
This queue is for tickets about the Digest-SHA CPAN distribution.

Report information
The Basics
Id: 116513
Status: resolved
Priority: 0/
Queue: Digest-SHA

People
Owner: mshelor [...] cpan.org
Requestors: TONYC [...] cpan.org
Cc:
AdminCc:

Bug Information
Severity: (no value)
Broken in: (no value)
Fixed in: 5.96



Subject: CVE-2016-1238: shasum may load an optional module from the current directory
shasum treats Digest::SHA and Digest::SHA::PurePerl as optional modules (which one is optional depends on -R). If, with -R, only Digest::SHA is installed, an attacker can create, for example, /tmp/Digest/SHA/PurePerl.pm; if a user then runs shasum with /tmp as the current directory, shasum will load and run the attacker's code. The attached patch modifies @INC before any modules are loaded, removing the default "." entry, to prevent this attack. This change is included in maint-5.22, maint-5.24 and blead perl.

Tony
Subject: digest-sha-cve-2016-1238.patch
diff -ru Digest-SHA-5.95-orig/shasum Digest-SHA-5.95/shasum --- Digest-SHA-5.95-orig/shasum 2015-01-11 07:09:47.000000000 +1100 +++ Digest-SHA-5.95/shasum 2016-07-27 14:19:11.157223611 +1000 @@ -13,6 +13,7 @@ ## "-0" option for reading bit strings, and ## "-p" option for portable digests (to be deprecated). +BEGIN { pop @INC if $INC[-1] eq '.' } use strict; use warnings; use Fcntl;
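Review bot: the BEGIN block removes '.' only when it is the final @INC entry (`pop @INC if $INC[-1] eq '.'`); a '.' or '' entry anywhere else, for instance one added through PERL5LIB or -I, is left in place, so the fix covers the default layout the report describes but not every way a relative entry can reach @INC. If broader coverage is wanted, `BEGIN { @INC = grep { $_ ne '.' } @INC }` drops every '.' entry at the same cost; the trailing-pop form does match what the report says went into maint-5.22, maint-5.24 and blead, so keeping it for consistency with core perl is reasonable. Placement before `use strict; use warnings; use Fcntl;` is correct, since BEGIN runs before those compile-time loads; a one-line comment above the block naming CVE-2016-1238 would tell future readers why a script is editing @INC.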
Yes indeed ... thanks for the patch. Will be applied in the next release (5.96), to appear shortly.

Mark
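The following is an added example, not code from the Digest-SHA distribution or from this ticket. It applies the same idea as the patch but drops a '.' or '' entry wherever it sits in @INC (not only a trailing one), mirrors shasum's "prefer Digest::SHA, fall back to Digest::SHA::PurePerl" selection, and then checks through %INC whether the module that loaded was found via a relative @INC entry. The function names (`load_sha_backend`, `module_origin`) are my own and assume only core Perl plus Digest::SHA, which ships with perl.

```perl
#!/usr/bin/env perl
# Added example for CVE-2016-1238 hardening; not part of Digest-SHA.

# Runs at compile time, before any 'use' below pulls a file from @INC.
# Unlike the one-line patch (which pops only a trailing '.'), this drops
# '.' and '' wherever they appear, e.g. one injected through PERL5LIB.
# Hook entries (coderefs/arrayrefs) are kept untouched.
BEGIN {
    @INC = grep { ref($_) || ($_ ne '.' && $_ ne '') } @INC;
}

use strict;
use warnings;
use File::Spec;

# Mirror shasum's optional-module selection: try each candidate in
# order and return the first one that loads. Candidate list is an
# assumption matching the ticket's description of shasum's behaviour.
sub load_sha_backend {
    my @candidates = @_ ? @_ : ('Digest::SHA', 'Digest::SHA::PurePerl');
    for my $mod (@candidates) {
        (my $file = "$mod.pm") =~ s{::}{/}g;
        return $mod if eval { require $file; 1 };
    }
    return;    # nothing usable installed
}

# Where did a loaded module actually come from? %INC records the path
# perl resolved; a non-absolute value means it was found through a
# relative @INC entry such as '.', which is exactly the CVE condition.
sub module_origin {
    my ($mod) = @_;
    (my $file = "$mod.pm") =~ s{::}{/}g;
    my $path = $INC{$file} or return;
    return {
        path     => $path,
        relative => File::Spec->file_name_is_absolute($path) ? 0 : 1,
    };
}

my $backend = load_sha_backend()
    or die "no SHA backend available (neither Digest::SHA nor PurePerl)\n";

my $origin = module_origin($backend);
printf "%s loaded from %s (%s)\n",
    $backend, $origin->{path},
    $origin->{relative}
        ? 'RELATIVE PATH: resolved via a relative @INC entry'
        : 'absolute path';

# Prove the chosen backend works; both modules expose sha256_hex.
my $hex = $backend->can('sha256_hex')->('abc');
print "sha256(\"abc\") via $backend = $hex\n";
```

Run it from any directory; with the BEGIN block in place the origin line should always report an absolute path. Commenting the BEGIN block out and running from a directory that contains a `Digest/SHA/PurePerl.pm` (on a perl old enough to still carry '.' in @INC, with Digest::SHA removed from the candidate list) is the quickest way to see the "RELATIVE PATH" branch fire, which is the detection signal a deployment check would key on.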