Subject: CVE-2016-1238: Digest may load an optional module from the current directory
As described in the patch, this can be used by a local attacker to execute code
as another user.
Patch also available as a pull request at
https://github.com/gisle/digest/pull/3
Tony
Subject: 0001-CVE-2016-1238-prevent-loading-optional-modules-from-.patch
From 8cfc4916736280dd76655fdef5b78331bfac414d Mon Sep 17 00:00:00 2001
From: Tony Cook <tony@develop-help.com>
Date: Wed, 27 Jul 2016 14:04:59 +1000
Subject: [PATCH] CVE-2016-1238: prevent loading optional modules from default .
Digest attempts to load Digest::SHA, only failing if Digest::SHA2
is also unavailable.
If a system has Digest installed, but not Digest::SHA, and a user
attempts to run a program using Digest with SHA-256 from a world-writable
directory such as /tmp, then, since perl adds "." to the end of @INC,
an attacker can run code as the original user by creating
/tmp/Digest/SHA.pm.
The change temporarily removes the default "." entry from the end of
@INC preventing that attack.
---
Digest.pm | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/Digest.pm b/Digest.pm
index 2ae6eec..c75649f 100644
--- a/Digest.pm
+++ b/Digest.pm
@@ -42,7 +42,11 @@ sub new
unless (exists ${"$class\::"}{"VERSION"}) {
my $pm_file = $class . ".pm";
$pm_file =~ s{::}{/}g;
- eval { require $pm_file };
+ eval {
+ local @INC = @INC;
+ pop @INC if $INC[-1] eq '.';
+ require $pm_file;
+ };
if ($@) {
$err ||= $@;
next;
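Review bot: `pop @INC if $INC[-1] eq '.';` only strips a trailing '.' entry, so a '.' or empty-string entry that sits anywhere else in @INC (for example one added through PERL5LIB or -I) still lets `require $pm_file` search the current directory. Consider `local @INC = grep { $_ ne '.' && $_ ne '' } @INC;` so every cwd-relative entry is dropped before the require, rather than only the last one. Also, when @INC is empty `$INC[-1]` is undef and the `eq` comparison emits an uninitialized-value warning under `use warnings`.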
--
2.1.4
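The patch above removes only a trailing "." from @INC. As an added illustration (not part of Tony's patch or of the Digest module), the following Perl script shows the hardened form of the same idea: an optional-module loader that searches only absolute @INC entries (and hook references), plus a small check that reports which @INC entries resolve relative to the current directory. The names `untrusted_inc_entries` and `require_optional` are assumed for this example; the trailing `push @INC, '.'` is a constructed emulation of the pre-fix interpreter behaviour the commit message describes.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use File::Spec;

# Return every @INC entry that would be resolved relative to the current
# working directory: '.', the empty string, or any other non-absolute path.
# Code-reference hooks are not paths and are left alone.
sub untrusted_inc_entries {
    return grep { !ref($_) && !File::Spec->file_name_is_absolute($_) } @INC;
}

# Load an optional module by name, searching only trusted @INC entries.
# Returns the module name on success, undef on failure (with the error in $@).
sub require_optional {
    my ($module) = @_;

    # "Digest::SHA" -> "Digest/SHA.pm", the same mapping Digest.pm performs
    (my $pm_file = $module) =~ s{::}{/}g;
    $pm_file .= '.pm';

    # Localised copy of @INC with every cwd-relative entry removed, not just
    # a trailing '.'; restored automatically when the sub returns.
    local @INC = grep { ref($_) || File::Spec->file_name_is_absolute($_) } @INC;

    return eval { require $pm_file; $module };
}

# Constructed demonstration: emulate an interpreter that appends '.' to @INC.
push @INC, '.';

my @risky = untrusted_inc_entries();
print "cwd-relative \@INC entries: @risky\n" if @risky;

my $loaded = require_optional('Digest::SHA');
if ($loaded) {
    print "$loaded loaded from a trusted \@INC entry\n";
} else {
    print "Digest::SHA not available from trusted \@INC entries: $@";
}
```

Running the script from a directory that happens to contain a Digest/SHA.pm makes no difference to the result, because that directory is never on the localised @INC; only the interpreter's configured absolute library paths (and any hooks) are searched.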