Avoid loading optional modules from default . (CVE-2016-1238)
This commit is contained in:
Jitka Plesnikova
parent
7b0f41b5ac
commit
6301165364
@ -0,0 +1,34 @@
|
||||
From 15488839b5e8141d120db913c22fdbada9597b93 Mon Sep 17 00:00:00 2001
|
||||
From: Tony Cook <tony@develop-help.com>
|
||||
Date: Thu, 28 Jul 2016 13:34:55 +1000
|
||||
Subject: [PATCH] CVE-2016-1238: avoid loading optional modules from default .
|
||||
|
||||
Sys::Syslog treats two modules as optional, attemptting to load them
|
||||
and not requiring them (Win32 only.)
|
||||
|
||||
If a user runs a program using Sys::Syslog in a world writable
|
||||
directory (like %windir%\Temp) a local attacker can create
|
||||
Win32\EventLog.pm in that directory to run code as the running user.
|
||||
|
||||
This patch temporarily removes the default . from @INC to prevent
|
||||
that attack.
|
||||
---
|
||||
Syslog.pm | 2 ++
|
||||
1 file changed, 2 insertions(+)
|
||||
|
||||
diff --git a/Syslog.pm b/Syslog.pm
|
||||
index 7978f04..06169a8 100644
|
||||
--- a/Syslog.pm
|
||||
+++ b/Syslog.pm
|
||||
@@ -918,6 +918,8 @@ sub silent_eval (&) {
|
||||
sub can_load {
|
||||
my ($module, $verbose) = @_;
|
||||
local($SIG{__DIE__}, $SIG{__WARN__}, $@);
|
||||
+ local @INC = @INC;
|
||||
+ pop @INC if $INC[-1] eq '.';
|
||||
my $loaded = eval "use $module; 1";
|
||||
warn $@ if not $loaded and $verbose;
|
||||
return $loaded
|
||||
--
|
||||
2.1.4
|
||||
|
||||
@ -1,6 +1,6 @@
|
||||
Name: perl-Sys-Syslog
|
||||
Version: 0.34
|
||||
Release: 3%{?dist}
|
||||
Release: 4%{?dist}
|
||||
Summary: Perl interface to the UNIX syslog(3) calls
|
||||
# README: GPL+ or Artistic
|
||||
# ppport.h: GPL+ or Artistic
|
||||
@ -11,6 +11,8 @@ License: GPL+ or Artistic
|
||||
Group: Development/Libraries
|
||||
URL: http://search.cpan.org/dist/Sys-Syslog/
|
||||
Source0: http://www.cpan.org/authors/id/S/SA/SAPER/Sys-Syslog-%{version}.tar.gz
|
||||
# Avoid loading optional modules from default . (CVE-2016-1238)
|
||||
Patch0: Sys-Syslog-0.34-CVE-2016-1238-avoid-loading-optional-modules-from.patch
|
||||
BuildRequires: coreutils
|
||||
BuildRequires: findutils
|
||||
BuildRequires: gcc
|
||||
@ -65,6 +67,8 @@ a string priority and a list of printf() arguments just like at syslog(3).
|
||||
|
||||
%prep
|
||||
%setup -q -n Sys-Syslog-%{version}
|
||||
%patch0 -p1
|
||||
|
||||
chmod -x eg/*
|
||||
# Inhibit bundled syslog.h
|
||||
rm -rf fallback
|
||||
@ -96,6 +100,9 @@ make test
|
||||
%{_mandir}/man3/*
|
||||
|
||||
%changelog
|
||||
* Wed Aug 03 2016 Jitka Plesnikova <jplesnik@redhat.com> - 0.34-4
|
||||
- Avoid loading optional modules from default . (CVE-2016-1238)
|
||||
|
||||
* Wed May 18 2016 Jitka Plesnikova <jplesnik@redhat.com> - 0.34-3
|
||||
- Perl 5.24 re-rebuild of bootstrapped packages
|
||||
|
||||
|
||||
Loading…
Reference in New Issue
Block a user