| Subject: | CVE-2016-1238: avoid loading optional Net::LocalCfg from default . |
Net::Cfg treats Net::LocalCfg as an optional load, if a site does not
have Net::LocalCfg in the standard places perl will attempt to load
it from the . entry in @INC.
If the current directory happens to be world writable (like /tmp) an
attacker can create Net/LocalCfg.pm to run code as any user that
runs code that loads Net::Cfg in that directory.
This patch temporarily removes the default . entry from @INC when
loading Net::LocalCfg to prevent that.
Also available as a pull request:
https://github.com/steve-m-hay/perl-libnet/pull/29
Tony
| Subject: | 0001-CVE-2016-1238-avoid-loading-Net-LocalCfg-from-defaul.patch |
From 0d6c5b25583e098b7b85ff89a9a74f8e7d80ba55 Mon Sep 17 00:00:00 2001
From: Tony Cook <tony@develop-help.com>
Date: Thu, 28 Jul 2016 11:25:58 +1000
Subject: [PATCH] CVE-2016-1238: avoid loading Net::LocalCfg from default .
Net::Cfg treats Net::LocalCfg as an optional load, if a site does not
have Net::LocalCfg in the standard places perl will attempt to load
it from the . entry in @INC.
If the current directory happens to be world writable (like /tmp) an
attacker can create Net/LocalCfg.pm to run code as any user that
runs code that loads Net::Cfg in that directory.
This patch temporarily removes the default . entry from @INC when
loading Net::LocalCfg to prevent that.
---
lib/Net/Config.pm | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/lib/Net/Config.pm b/lib/Net/Config.pm
index 0fb8713..a593538 100644
--- a/lib/Net/Config.pm
+++ b/lib/Net/Config.pm
@@ -24,7 +24,12 @@ our $VERSION = "3.10";
our($CONFIGURE, $LIBNET_CFG);
-eval { local $SIG{__DIE__}; require Net::LocalCfg };
+eval {
+ local @INC = @INC;
+ pop @INC if $INC[-1] eq '.';
+ local $SIG{__DIE__};
+ require Net::LocalCfg;
+};
our %NetConfig = (
nntp_hosts => [],
--
2.1.4