
This queue is for tickets about the Pod-Perldoc CPAN distribution.

Report information
The Basics
Id: 116542
Status: resolved
Priority: 0/
Queue: Pod-Perldoc

People
Owner: Nobody in particular
Requestors: TONYC [...] cpan.org
Cc:
AdminCc:

Bug Information
Severity: (no value)
Broken in: (no value)
Fixed in: (no value)



Subject: CVE-2016-1238: avoid loading optional modules from default .
Pod::Perldoc attempts to load various modules optionally, which, with perl's default . at the end of @INC, means that if a user runs perldoc in a world-writable directory such as /tmp, an attacker can create that module under /tmp to run code as the user of perldoc.

The attached patch avoids two instances of this in Pod::Perldoc by temporarily removing the default . from the end of @INC.

Also available as a pull request:

https://github.com/mrallen1/Pod-Perldoc/pull/26

Tony
On Wed Jul 27 23:20:27 2016, TONYC wrote:
> Also available as a pull request:
>
> https://github.com/mrallen1/Pod-Perldoc/pull/26
Merged the PR and released 3.26 to CPAN. Thank you for the patch!
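
The mitigation described in the ticket, as an added Perl example (this is not the attached patch and not Pod::Perldoc's own code): an optional `require` runs with the trailing `.` dropped from a localized copy of `@INC`. The helper name `optional_require` and the module `Local::OptionalDemo` are hypothetical, and the demo module is constructed in a temporary directory.

```perl
use strict;
use warnings;
use Cwd qw(getcwd);
use File::Temp qw(tempdir);

# Hypothetical helper (not Pod::Perldoc's code): load an optional module with
# the trailing "." entry removed from @INC for the duration of the call.
sub optional_require {
    my ($module) = @_;

    # Accept only a plain package name before turning it into a file path.
    return 0 unless $module =~ /\A[A-Za-z_]\w*(?:::\w+)*\z/;

    # local restores the caller's @INC on return, even if require dies.
    local @INC = @INC;
    pop @INC if @INC && $INC[-1] eq '.';

    (my $file = "$module.pm") =~ s{::}{/}g;
    return eval { require $file; 1 } ? 1 : 0;
}

# Constructed test fixture: a harmless module that only sets a flag, placed
# in a temporary directory that then becomes the current directory.
our $loaded_from_cwd = 0;
my $dir = tempdir(CLEANUP => 1);
mkdir "$dir/Local" or die "mkdir: $!";
open my $fh, '>', "$dir/Local/OptionalDemo.pm" or die "open: $!";
print {$fh} "package Local::OptionalDemo;\n\$main::loaded_from_cwd = 1;\n1;\n";
close $fh or die "close: $!";

my $start = getcwd();
chdir $dir or die "chdir: $!";

# Recreate the pre-5.26 default; newer perls no longer append "." themselves.
push @INC, '.' unless @INC && $INC[-1] eq '.';

for my $module ('Local::OptionalDemo', 'File::Spec') {
    printf "%-20s %s\n", $module,
        optional_require($module) ? 'loaded' : 'not loaded';
}
print "module in cwd executed: ", ($loaded_from_cwd ? 'yes' : 'no'), "\n";
print "caller's \@INC still ends in '.': ", ($INC[-1] eq '.' ? 'yes' : 'no'), "\n";

chdir $start or die "chdir: $!";
```

The helper strips only a `.` that is the last entry of `@INC`, matching the ticket's description; a `.` placed earlier in the list through `-I` or `PERL5LIB` is left in place.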