Avoid loading optional modules from default . (CVE-2016-1238)

2016-08-02 17:13:27 +02:00 · 2016-08-02 17:13:27 +02:00 · d819dcc82b
commit d819dcc82b
parent 77a82db831
2 changed files with 65 additions and 1 deletions
--- a/JSON-PP-2.27400-CVE-2016-1238-avoid-loading-optional-modules-from-de.patch
+++ b/JSON-PP-2.27400-CVE-2016-1238-avoid-loading-optional-modules-from-de.patch
@ -0,0 +1,59 @@
+From 869cca1a100a1081676f17a3af95457fc3f146cb Mon Sep 17 00:00:00 2001
+From: Tony Cook <tony@develop-help.com>
+Date: Thu, 28 Jul 2016 11:16:43 +1000
+Subject: [PATCH] CVE-2016-1238: avoid loading optional modules from default .
+
+JSON::PP treats Scalar::Util as optional and may load Encode, which
+treats Encode::ConfigLocal as optional.
+
+With the default . in @INC, and if Encode::ConfigLocal is not in
+the default locations, an attacker can create for example
+/tmp/Encode/ConfigLocal.pm, and if a process using JSON::PP is started
+from /tmp, perl will run the attacker's code.
+
+The change to json_pp is purely precautionary.
+
+The changes to JSON:PP were not included in the recent security patches
+since Scalar::Util is always available, and Encode was patched to
+prevent the problem there.
+---
+ bin/json_pp    | 1 +
+ lib/JSON/PP.pm | 4 ++++
+ 2 files changed, 5 insertions(+)
+
+diff --git a/bin/json_pp b/bin/json_pp
+index 3362dec..39bed4d 100644
+--- a/bin/json_pp
+++ b/bin/json_pp
+@@ -1,5 +1,6 @@
+ #!/usr/bin/perl
+ 
+BEGIN { pop @INC if $INC[-1] eq '.' }
+ use strict;
+ use Getopt::Long;
+ 
+diff --git a/lib/JSON/PP.pm b/lib/JSON/PP.pm
+index 2d27e78..555f6fc 100644
+--- a/lib/JSON/PP.pm
+++ b/lib/JSON/PP.pm
+@@ -1271,6 +1271,8 @@ sub _decode_unicode {
+ BEGIN {
+ 
+     unless ( defined &utf8::is_utf8 ) {
+       local @INC = @INC;
+       pop @INC if $INC[-1] eq '.';
+        require Encode;
+        *utf8::is_utf8 = *Encode::is_utf8;
+     }
+@@ -1332,6 +1334,8 @@ BEGIN {
+ #
+ 
+ BEGIN {
+    local @INC = @INC;
+    pop @INC if $INC[-1] eq '.';
+     eval 'require Scalar::Util';
+     unless($@){
+         *JSON::PP::blessed = \&Scalar::Util::blessed;
+-- 
+2.1.4
+
--- a/perl-JSON-PP.spec
+++ b/perl-JSON-PP.spec
@ -1,11 +1,13 @@
 Name:		perl-JSON-PP
 Version:	2.27400
-Release:	3%{?dist}
+Release:	4%{?dist}
 Summary:	JSON::XS compatible pure-Perl module
 License:	GPL+ or Artistic
 Group:		Development/Libraries
 URL:		http://search.cpan.org/dist/JSON-PP/
 Source0:	http://search.cpan.org/CPAN/authors/id/M/MA/MAKAMAKA/JSON-PP-%{version}.tar.gz
+# Avoid loading optional modules from default . (CVE-2016-1238)
+Patch0:		JSON-PP-2.27400-CVE-2016-1238-avoid-loading-optional-modules-from-de.patch
 BuildRoot:	%{_tmppath}/%{name}-%{version}-%{release}-root-%(id -nu)
 BuildArch:	noarch
 # Module Build
@ -88,6 +90,9 @@ rm -rf %{buildroot}
 %{_mandir}/man3/JSON::PP::Boolean.3*

 %changelog
+* Tue Aug 02 2016 Jitka Plesnikova <jplesnik@redhat.com> - 2.27400-4
+- Avoid loading optional modules from default . (CVE-2016-1238)
+
 * Wed May 18 2016 Jitka Plesnikova <jplesnik@redhat.com> - 2.27400-3
 - Perl 5.24 re-rebuild of bootstrapped packages