
This queue is for tickets about the MIME-Charset CPAN distribution.

Report information
The Basics
Id: 116459
Status: resolved
Priority: 0/
Queue: MIME-Charset

People
Owner: Nobody in particular
Requestors: CARNIL [...] cpan.org
Cc:
AdminCc:

Bug Information
Severity: (no value)
Broken in: 1.012.1
Fixed in: (no value)



From: CARNIL [...] cpan.org
Subject: [PATCH] Remove . from @INC when loading modules dynamically
In Debian we are currently applying the following patch to MIME-Charset. We thought you might be interested in it too. Background can be found in http://article.gmane.org/gmane.comp.lang.perl.perl5.porters/160507

From 327106167f69bd629988f0926e5a3a56574ff40a Mon Sep 17 00:00:00 2001
From: Dominic Hargreaves <dom@earth.li>
Date: Sun, 24 Jul 2016 20:06:29 +0100
Subject: [PATCH] Remove . from @INC when loading modules dynamically [CVE-2016-1238]

The patch is tracked in our Git repository at https://anonscm.debian.org/cgit/pkg-perl/packages/libmime-charset-perl.git/plain/debian/patches/CVE-2016-1238.patch

Thanks for considering,
Salvatore Bonaccorso,
Debian Perl Group
Here's the patch.


On Mon Jul 25 13:30:59 2016, CARNIL wrote:
Alternatively, consider https://github.com/hatukanezumi/MIME-Charset/pull/1

Thank you very much.
Jim Keenan
On 2017-04-01 14:52:01, JKEENAN wrote:

That fix, and this issue, are barely related.

This issue is about a potential runtime bug in MIME::Charset when running on perls where there _is_ a '.' in @INC, where it fixes a security risk by removing it.

That mentioned PR only fixes Makefile.PL so it compiles on newer perls without '.' in @INC.

-- 
- CPAN kentnl@cpan.org
- Gentoo Perl Maintainer kentnl@gentoo.org ( perl@gentoo.org )
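The runtime hardening kentnl describes, as an added Perl example that is not part of this ticket, of the Debian patch, or of MIME::Charset's own code: a loader that drops '.' from @INC only for the duration of a dynamic require, plus a check for whether the running perl still has '.' in @INC at all. The module names in the demonstration are assumptions chosen for this example.

```perl
#!/usr/bin/env perl
use strict;
use warnings;

# Report whether the running perl still has the current directory in @INC,
# the precondition for the problem this ticket is about.
sub dot_in_inc {
    return scalar grep { $_ eq '.' } @INC;
}

# Load a module by name at runtime without consulting '.', so a file
# dropped into the current working directory cannot be picked up in place
# of the intended module. @INC is localised, so the caller's @INC is
# unchanged afterwards. Returns 1 on success, 0 on failure with the error
# left in $@.
sub load_module_safely {
    my ($module) = @_;
    local @INC = grep { $_ ne '.' } @INC;   # the CVE-2016-1238 mitigation
    (my $file = "$module.pm") =~ s{::}{/}g;  # Foo::Bar -> Foo/Bar.pm
    return eval { require $file; 1 } ? 1 : 0;
}

# Demonstration (module names are assumptions for this example):
# Encode is a core module and should load; the second name does not exist.
printf "current directory in \@INC: %s\n", dot_in_inc() ? 'yes' : 'no';
for my $module ('Encode', 'Example::Missing::Module') {
    if (load_module_safely($module)) {
        print "$module loaded\n";
    } else {
        print "$module not loaded: $@";
    }
}
```

Because the require runs under the localised @INC, any modules the loaded module requires in turn are also resolved without '.'.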
CARNIL,

The patch was applied: https://github.com/hatukanezumi/MIME-Charset/commit/ee95f235

Thank you!
Jim,

Thank you so much for the bug fix; however, I also think your patch does not fix the issue this ticket deals with. Though this ticket will be closed soon, please submit a PR to the GitHub repo again.

Thank you for your cooperation.