket::SSL 1.42 must be installed for https support\n/;
|
||||||
|
@@ -1568,6 +1570,8 @@ sub _find_CA_file {
|
||||||
|
return $ca_file;
|
||||||
|
}
|
||||||
|
|
||||||
|
+ local @INC = @INC;
|
||||||
|
+ pop @INC if $INC[-1] eq '.';
|
||||||
|
return Mozilla::CA::SSL_ca_file()
|
||||||
|
if eval { require Mozilla::CA; 1 };
|
||||||
|
|
||||||
@ -1,6 +1,6 @@
|
|||||||
Name: perl-HTTP-Tiny
|
Name: perl-HTTP-Tiny
|
||||||
Version: 0.058
|
Version: 0.058
|
||||||
Release: 2%{?dist}
|
Release: 3%{?dist}
|
||||||
Summary: Small, simple, correct HTTP/1.1 client
|
Summary: Small, simple, correct HTTP/1.1 client
|
||||||
License: GPL+ or Artistic
|
License: GPL+ or Artistic
|
||||||
Group: Development/Libraries
|
Group: Development/Libraries
|
||||||
@ -9,6 +9,9 @@ Source0: http://www.cpan.org/authors/id/D/DA/DAGOLDEN/HTTP-Tiny-%{version
|
|||||||
# Check for write failure, bug #1031096, refused by upstream,
|
# Check for write failure, bug #1031096, refused by upstream,
|
||||||
# <https://github.com/chansen/p5-http-tiny/issues/32>
|
# <https://github.com/chansen/p5-http-tiny/issues/32>
|
||||||
Patch0: HTTP-Tiny-0.058-Croak-on-failed-write-into-a-file.patch
|
Patch0: HTTP-Tiny-0.058-Croak-on-failed-write-into-a-file.patch
|
||||||
|
# Avoid loading optional modules from default . (CVE-2016-1238)
|
||||||
|
# in upstream after 0.059
|
||||||
|
Patch1: HTTP-Tiny-0.058-CVE-2016-1238-avoid-loading-optional-modules-from.patch
|
||||||
BuildArch: noarch
|
BuildArch: noarch
|
||||||
BuildRequires: findutils
|
BuildRequires: findutils
|
||||||
BuildRequires: make
|
BuildRequires: make
|
||||||
@ -65,6 +68,7 @@ resumes after EINTR.
|
|||||||
%prep
|
%prep
|
||||||
%setup -q -n HTTP-Tiny-%{version}
|
%setup -q -n HTTP-Tiny-%{version}
|
||||||
%patch0 -p1
|
%patch0 -p1
|
||||||
|
%patch1 -p1
|
||||||
|
|
||||||
%build
|
%build
|
||||||
perl Makefile.PL INSTALLDIRS=vendor
|
perl Makefile.PL INSTALLDIRS=vendor
|
||||||
@ -85,6 +89,9 @@ make test
|
|||||||
%{_mandir}/man3/*
|
%{_mandir}/man3/*
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Tue Aug 02 2016 Jitka Plesnikova <jplesnik@redhat.com> - 0.058-3
|
||||||
|
- Avoid loading optional modules from default . (CVE-2016-1238)
|
||||||
|
|
||||||
* Sat May 14 2016 Jitka Plesnikova <jplesnik@redhat.com> - 0.058-2
|
* Sat May 14 2016 Jitka Plesnikova <jplesnik@redhat.com> - 0.058-2
|
||||||
- Perl 5.24 rebuild
|
- Perl 5.24 rebuild
|
||||||
|
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user