| From 9987be3d24286d96d9dccec0433253ee8ad894b4 Mon Sep 17 00:00:00 2001 |
| From: Tony Cook <tony@develop-help.com> |
| Date: Tue, 21 Jun 2016 10:02:02 +1000 |
| Subject: [PATCH] perl: fix CVE-2016-1238 |
| |
| (perl #127834) remove . from the end of @INC if complex modules are loaded |
| |
| While currently Encode and Storable are known to attempt to load modules |
| not included in the core, updates to other modules may lead to those |
| also attempting to load new modules, so be safe and remove . for those |
| as well. |
| |
| Backport patch from http://perl5.git.perl.org/perl.git/commitdiff/cee96d52c39b1e7b36e1c62d38bcd8d86e9a41ab |
| |
| Upstream-Status: Backport |
| CVE: CVE-2016-1238 |
| Signed-off-by: Mingli Yu <Mingli.Yu@windriver.com> |
| --- |
| cpan/Archive-Tar/bin/ptar | 1 + |
| cpan/Archive-Tar/bin/ptardiff | 1 + |
| cpan/Archive-Tar/bin/ptargrep | 1 + |
| cpan/CPAN/scripts/cpan | 1 + |
| cpan/Digest-SHA/shasum | 1 + |
| cpan/Encode/bin/enc2xs | 1 + |
| cpan/Encode/bin/encguess | 1 + |
| cpan/Encode/bin/piconv | 1 + |
| cpan/Encode/bin/ucmlint | 1 + |
| cpan/Encode/bin/unidump | 1 + |
| cpan/ExtUtils-MakeMaker/bin/instmodsh | 1 + |
| cpan/IO-Compress/bin/zipdetails | 1 + |
| cpan/JSON-PP/bin/json_pp | 1 + |
| cpan/Test-Harness/bin/prove | 1 + |
| dist/ExtUtils-ParseXS/lib/ExtUtils/xsubpp | 1 + |
| dist/Module-CoreList/corelist | 1 + |
| ext/Pod-Html/bin/pod2html | 1 + |
| utils/c2ph.PL | 1 + |
| utils/h2ph.PL | 2 ++ |
| utils/h2xs.PL | 2 ++ |
| utils/libnetcfg.PL | 1 + |
| utils/perlbug.PL | 1 + |
| utils/perldoc.PL | 5 ++++- |
| utils/perlivp.PL | 2 ++ |
| utils/splain.PL | 6 ++++++ |
| 25 files changed, 36 insertions(+), 1 deletion(-) |
| |
| diff --git a/cpan/Archive-Tar/bin/ptar b/cpan/Archive-Tar/bin/ptar |
| index 0eaffa7..9dc6402 100644 |
| --- a/cpan/Archive-Tar/bin/ptar |
| +++ b/cpan/Archive-Tar/bin/ptar |
| @@ -1,6 +1,7 @@ |
| #!/usr/bin/perl |
| use strict; |
| |
| +BEGIN { pop @INC if $INC[-1] eq '.' } |
| use File::Find; |
| use Getopt::Std; |
| use Archive::Tar; |
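Review bot: The added `BEGIN { pop @INC if $INC[-1] eq '.' }` carries no explanation of why it exists or why it must precede every `use`, so a later cleanup could move it below a `use` line or drop it as noise; the same applies to the identical line in every other hunk of this patch. A short comment would preserve the intent: `# CVE-2016-1238: drop the implicit trailing '.' from @INC before any module is loaded`. It is also worth noting in the same comment that the guard removes only the trailing '.' that perl appends by default; a '.' that a caller placed elsewhere in @INC (for example via -I or PERL5LIB) is deliberately left in place, which I infer from the check touching only `$INC[-1]`.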
| diff --git a/cpan/Archive-Tar/bin/ptardiff b/cpan/Archive-Tar/bin/ptardiff |
| index 66bd859..4668fa6 100644 |
| --- a/cpan/Archive-Tar/bin/ptardiff |
| +++ b/cpan/Archive-Tar/bin/ptardiff |
| @@ -1,5 +1,6 @@ |
| #!/usr/bin/perl |
| |
| +BEGIN { pop @INC if $INC[-1] eq '.' } |
| use strict; |
| use Archive::Tar; |
| use Getopt::Std; |
| diff --git a/cpan/Archive-Tar/bin/ptargrep b/cpan/Archive-Tar/bin/ptargrep |
| index 1a320f1..8dc6b4f 100644 |
| --- a/cpan/Archive-Tar/bin/ptargrep |
| +++ b/cpan/Archive-Tar/bin/ptargrep |
| @@ -4,6 +4,7 @@ |
| # archive. See 'ptargrep --help' for more documentation. |
| # |
| |
| +BEGIN { pop @INC if $INC[-1] eq '.' } |
| use strict; |
| use warnings; |
| |
| diff --git a/cpan/CPAN/scripts/cpan b/cpan/CPAN/scripts/cpan |
| index 5f4320e..ccba47e 100644 |
| --- a/cpan/CPAN/scripts/cpan |
| +++ b/cpan/CPAN/scripts/cpan |
| @@ -1,5 +1,6 @@ |
| #!/usr/local/bin/perl |
| |
| +BEGIN { pop @INC if $INC[-1] eq '.' } |
| use strict; |
| use vars qw($VERSION); |
| |
| diff --git a/cpan/Digest-SHA/shasum b/cpan/Digest-SHA/shasum |
| index 14ddd60..62a2b0e 100644 |
| --- a/cpan/Digest-SHA/shasum |
| +++ b/cpan/Digest-SHA/shasum |
| @@ -13,6 +13,7 @@ |
| ## "-0" option for reading bit strings, and |
| ## "-p" option for portable digests (to be deprecated). |
| |
| +BEGIN { pop @INC if $INC[-1] eq '.' } |
| use strict; |
| use warnings; |
| use Fcntl; |
| diff --git a/cpan/Encode/bin/enc2xs b/cpan/Encode/bin/enc2xs |
| index 4d64e38..473a15c 100644 |
| --- a/cpan/Encode/bin/enc2xs |
| +++ b/cpan/Encode/bin/enc2xs |
| @@ -4,6 +4,7 @@ BEGIN { |
| # with $ENV{PERL_CORE} set |
| # In case we need it in future... |
| require Config; import Config; |
| + pop @INC if $INC[-1] eq '.'; |
| } |
| use strict; |
| use warnings; |
| diff --git a/cpan/Encode/bin/encguess b/cpan/Encode/bin/encguess |
| index 5d7ac80..0be5c7c 100644 |
| --- a/cpan/Encode/bin/encguess |
| +++ b/cpan/Encode/bin/encguess |
| @@ -1,5 +1,6 @@ |
| #!./perl |
| use 5.008001; |
| +BEGIN { pop @INC if $INC[-1] eq '.' } |
| use strict; |
| use warnings; |
| use Encode; |
| diff --git a/cpan/Encode/bin/piconv b/cpan/Encode/bin/piconv |
| index c1dad9e..60b2a59 100644 |
| --- a/cpan/Encode/bin/piconv |
| +++ b/cpan/Encode/bin/piconv |
| @@ -1,6 +1,7 @@ |
| #!./perl |
| # $Id: piconv,v 2.7 2014/05/31 09:48:48 dankogai Exp $ |
| # |
| +BEGIN { pop @INC if $INC[-1] eq '.' } |
| use 5.8.0; |
| use strict; |
| use Encode ; |
| diff --git a/cpan/Encode/bin/ucmlint b/cpan/Encode/bin/ucmlint |
| index 622376d..25e0d67 100644 |
| --- a/cpan/Encode/bin/ucmlint |
| +++ b/cpan/Encode/bin/ucmlint |
| @@ -3,6 +3,7 @@ |
| # $Id: ucmlint,v 2.2 2008/03/12 09:51:11 dankogai Exp $ |
| # |
| |
| +BEGIN { pop @INC if $INC[-1] eq '.' } |
| use strict; |
| our $VERSION = do { my @r = (q$Revision: 2.2 $ =~ /\d+/g); sprintf "%d."."%02d" x $#r, @r }; |
| |
| diff --git a/cpan/Encode/bin/unidump b/cpan/Encode/bin/unidump |
| index ae0da30..f190827 100644 |
| --- a/cpan/Encode/bin/unidump |
| +++ b/cpan/Encode/bin/unidump |
| @@ -1,5 +1,6 @@ |
| #!./perl |
| |
| +BEGIN { pop @INC if $INC[-1] eq '.' } |
| use strict; |
| use Encode; |
| use Getopt::Std; |
| diff --git a/cpan/ExtUtils-MakeMaker/bin/instmodsh b/cpan/ExtUtils-MakeMaker/bin/instmodsh |
| index e551434..b3b109f 100644 |
| --- a/cpan/ExtUtils-MakeMaker/bin/instmodsh |
| +++ b/cpan/ExtUtils-MakeMaker/bin/instmodsh |
| @@ -1,5 +1,6 @@ |
| #!/usr/bin/perl -w |
| |
| +BEGIN { pop @INC if $INC[-1] eq '.' } |
| use strict; |
| use IO::File; |
| use ExtUtils::Packlist; |
| diff --git a/cpan/IO-Compress/bin/zipdetails b/cpan/IO-Compress/bin/zipdetails |
| index 0249850..1b9c70a 100644 |
| --- a/cpan/IO-Compress/bin/zipdetails |
| +++ b/cpan/IO-Compress/bin/zipdetails |
| @@ -5,6 +5,7 @@ |
| # Display info on the contents of a Zip file |
| # |
| |
| +BEGIN { pop @INC if $INC[-1] eq '.' } |
| use strict; |
| use warnings ; |
| |
| diff --git a/cpan/JSON-PP/bin/json_pp b/cpan/JSON-PP/bin/json_pp |
| index df9d243..896cd2f 100644 |
| --- a/cpan/JSON-PP/bin/json_pp |
| +++ b/cpan/JSON-PP/bin/json_pp |
| @@ -1,5 +1,6 @@ |
| #!/usr/bin/perl |
| |
| +BEGIN { pop @INC if $INC[-1] eq '.' } |
| use strict; |
| use Getopt::Long; |
| |
| diff --git a/cpan/Test-Harness/bin/prove b/cpan/Test-Harness/bin/prove |
| index 6637cc4..d71b238 100644 |
| --- a/cpan/Test-Harness/bin/prove |
| +++ b/cpan/Test-Harness/bin/prove |
| @@ -1,5 +1,6 @@ |
| #!/usr/bin/perl -w |
| |
| +BEGIN { pop @INC if $INC[-1] eq '.' } |
| use strict; |
| use warnings; |
| use App::Prove; |
| diff --git a/dist/ExtUtils-ParseXS/lib/ExtUtils/xsubpp b/dist/ExtUtils-ParseXS/lib/ExtUtils/xsubpp |
| index e2ac71a..d596cdf 100644 |
| --- a/dist/ExtUtils-ParseXS/lib/ExtUtils/xsubpp |
| +++ b/dist/ExtUtils-ParseXS/lib/ExtUtils/xsubpp |
| @@ -1,5 +1,6 @@ |
| #!perl |
| use 5.006; |
| +BEGIN { pop @INC if $INC[-1] eq '.' } |
| use strict; |
| eval { |
| require ExtUtils::ParseXS; |
| diff --git a/dist/Module-CoreList/corelist b/dist/Module-CoreList/corelist |
| index aa4a945..bbe61cc 100644 |
| --- a/dist/Module-CoreList/corelist |
| +++ b/dist/Module-CoreList/corelist |
| @@ -130,6 +130,7 @@ requested perl versions. |
| |
| =cut |
| |
| +BEGIN { pop @INC if $INC[-1] eq '.' } |
| use Module::CoreList; |
| use Getopt::Long qw(:config no_ignore_case); |
| use Pod::Usage; |
| diff --git a/ext/Pod-Html/bin/pod2html b/ext/Pod-Html/bin/pod2html |
| index b022859..7d1d232 100644 |
| --- a/ext/Pod-Html/bin/pod2html |
| +++ b/ext/Pod-Html/bin/pod2html |
| @@ -216,6 +216,7 @@ This program is distributed under the Artistic License. |
| |
| =cut |
| |
| +BEGIN { pop @INC if $INC[-1] eq '.' } |
| use Pod::Html; |
| |
| pod2html @ARGV; |
| diff --git a/utils/c2ph.PL b/utils/c2ph.PL |
| index 13389ec..cef0b5c 100644 |
| --- a/utils/c2ph.PL |
| +++ b/utils/c2ph.PL |
| @@ -280,6 +280,7 @@ Anyway, here it is. Should run on perl v4 or greater. Maybe less. |
| |
| $RCSID = '$Id: c2ph,v 1.7 95/10/28 10:41:47 tchrist Exp Locker: tchrist $'; |
| |
| +BEGIN { pop @INC if $INC[-1] eq '.' } |
| use File::Temp; |
| |
| ###################################################################### |
| diff --git a/utils/h2ph.PL b/utils/h2ph.PL |
| index 55c1f72..300b756 100644 |
| --- a/utils/h2ph.PL |
| +++ b/utils/h2ph.PL |
| @@ -36,6 +36,8 @@ $Config{startperl} |
| |
| print OUT <<'!NO!SUBS!'; |
| |
| +BEGIN { pop @INC if $INC[-1] eq '.' } |
| + |
| use strict; |
| |
| use Config; |
| diff --git a/utils/h2xs.PL b/utils/h2xs.PL |
| index 268f680..f95ee0c 100644 |
| --- a/utils/h2xs.PL |
| +++ b/utils/h2xs.PL |
| @@ -35,6 +35,8 @@ $Config{startperl} |
| |
| print OUT <<'!NO!SUBS!'; |
| |
| +BEGIN { pop @INC if $INC[-1] eq '.' } |
| + |
| use warnings; |
| |
| =head1 NAME |
| diff --git a/utils/libnetcfg.PL b/utils/libnetcfg.PL |
| index 59a2de8..26d2f99 100644 |
| --- a/utils/libnetcfg.PL |
| +++ b/utils/libnetcfg.PL |
| @@ -97,6 +97,7 @@ Jarkko Hietaniemi, conversion into libnetcfg for inclusion into Perl 5.8. |
| |
| # $Id: Configure,v 1.8 1997/03/04 09:22:32 gbarr Exp $ |
| |
| +BEGIN { pop @INC if $INC[-1] eq '.' } |
| use strict; |
| use IO::File; |
| use Getopt::Std; |
| diff --git a/utils/perlbug.PL b/utils/perlbug.PL |
| index 885785a..ae8c343 100644 |
| --- a/utils/perlbug.PL |
| +++ b/utils/perlbug.PL |
| @@ -57,6 +57,7 @@ print OUT <<'!NO!SUBS!'; |
| my @patches = Config::local_patches(); |
| my $patch_tags = join "", map /(\S+)/ ? "+$1 " : (), @patches; |
| |
| +BEGIN { pop @INC if $INC[-1] eq '.' } |
| use warnings; |
| use strict; |
| use Config; |
| diff --git a/utils/perldoc.PL b/utils/perldoc.PL |
| index e201de9..cd60bd4 100644 |
| --- a/utils/perldoc.PL |
| +++ b/utils/perldoc.PL |
| @@ -44,7 +44,10 @@ $Config{startperl} |
| # This "$file" file was generated by "$0" |
| |
| require 5; |
| -BEGIN { \$^W = 1 if \$ENV{'PERLDOCDEBUG'} } |
| +BEGIN { |
| + \$^W = 1 if \$ENV{'PERLDOCDEBUG'}; |
| + pop \@INC if \$INC[-1] eq '.'; |
| +} |
| use Pod::Perldoc; |
| exit( Pod::Perldoc->run() ); |
| |
| diff --git a/utils/perlivp.PL b/utils/perlivp.PL |
| index cc49f96..696a44e 100644 |
| --- a/utils/perlivp.PL |
| +++ b/utils/perlivp.PL |
| @@ -39,6 +39,8 @@ print OUT "\n# perlivp $^V\n"; |
| |
| print OUT <<'!NO!SUBS!'; |
| |
| +BEGIN { pop @INC if $INC[-1] eq '.' } |
| + |
| sub usage { |
| warn "@_\n" if @_; |
| print << " EOUSAGE"; |
| diff --git a/utils/splain.PL b/utils/splain.PL |
| index 9c70b61..cae84a0 100644 |
| --- a/utils/splain.PL |
| +++ b/utils/splain.PL |
| @@ -38,6 +38,12 @@ $Config{startperl} |
| if \$running_under_some_shell; |
| !GROK!THIS! |
| |
| +print <<'!NO!SUBS!'; |
| + |
| +BEGIN { pop @INC if $INC[-1] eq '.' } |
| + |
| +!NO!SUBS! |
| + |
| while (<IN>) { |
| print OUT unless /^package diagnostics/; |
| } |
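Review bot: The new heredoc is emitted with a bare `print <<'!NO!SUBS!';`, while the surrounding code writes the generated script through the OUT handle (`print OUT unless /^package diagnostics/;` two lines below), so as shown the `BEGIN { pop @INC ... }` line goes to STDOUT instead of into the generated splain and the fix would not take effect for this utility. Unless OUT has been made the default output handle earlier in the file (not visible in this hunk), the line should read `print OUT <<'!NO!SUBS!';`, matching the `print OUT` form used by the h2ph.PL, h2xs.PL and perlivp.PL hunks in this same patch. The heredoc itself is non-interpolating, so the literal `@INC` and `$INC[-1]` in it are correct.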
| -- |
| 2.8.1 |
| |