This queue is for tickets about the Sys-Syslog CPAN distribution.

Report information
The Basics
Id: 116543
Status: resolved
Priority: 0/
Queue: Sys-Syslog

People
Owner: Nobody in particular
Requestors: TONYC [...] cpan.org

Bug Information
Fixed in: 0.35



Subject: CVE-2016-1238: avoid loading optional modules from default .
Sys::Syslog treats two modules as optional, attempting to load them and not requiring them (Win32 only.)

If a user runs a program using Sys::Syslog in a world writable directory (like %windir%\Temp) a local attacker can create Win32\EventLog.pm in that directory to run code as the running user.

This patch temporarily removes the default . from @INC to prevent that attack.

Also available as a pull request at: https://github.com/maddingue/Sys-Syslog/pull/7

Tony
Subject: 0001-CVE-2016-1238-avoid-loading-optional-modules-from-de.patch
From 15488839b5e8141d120db913c22fdbada9597b93 Mon Sep 17 00:00:00 2001 From: Tony Cook <tony@develop-help.com> Date: Thu, 28 Jul 2016 13:34:55 +1000 Subject: [PATCH] CVE-2016-1238: avoid loading optional modules from default . Sys::Syslog treats two modules as optional, attemptting to load them and not requiring them (Win32 only.) If a user runs a program using Sys::Syslog in a world writable directory (like %windir%\Temp) a local attacker can create Win32\EventLog.pm in that directory to run code as the running user. This patch temporarily removes the default . from @INC to prevent that attack. --- Syslog.pm | 2 ++ 1 file changed, 2 insertions(+) diff --git a/Syslog.pm b/Syslog.pm index 7978f04..06169a8 100644 --- a/Syslog.pm +++ b/Syslog.pm @@ -918,6 +918,8 @@ sub silent_eval (&) { sub can_load { my ($module, $verbose) = @_; local($SIG{__DIE__}, $SIG{__WARN__}, $@); + local @INC = @INC; + pop @INC if $INC[-1] eq '.'; my $loaded = eval "use $module; 1"; warn $@ if not $loaded and $verbose; return $loaded -- 2.1.4
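Review bot: In can_load, `pop @INC if $INC[-1] eq '.'` strips the current directory only when it is the last @INC entry, and the code carries no comment saying why. Add a one-line comment naming CVE-2016-1238 and stating that only the default trailing '.' is dropped, so a later reader does not "simplify" the two lines away or assume every '.' entry is filtered. Consider `pop @INC if @INC && $INC[-1] eq '.'` so an empty @INC does not compare undef against '.'. The unchanged context line `eval "use $module; 1"` still interpolates $module into a string eval, so it is worth noting in the same comment that can_load must only be called with fixed module names.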
Thanks. Patch applied, then rewrote so that Sys::Syslog::Win32 is loaded from the only valid location. Released in version 0.35. -- Close the world, txEn eht nepO.
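A regression check for the behaviour this ticket describes, as an added example that is not part of the ticket or of Sys::Syslog. It compares an optional loader with and without the two patched lines; the module name `Local::OptionalDemo`, the temporary directory and the marker file are constructed for the test.

```perl
#!/usr/bin/perl
# Added example: regression check for the @INC handling in the patch above.
use strict;
use warnings;
use Cwd qw(getcwd);
use File::Temp qw(tempdir);

my $module = 'Local::OptionalDemo';    # hypothetical optional module (constructed)

# Optional loader with the two lines the patch adds.
sub can_load_patched {
    my ($mod) = @_;
    local $@;
    local @INC = @INC;
    pop @INC if $INC[-1] eq '.';
    my $ok = eval("use $mod; 1");
    return $ok ? 1 : 0;
}

# Same loader without them, i.e. the behaviour before the patch.
sub can_load_unpatched {
    my ($mod) = @_;
    local $@;
    my $ok = eval("use $mod; 1");
    return $ok ? 1 : 0;
}

my $start = getcwd();
my $dir   = tempdir(CLEANUP => 1);     # stands in for a world-writable directory
chdir $dir or die "chdir $dir: $!";

# Place a harmless marker module in the current directory.
mkdir 'Local' or die "mkdir: $!";
open my $fh, '>', 'Local/OptionalDemo.pm' or die "open: $!";
print {$fh} "package Local::OptionalDemo;\nour \$FROM_CWD = 1;\n1;\n";
close $fh or die "close: $!";

# perl 5.26+ no longer appends '.', so restore the old default for the test.
push @INC, '.' unless @INC && $INC[-1] eq '.';

# Patched loader first: a successful load would stay cached in %INC.
my $patched   = can_load_patched($module);
my $unpatched = can_load_unpatched($module);
chdir $start or die "chdir $start: $!";

printf "patched loader found module in cwd:   %s\n", $patched   ? 'yes' : 'no';
printf "unpatched loader found module in cwd: %s\n", $unpatched ? 'yes' : 'no';
die "regression: optional module was loaded from '.'\n" if $patched;
```

The script exits non-zero if the patched loader ever resolves the module from the current directory, so it can run as a test in a build.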