Subject: CVE-2016-1238: avoid loading optional modules from default .
Perl includes . at the end of @INC by default. If a user runs a program that
loads IO::Uncompress::AnyUncompress while in a world-writable directory (such
as /tmp) and any of the optional modules loaded in the BEGIN block in that file
are not installed, an attacker can create that module in that directory to
run code as the other user.
To avoid this, temporarily remove . from the end of @INC while loading optional
modules.
zipdetails uses Encode, which has the same problem with Encode::ConfigLocal.
To avoid this, remove . from @INC at the start of zipdetails.
These changes are included in maint-5.22, maint-5.24 and blead perl.
Tony
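As an added regression check (not part of Tony's report or of IO-Compress), the script below contrasts the vulnerable pattern with a hardened optional-module loader. It uses `grep { $_ ne '.' }` rather than the patch's `pop`, so it also covers a '.' that is not the last @INC entry. The module name Hypothetical::NotInstalled and the helper names are assumptions; the planted module lives in a private File::Temp directory and the script simulates a pre-5.26 @INC by appending '.'.

```perl
#!/usr/bin/perl
# Added example, not code from the original report or from IO-Compress.
use strict;
use warnings;
use Cwd qw(getcwd);
use File::Temp qw(tempdir);
use File::Path qw(make_path);

# Vulnerable pattern: probe for an optional module with @INC untouched,
# so a trailing '.' makes perl search the current directory too.
sub load_optional_unsafe {
    my ($module) = @_;
    return eval "require $module; 1" ? 1 : 0;
}

# Hardened pattern (same idea as the patch, stricter filter): drop every
# '.' entry for the duration of this load only; the caller's @INC is
# restored when the sub returns.
sub load_optional_safe {
    my ($module) = @_;
    local @INC = grep { $_ ne '.' } @INC;
    return eval "require $module; 1" ? 1 : 0;
}

# Constructed test fixture: a module (hypothetical name, assumed not to be
# installed anywhere) planted in a private temp dir that we then chdir into.
my $module = 'Hypothetical::NotInstalled';
my $dir    = tempdir(CLEANUP => 1);
make_path("$dir/Hypothetical");
open my $fh, '>', "$dir/Hypothetical/NotInstalled.pm" or die "open: $!";
print $fh "package Hypothetical::NotInstalled; 1;\n";
close $fh;

my $orig = getcwd();
chdir $dir or die "chdir: $!";
# Perl 5.26+ no longer ends @INC with '.'; re-add it to reproduce the
# default search path that CVE-2016-1238 is about.
push @INC, '.' unless @INC && $INC[-1] eq '.';

# Expected: the safe loader reports "no", the unsafe loader reports "yes".
printf "safe loader found planted module:   %s\n",
    load_optional_safe($module)   ? 'yes' : 'no (mitigated)';
printf "unsafe loader found planted module: %s\n",
    load_optional_unsafe($module) ? 'yes (vulnerable)' : 'no';

chdir $orig or die "chdir back: $!";
```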
Subject: IO-Compress-cve-2016-1238.patch
diff -ru IO-Compress-2.069-orig/bin/zipdetails IO-Compress-2.069/bin/zipdetails
--- IO-Compress-2.069-orig/bin/zipdetails 2014-01-31 07:52:56.000000000 +1100
+++ IO-Compress-2.069/bin/zipdetails 2016-07-28 10:10:17.812926303 +1000
@@ -5,6 +5,7 @@
# Display info on the contents of a Zip file
#
+BEGIN { pop @INC if $INC[-1] eq '.' }
use strict;
use warnings ;
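Review bot: the new BEGIN line in zipdetails carries no comment saying why it exists, so a future cleanup could easily drop it; please add something like `# CVE-2016-1238: drop trailing '.' so Encode's optional Encode::ConfigLocal is never looked up in the cwd` above it. Note also that `pop @INC if $INC[-1] eq '.'` only handles the default trailing entry; a '.' placed elsewhere (PERL5LIB, -I) is left alone, which is fine for the stated goal but worth saying in the comment.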
diff -ru IO-Compress-2.069-orig/lib/IO/Uncompress/AnyUncompress.pm IO-Compress-2.069/lib/IO/Uncompress/AnyUncompress.pm
--- IO-Compress-2.069-orig/lib/IO/Uncompress/AnyUncompress.pm 2015-09-27 04:34:31.000000000 +1000
+++ IO-Compress-2.069/lib/IO/Uncompress/AnyUncompress.pm 2016-07-28 10:08:45.064332089 +1000
@@ -27,6 +27,8 @@
BEGIN
{
+ local @INC = @INC;
+ pop @INC if $INC[-1] eq '.';
eval ' use IO::Uncompress::Adapter::Inflate 2.069 ;';
eval ' use IO::Uncompress::Adapter::Bunzip2 2.069 ;';
eval ' use IO::Uncompress::Adapter::LZO 2.069 ;';
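Review bot: `local @INC = @INC;` correctly scopes the change to this BEGIN block (the string-eval'd `use` lines execute while the block runs, so they see the trimmed path, and the caller's @INC, '.' included, comes back afterwards), but two things should be checked: (1) `pop @INC if $INC[-1] eq '.'` assumes '.' is the last entry, so if anything has been appended after it the cwd remains searchable; `local @INC = grep { $_ ne '.' } @INC;` is the robust form if dropping an explicitly added '.' is acceptable here; (2) any other `eval 'use ...'` or `require` of an optional module outside this block, in this file or in the Adapter modules it probes, still searches '.' and needs the same guard.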