Subject: CVE-2016-1238: avoid loading optional Locale::Maketext::Lexicon from default .
Locale::Maketext::Simple treats Locale::Maketext::Lexicon as an optional module.
If Locale::Maketext::Lexicon is not installed, and a process using Locale::Maketext::Simple is run from a world-writable directory (like /tmp), a local
attacker can create Local/Maketext/Simple.pm in that directory to run code
as the other user.
The attached patch prevents that attack by removing the default "." from the end of @INC temporarily while loading Locale::Maketext::Lexicon.
Tony
Subject: Locale-Maketext-Simple-CVE-2016-1238.patch
diff -ru Locale-Maketext-Simple-0.21-orig/lib/Locale/Maketext/Simple.pm Locale-Maketext-Simple-0.21/lib/Locale/Maketext/Simple.pm
--- Locale-Maketext-Simple-0.21-orig/lib/Locale/Maketext/Simple.pm 2009-08-18 00:05:27.000000000 +1000
+++ Locale-Maketext-Simple-0.21/lib/Locale/Maketext/Simple.pm 2016-07-28 11:31:43.525178896 +1000
@@ -134,7 +134,12 @@
my $pkg = join('::', grep { defined and length } $args{Class}, $args{Subclass});
return $Loc{$pkg} if exists $Loc{$pkg};
- eval { require Locale::Maketext::Lexicon; 1 } or return;
+ eval {
+ local @INC = @INC;
+ pop @INC if $INC[-1] eq '.';
+ require Locale::Maketext::Lexicon;
+ 1
+ } or return;
$Locale::Maketext::Lexicon::VERSION > 0.20 or return;
eval { require File::Spec; 1 } or return;
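Review bot: the `pop @INC if $INC[-1] eq '.';` line in the new eval block carries no comment explaining why the trailing "." is dropped, so a later cleanup could collapse the block back to the one-line `require`. A short comment naming CVE-2016-1238 above `local @INC = @INC;` would prevent that. The same line also reads `$INC[-1]` without checking that @INC is non-empty, which raises an uninitialized-value warning under `use warnings` when @INC is empty; `pop @INC if @INC && $INC[-1] eq '.';` avoids it. The `require File::Spec` on the context line below still runs with the unmodified @INC. File::Spec is a core module and would normally be found before ".", but if the intent is to cover every optional load in this sub, the localized @INC needs to span both evals.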