Bug #116506 for bignum: CVE-2016-1238: bignum, bigint, bigrat may load an optional module from the current directory

Tue Jul 26 21:47:31 2016 TONYC [...] cpan.org - Ticket created

Subject:

CVE-2016-1238: bignum, bigint, bigrat may load an optional module from the current directory

bignum, bigint, bigrat all attempt to load an optional module Math::BigInt::Lite Since perl includes . in @INC by default, if a program that uses any of the above modules is run from a directory writable by other users (like /tmp) an attacker can create Math/BigInt/Lite.pm in that directory to run code as the other user. The attached patch temporarily removes that default . from @INC when attempting to load Math::BigInt::Lite to prevent that attack. The change is in the maint-5.22, maint-5.24 and blead perl branches. Tony

Subject:

bignum-cve-2016-1238.patch

diff -ru bignum-0.43-orig/lib/bigint.pm bignum-0.43/lib/bigint.pm --- bignum-0.43-orig/lib/bigint.pm 2016-05-04 09:57:00.000000000 +1000 +++ bignum-0.43/lib/bigint.pm 2016-07-27 11:37:39.001453320 +1000 @@ -315,6 +315,8 @@ } else { # see if we can find Math::BigInt::Lite if (!defined $a && !defined $p) { # rounding won't work to well + local @INC = @INC; + pop @INC if $INC[-1] eq '.'; if (eval { require Math::BigInt::Lite; 1 }) { @import = (); # :constant in Lite, not MBI Math::BigInt::Lite->import(':constant'); diff -ru bignum-0.43-orig/lib/bignum.pm bignum-0.43/lib/bignum.pm --- bignum-0.43-orig/lib/bignum.pm 2016-04-21 18:01:04.000000000 +1000 +++ bignum-0.43/lib/bignum.pm 2016-07-27 11:39:44.966330624 +1000 @@ -157,6 +157,8 @@ else { # see if we can find Math::BigInt::Lite if (!defined $a && !defined $p) { # rounding won't work to well + local @INC = @INC; + pop @INC if $INC[-1] eq '.'; if (eval { require Math::BigInt::Lite; 1 }) { @import = (); # :constant in Lite, not MBI Math::BigInt::Lite->import(':constant'); diff -ru bignum-0.43-orig/lib/bigrat.pm bignum-0.43/lib/bigrat.pm --- bignum-0.43-orig/lib/bigrat.pm 2016-04-21 18:01:04.000000000 +1000 +++ bignum-0.43/lib/bigrat.pm 2016-07-27 11:39:55.970407209 +1000 @@ -150,6 +150,8 @@ else { # see if we can find Math::BigInt::Lite if (!defined $a && !defined $p) { # rounding won't work to well + local @INC = @INC; + pop @INC if $INC[-1] eq '.'; if (eval { require Math::BigInt::Lite; 1 }) { @import = (); # :constant in Lite, not MBI Math::BigInt::Lite->import(':constant');

Sun Nov 20 10:32:13 2016 peter.john.acklam [...] gmail.com - Status changed from 'new' to 'resolved'

Sun Nov 20 10:32:19 2016 peter.john.acklam [...] gmail.com - Fixed in 0.44 added