Subject: | CVE-2016-1238: ptar, ptardiff, ptargrep may load optional modules from the current directory |
The attached patch prevents ptar, ptardiff and ptargrep from loading optional
compression modules from the default current directory entry in @INC.
This change is included in maint-5.22, maint-5.24 and blead perl.
Tony
Subject: | 0001-CVE-2016-1238-avoid-loading-optional-modules-from-de.patch |
From 885399c04ba75b06eb5fb6e96a7f0ad83f1a3c29 Mon Sep 17 00:00:00 2001
From: Tony Cook <tony@develop-help.com>
Date: Wed, 27 Jul 2016 11:08:21 +1000
Subject: [PATCH] CVE-2016-1238: avoid loading optional modules from default .
Avoid loading optional modules from the current directory entry in
@INC that perl adds by default.
If these tools are used in /tmp, for example, an attacker can use the
. entry as a vector to run code with the rights of the current user.
---
bin/ptar | 1 +
bin/ptardiff | 1 +
bin/ptargrep | 1 +
3 files changed, 3 insertions(+)
diff --git a/bin/ptar b/bin/ptar
index 0eaffa7..9dc6402 100644
--- a/bin/ptar
+++ b/bin/ptar
@@ -1,6 +1,7 @@
#!/usr/bin/perl
use strict;
+BEGIN { pop @INC if $INC[-1] eq '.' }
use File::Find;
use Getopt::Std;
use Archive::Tar;
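Review bot: the guard on the `+` line is placed after `use strict;`, whereas the ptardiff hunk in this same patch places it before; `strict.pm` is found in the core library directories that precede `.` in @INC, so nothing is pulled from the working directory here, but making the BEGIN block the first statement in all three scripts (and giving it a one-line comment naming CVE-2016-1238, which none of the three hunks carries) keeps the ordering invariant obvious to the next editor. That comment should also state that the check is deliberately narrow: only a trailing `.` is popped, so a `.` the caller added earlier in @INC on purpose, via -I or PERL5LIB, is left alone, matching the "by default" wording of the commit message.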
diff --git a/bin/ptardiff b/bin/ptardiff
index 66bd859..4668fa6 100644
--- a/bin/ptardiff
+++ b/bin/ptardiff
@@ -1,5 +1,6 @@
#!/usr/bin/perl
+BEGIN { pop @INC if $INC[-1] eq '.' }
use strict;
use Archive::Tar;
use Getopt::Std;
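Review bot: the placement is right, the guard runs before `use Archive::Tar;` on the following line and `use` executes at compile time, but nothing in the hunk records that the pop must stay inside a BEGIN block; a plain `pop @INC if $INC[-1] eq '.';` at file scope would only run after every `use` below it had already been compiled and executed, silently undoing the fix. Suggest carrying the reason in the line itself, e.g. `BEGIN { pop @INC if $INC[-1] eq '.' } # CVE-2016-1238: never fall back to cwd for optional modules`.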
diff --git a/bin/ptargrep b/bin/ptargrep
index 1a320f1..8dc6b4f 100644
--- a/bin/ptargrep
+++ b/bin/ptargrep
@@ -4,6 +4,7 @@
# archive. See 'ptargrep --help' for more documentation.
#
+BEGIN { pop @INC if $INC[-1] eq '.' }
use strict;
use warnings;
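Review bot: the diffstat lists only the three scripts, so no regression test accompanies the guards; a test that creates a scratch directory holding a fake optional module, chdirs into it and runs each of ptar, ptardiff and ptargrep would confirm the planted module is never loaded and would catch a future edit that moves one of the BEGIN blocks below a `use`. For ptargrep the guard lands after the `#` header comment block and before `use strict;`, which is the correct spot; that existing header comment is the natural place to add the CVE reference.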
--
2.1.4
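The vector the commit message describes, as an added example that is not part of the perl patch or of Archive::Tar: it plants a constructed module (`Evil::Optional`, a name chosen for this demo) in a scratch directory, chdirs there as a victim running the tools in /tmp would, and probes for it the way a tool probes for an optional compression module (a `require` wrapped in `eval`, so absence is tolerated). The first probe runs with the pre-5.26 trailing `.` in @INC rebuilt, the second with the patch's guard applied; the `probe_optional_module` helper and the `$main::PAYLOAD_RAN` flag are constructed for this demo.

```perl
#!/usr/bin/perl
# Added example (not part of the perl patch): reproduces the CVE-2016-1238
# vector against a constructed module and shows the effect of the guard
# "BEGIN { pop @INC if $INC[-1] eq '.' }". The module name Evil::Optional,
# the scratch directory and the PAYLOAD_RAN flag are all constructed here.
use strict;
use warnings;
use Cwd qw(getcwd);
use File::Path qw(make_path);
use File::Spec;
use File::Temp qw(tempdir);

# 1. Plant a module in a scratch directory and chdir into it, standing in
#    for an attacker-controlled /tmp that the victim runs ptar from.
my $scratch = tempdir(CLEANUP => 1);
make_path(File::Spec->catdir($scratch, 'Evil'));
open my $fh, '>', File::Spec->catfile($scratch, 'Evil', 'Optional.pm')
    or die "cannot write planted module: $!";
print $fh "package Evil::Optional;\n",
          "\$main::PAYLOAD_RAN = 1;   # stands in for arbitrary attacker code\n",
          "1;\n";
close $fh;

my $orig_cwd = getcwd();
chdir $scratch or die "chdir: $!";

# 2. Model an optional-module probe: a require inside eval, so a missing
#    module is silently tolerated and the search simply falls through @INC.
sub probe_optional_module {
    my ($guarded) = @_;
    # Perl < 5.26 ends the default @INC with '.'; rebuild that state for
    # each run so the result does not depend on the perl executing this.
    local @INC = ((grep { $_ ne '.' } @INC), '.');
    pop @INC if $guarded && $INC[-1] eq '.';    # the patch's guard
    local $main::PAYLOAD_RAN = 0;
    delete $INC{'Evil/Optional.pm'};            # forget any earlier load
    my $found = eval { require Evil::Optional; 1 } ? 1 : 0;
    return { found => $found, payload_ran => $main::PAYLOAD_RAN };
}

my $unguarded = probe_optional_module(0);
my $guarded   = probe_optional_module(1);

printf "unguarded: module found=%d payload_ran=%d\n",
    @{$unguarded}{qw(found payload_ran)};
printf "guarded:   module found=%d payload_ran=%d\n",
    @{$guarded}{qw(found payload_ran)};

chdir $orig_cwd or die "chdir back: $!";
```

The unguarded probe resolves `Evil::Optional` through the trailing `.` entry and executes the planted file; with the guard, the same probe fails inside the eval and the planted code never runs. Because the guard only pops a trailing `.`, a `.` that an operator placed earlier in @INC on purpose would still be honoured, which is the behaviour the patch intends.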