diff --git a/PathTools-3.63-CVE-2016-1238-avoid-loading-optional-modules-from.patch b/PathTools-3.63-CVE-2016-1238-avoid-loading-optional-modules-from.patch
new file mode 100644
index 0000000..98d1075
--- /dev/null
+++ b/PathTools-3.63-CVE-2016-1238-avoid-loading-optional-modules-from.patch
@@ -0,0 +1,62 @@
+diff -up PathTools/Cwd.pm.cve PathTools/Cwd.pm
+--- PathTools/Cwd.pm.cve 2016-03-01 13:33:02.000000000 +0100
++++ PathTools/Cwd.pm 2016-08-02 13:39:39.814316060 +0200
+@@ -40,7 +40,10 @@ if ($^O eq 'os2') {
+ my $use_vms_feature;
+ BEGIN {
+ if ($^O eq 'VMS') {
+- if (eval { local $SIG{__DIE__}; require VMS::Feature; }) {
++ if (eval { local $SIG{__DIE__};
++ local @INC = @INC;
++ pop @INC if $INC[-1] eq '.';
++ require VMS::Feature; }) {
+ $use_vms_feature = 1;
+ }
+ }
+diff -up PathTools/lib/File/Spec/Cygwin.pm.cve PathTools/lib/File/Spec/Cygwin.pm
+--- PathTools/lib/File/Spec/Cygwin.pm.cve 2016-03-01 13:33:02.000000000 +0100
++++ PathTools/lib/File/Spec/Cygwin.pm 2016-08-02 13:39:39.814316060 +0200
+@@ -137,7 +137,11 @@ sub case_tolerant {
+ if ($mntopts and ($mntopts =~ /,managed/)) {
+ return 0;
+ }
+- eval { require Win32API::File; } or return 1;
++ eval {
++ local @INC = @INC;
++ pop @INC if $INC[-1] eq '.';
++ require Win32API::File;
++ } or return 1;
+ my $osFsType = "\0"x256;
+ my $osVolName = "\0"x256;
+ my $ouFsFlags = 0;
+diff -up PathTools/lib/File/Spec/VMS.pm.cve PathTools/lib/File/Spec/VMS.pm
+--- PathTools/lib/File/Spec/VMS.pm.cve 2016-03-01 13:33:02.000000000 +0100
++++ PathTools/lib/File/Spec/VMS.pm 2016-08-02 13:39:39.814316060 +0200
+@@ -39,7 +39,10 @@ via the C CRT
+ 
+ my $use_feature;
+ BEGIN {
+- if (eval { local $SIG{__DIE__}; require VMS::Feature; }) {
++ if (eval { local $SIG{__DIE__};
++ local @INC = @INC;
++ pop @INC if $INC[-1] eq '.';
++ require VMS::Feature; }) {
+ $use_feature = 1;
+ }
+ }
+diff -up PathTools/lib/File/Spec/Win32.pm.cve PathTools/lib/File/Spec/Win32.pm
+--- PathTools/lib/File/Spec/Win32.pm.cve 2016-03-01 13:33:02.000000000 +0100
++++ PathTools/lib/File/Spec/Win32.pm 2016-08-02 13:39:39.814316060 +0200
+@@ -90,7 +90,11 @@ Default: 1
+ =cut
+ 
+ sub case_tolerant {
+- eval { require Win32API::File; } or return 1;
++ eval {
++ local @INC = @INC;
++ pop @INC if $INC[-1] eq '.';
++ require Win32API::File;
++ } or return 1;
+ my $drive = shift || "C:";
+ my $osFsType = "\0"x256;
+ my $osVolName = "\0"x256;
diff --git a/perl-PathTools.spec b/perl-PathTools.spec
index 386e2c6..0b1e7fe 100644
--- a/perl-PathTools.spec
+++ b/perl-PathTools.spec
@@ -1,7 +1,7 @@
 %global base_version 3.62
 Name: perl-PathTools
 Version: 3.63
-Release: 365%{?dist}
+Release: 366%{?dist}
 Summary: PathTools Perl module (Cwd, File::Spec)
 License: (GPL+ or Artistic) and BSD
 Group: Development/Libraries
@@ -11,6 +11,8 @@ Source0: http://www.cpan.org/authors/id/R/RJ/RJBS/PathTools-%{base_versio
 Patch0: PathTools-3.47-Disable-VMS-tests.patch
 # Unbundled from perl 5.24.0
 Patch1: PathTools-3.62-Upgrade-to-3.63.patch
+# Avoid loading optional modules from default . (CVE-2016-1238)
+Patch2: PathTools-3.63-CVE-2016-1238-avoid-loading-optional-modules-from.patch
 BuildRequires: coreutils
 BuildRequires: findutils
 BuildRequires: gcc
@@ -48,6 +50,7 @@ This is the combined distribution for the File::Spec and Cwd modules.
 %setup -q -n PathTools-%{base_version}
 %patch0 -p1
 %patch1 -p1
+%patch2 -p1
 
 # Do not distribute File::Spec::VMS as it works on VMS only (bug #973713)
 rm lib/File/Spec/VMS.pm
@@ -78,6 +81,9 @@ make test
 %{_mandir}/man3/*
 
 %changelog
+* Wed Aug 03 2016 Jitka Plesnikova - 3.63-366
+- Avoid loading optional modules from default . (CVE-2016-1238)
+
 * Sat May 14 2016 Jitka Plesnikova - 3.63-365
 - Increase release to favour standalone package
 
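Review bot: The added `local @INC = @INC; pop @INC if $INC[-1] eq '.';` guards carry no comment saying why the trailing `.` is dropped before the `require`, and the same unexplained idiom is repeated in Cwd.pm, lib/File/Spec/Cygwin.pm, lib/File/Spec/VMS.pm and lib/File/Spec/Win32.pm. A one-line comment above each `local @INC = @INC;`, e.g. `# CVE-2016-1238: do not search the implicit trailing '.' for this optional module`, would stop a later maintainer from folding the two lines back into the original one-line eval. That comment should also say that only a trailing `.` is removed, so a `.` placed elsewhere in @INC (explicit configuration) is still searched; this looks deliberate, but the guard must not be read as a full sanitisation of @INC. The `case_tolerant` bodies in Cygwin.pm and Win32.pm continue past their hunks.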
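Review bot: `%patch2 -p1` is applied immediately before the existing `rm lib/File/Spec/VMS.pm`, so the VMS.pm hunk of Patch2 is applied to a file that the next line deletes; harmless today, but if that hunk ever fails to apply the build breaks over a file that is not shipped. Consider a comment next to the `rm`, e.g. `# Patch2 also patches this file; the hunk is kept only so the patch applies cleanly`, or dropping the VMS.pm hunk from the downstream patch. The enclosing %prep section starts outside the hunk.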