Skip Menu |

This queue is for tickets about the Test-Harness CPAN distribution.

Report information
The Basics
Id: 116545
Status: new
Priority: 0/
Queue: Test-Harness

People
Owner: Nobody in particular
Requestors: TONYC [...] cpan.org
Cc:
AdminCc:

Bug Information
Severity: (no value)
Broken in: (no value)
Fixed in: (no value)



Subject: CVE-2016-1238: avoid loading optional modules from default .
App::Prove (and hence prove) attempts to load plugins under both the App::Prove::Plugin namespace and under the base namespace. If a plugin is only available under the base namespace, and a user runs prove from a world-writable directory such as /tmp, an attacker can App/Prove/Plugin/PluginName.pm to run code as the user running prove. The attached patch removes the default . from @INC for compilation and execution of prove to prevent this. Patch also available as a pull request: https://github.com/Perl-Toolchain-Gang/Test-Harness/pull/53 Tony
Subject: 0001-CVE-2016-1238-avoid-loading-optional-modules-from-de.patch
From 59697efbfe58a2a9c2cc2aba11eca2acb64b27a8 Mon Sep 17 00:00:00 2001 From: Tony Cook <tony@develop-help.com> Date: Thu, 28 Jul 2016 14:18:12 +1000 Subject: [PATCH] CVE-2016-1238: avoid loading optional modules from default . App::Prove (and hence prove) attempts to load plugins under both the App::Prove::Plugin namespace and under the base namespace. If a plugin is only available under the base namespace, and a user runs prove from a world-writable directory such as /tmp, an attacker can App/Prove/Plugin/PluginName.pm to run code as the user running prove. --- bin/prove | 1 + 1 file changed, 1 insertion(+) diff --git a/bin/prove b/bin/prove index 6637cc4..d71b238 100755 --- a/bin/prove +++ b/bin/prove @@ -1,5 +1,6 @@ #!/usr/bin/perl -w +BEGIN { pop @INC if $INC[-1] eq '.' } use strict; use warnings; use App::Prove; -- 2.1.4