Subject: CVE-2016-1238: avoid loading optional modules from default .
App::Prove (and hence prove) attempts to load plugins under both
the App::Prove::Plugin namespace and under the base namespace.
If a plugin is only available under the base namespace, and a user runs
prove from a world-writable directory such as /tmp, an attacker can
App/Prove/Plugin/PluginName.pm to run code as the user running prove.
The attached patch removes the default . from @INC for compilation and
execution of prove to prevent this.
Patch also available as a pull request:
https://github.com/Perl-Toolchain-Gang/Test-Harness/pull/53
Tony
Subject: 0001-CVE-2016-1238-avoid-loading-optional-modules-from-de.patch
From 59697efbfe58a2a9c2cc2aba11eca2acb64b27a8 Mon Sep 17 00:00:00 2001
From: Tony Cook <tony@develop-help.com>
Date: Thu, 28 Jul 2016 14:18:12 +1000
Subject: [PATCH] CVE-2016-1238: avoid loading optional modules from default .
App::Prove (and hence prove) attempts to load plugins under both
the App::Prove::Plugin namespace and under the base namespace.
If a plugin is only available under the base namespace, and a user runs
prove from a world-writable directory such as /tmp, an attacker can
App/Prove/Plugin/PluginName.pm to run code as the user running prove.
---
bin/prove | 1 +
1 file changed, 1 insertion(+)
diff --git a/bin/prove b/bin/prove
index 6637cc4..d71b238 100755
--- a/bin/prove
+++ b/bin/prove
@@ -1,5 +1,6 @@
#!/usr/bin/perl -w
+BEGIN { pop @INC if $INC[-1] eq '.' }
use strict;
use warnings;
use App::Prove;
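Review bot: The added BEGIN line at the top of bin/prove has no comment saying why the trailing '.' is dropped, and the diffstat shows only bin/prove changing, so there is no documentation or test update with it. A one-line comment naming CVE-2016-1238 would stop a later cleanup from removing what looks like a stray `pop @INC`. Because @INC is global, the pop also affects every later module load in the process, including plugins that a user intentionally keeps in the current directory; those will now fail to load, so the prove documentation should say that the current directory has to be added to the search path explicitly. The test `$INC[-1] eq '.'` only removes a '.' in the last position, which matches the default entry and leaves alone any '.' the user put earlier in @INC on purpose; stating that intent in the comment would help. A regression test that places a dummy plugin module in the working directory and checks that prove does not load it would pin the behaviour.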
--
2.1.4