35 lines
1.0 KiB
Diff
35 lines
1.0 KiB
Diff
From 15488839b5e8141d120db913c22fdbada9597b93 Mon Sep 17 00:00:00 2001
|
|
From: Tony Cook <tony@develop-help.com>
|
|
Date: Thu, 28 Jul 2016 13:34:55 +1000
|
|
Subject: [PATCH] CVE-2016-1238: avoid loading optional modules from default .
|
|
|
|
Sys::Syslog treats two modules as optional, attemptting to load them
|
|
and not requiring them (Win32 only.)
|
|
|
|
If a user runs a program using Sys::Syslog in a world writable
|
|
directory (like %windir%\Temp) a local attacker can create
|
|
Win32\EventLog.pm in that directory to run code as the running user.
|
|
|
|
This patch temporarily removes the default . from @INC to prevent
|
|
that attack.
|
|
---
|
|
Syslog.pm | 2 ++
|
|
1 file changed, 2 insertions(+)
|
|
|
|
diff --git a/Syslog.pm b/Syslog.pm
|
|
index 7978f04..06169a8 100644
|
|
--- a/Syslog.pm
|
|
+++ b/Syslog.pm
|
|
@@ -918,6 +918,8 @@ sub silent_eval (&) {
|
|
sub can_load {
|
|
my ($module, $verbose) = @_;
|
|
local($SIG{__DIE__}, $SIG{__WARN__}, $@);
|
|
+ local @INC = @INC;
|
|
+ pop @INC if $INC[-1] eq '.';
|
|
my $loaded = eval "use $module; 1";
|
|
warn $@ if not $loaded and $verbose;
|
|
return $loaded
|
|
--
|
|
2.1.4
|
|
|