Subject: | CVE-2016-1238: avoid loading optional modules from default . |
Sys::Syslog treats two modules as optional, attemptting to load them
and not requiring them (Win32 only.)
If a user runs a program using Sys::Syslog in a world writable
directory (like %windir%\Temp) a local attacker can create
Win32\EventLog.pm in that directory to run code as the running user.
This patch temporarily removes the default . from @INC to prevent
that attack.
Also available as a pull request at:
https://github.com/maddingue/Sys-Syslog/pull/7
Tony
Subject: | 0001-CVE-2016-1238-avoid-loading-optional-modules-from-de.patch |
From 15488839b5e8141d120db913c22fdbada9597b93 Mon Sep 17 00:00:00 2001
From: Tony Cook <tony@develop-help.com>
Date: Thu, 28 Jul 2016 13:34:55 +1000
Subject: [PATCH] CVE-2016-1238: avoid loading optional modules from default .
Sys::Syslog treats two modules as optional, attemptting to load them
and not requiring them (Win32 only.)
If a user runs a program using Sys::Syslog in a world writable
directory (like %windir%\Temp) a local attacker can create
Win32\EventLog.pm in that directory to run code as the running user.
This patch temporarily removes the default . from @INC to prevent
that attack.
---
Syslog.pm | 2 ++
1 file changed, 2 insertions(+)
diff --git a/Syslog.pm b/Syslog.pm
index 7978f04..06169a8 100644
--- a/Syslog.pm
+++ b/Syslog.pm
@@ -918,6 +918,8 @@ sub silent_eval (&) {
sub can_load {
my ($module, $verbose) = @_;
local($SIG{__DIE__}, $SIG{__WARN__}, $@);
+ local @INC = @INC;
+ pop @INC if $INC[-1] eq '.';
my $loaded = eval "use $module; 1";
warn $@ if not $loaded and $verbose;
return $loaded
--
2.1.4