From 869cca1a100a1081676f17a3af95457fc3f146cb Mon Sep 17 00:00:00 2001
From: Tony Cook <tony@develop-help.com>
Date: Thu, 28 Jul 2016 11:16:43 +1000
Subject: [PATCH] CVE-2016-1238: avoid loading optional modules from default .
JSON::PP treats Scalar::Util as optional and may load Encode, which
treats Encode::ConfigLocal as optional.
With the default . in @INC, and if Encode::ConfigLocal is not in
the default locations, an attacker can create for example
/tmp/Encode/ConfigLocal.pm, and if a process using JSON::PP is started
from /tmp, perl will run the attacker's code.
The change to json_pp is purely precautionary.
The changes to JSON::PP were not included in the recent security patches
since Scalar::Util is always available, and Encode was patched to
prevent the problem there.
---
bin/json_pp | 1 +
lib/JSON/PP.pm | 4 ++++
2 files changed, 5 insertions(+)
diff --git a/bin/json_pp b/bin/json_pp
index 3362dec..39bed4d 100644
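--- a/bin/json_pp
+++ b/bin/json_pp
@@ -1,5 +1,6 @@
 #!/usr/bin/perl
 
+BEGIN { pop @INC if $INC[-1] eq '.' }
 use strict;
 use Getopt::Long;
 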
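Review bot: The added `BEGIN { pop @INC if $INC[-1] eq '.' }` only protects the script because it sits ahead of `use strict;` and `use Getopt::Long;`, and nothing on the line says so. A later tidy-up that moves it below the `use` lines would silently let those modules be searched for with `.` still in @INC. I would put a comment directly above it, `# CVE-2016-1238: keep this before every use/require so the implicit trailing '.' is gone before any module is loaded`. The test matches `.` only as the last @INC entry, so a `.` supplied through `-I` or PERL5LIB stays in place; that looks intentional but is worth stating in the same comment. The rest of the script lies outside the hunk.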
diff --git a/lib/JSON/PP.pm b/lib/JSON/PP.pm
index 2d27e78..555f6fc 100644
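--- a/lib/JSON/PP.pm
+++ b/lib/JSON/PP.pm
@@ -1271,6 +1271,8 @@ sub _decode_unicode {
 BEGIN {
 
 unless ( defined &utf8::is_utf8 ) {
+ local @INC = @INC;
+ pop @INC if $INC[-1] eq '.';
 require Encode;
 *utf8::is_utf8 = *Encode::is_utf8;
 }
@@ -1332,6 +1334,8 @@ BEGIN {
 #
 
 BEGIN {
+ local @INC = @INC;
+ pop @INC if $INC[-1] eq '.';
 eval 'require Scalar::Util';
 unless($@){
 *JSON::PP::blessed = \&Scalar::Util::blessed;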
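Review bot: The two-line guard `local @INC = @INC; pop @INC if $INC[-1] eq '.';` is repeated in both hunks without a comment, and its protection ends where the `local` scope ends. That is the `unless` block in the first hunk, and in the second hunk the `BEGIN` block, whose closing brace is outside the hunk. A comment above each copy, such as `# CVE-2016-1238: load the optional module without the implicit trailing '.'; local restores @INC when this block exits`, would keep a maintainer from adding another optional `require` after the block and assuming it is covered. If @INC can ever be empty at this point, `$INC[-1]` is undef and the `eq` would warn when warnings are enabled, so `pop @INC if @INC && $INC[-1] eq '.';` is slightly more defensive.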
--
2.1.4