From fafd08c02eb8be62ce65ff0934755bf400511d19 Mon Sep 17 00:00:00 2001
From: Jitka Plesnikova <jples...@redhat.com>
Date: Tue, 9 Aug 2016 13:34:16 +0200
Subject: Avoid loading optional modules from default . (CVE-2016-1238)

---
 ....22-CVE-2016-1238-avoid-loading-optional-modules-from.patch | 10 ++++++++++
 perl-ExtUtils-MakeMaker.spec                                   |  8 +++++++-
 2 files changed, 17 insertions(+), 1 deletion(-)
 create mode 100644 
ExtUtils-MakeMaker-7.22-CVE-2016-1238-avoid-loading-optional-modules-from.patch

diff --git 
a/ExtUtils-MakeMaker-7.22-CVE-2016-1238-avoid-loading-optional-modules-from.patch
 
b/ExtUtils-MakeMaker-7.22-CVE-2016-1238-avoid-loading-optional-modules-from.patch
new file mode 100644
index 0000000..1979f09
--- /dev/null
+++ 
b/ExtUtils-MakeMaker-7.22-CVE-2016-1238-avoid-loading-optional-modules-from.patch
@@ -0,0 +1,10 @@
+diff -up ExtUtils-MakeMaker-7.10/bin/instmodsh.orig 
ExtUtils-MakeMaker-7.10/bin/instmodsh
+--- ExtUtils-MakeMaker-7.10/bin/instmodsh.orig 2016-08-09 13:23:15.679839890 
+0200
++++ ExtUtils-MakeMaker-7.10/bin/instmodsh      2016-08-09 13:23:45.201703094 
+0200
+@@ -1,5 +1,6 @@
+ #!/usr/bin/perl -w
+ 
++BEGIN { pop @INC if $INC[-1] eq '.' }
+ use strict;
+ use IO::File;
+ use ExtUtils::Packlist;
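Review bot: The `BEGIN` line inserted at the top of `bin/instmodsh` has no comment, yet it only works because it sits before `use strict;`: `use` statements run at compile time in source order, so moving it below them later would silently undo the fix. I would put `# CVE-2016-1238: drop the implicit trailing '.' from @INC before any module is loaded` directly above it. The test removes `.` only when it is the last `@INC` entry, so a `.` added explicitly elsewhere (for example via `PERL5LIB` or `-I`) stays in effect; that looks intended, but the comment should say so. Separately, the patch file is named `...-7.22-...` while its embedded paths say `ExtUtils-MakeMaker-7.10`; it still applies with `%patch5 -p1`, but the name could mislead someone auditing which release the fix was written against.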
diff --git a/perl-ExtUtils-MakeMaker.spec b/perl-ExtUtils-MakeMaker.spec
index 1efde92..eada55d 100644
--- a/perl-ExtUtils-MakeMaker.spec
+++ b/perl-ExtUtils-MakeMaker.spec
@@ -3,7 +3,7 @@
 
 Name:           perl-%{cpan_name}
 Version:        %(echo '%{cpan_version}' | tr _ .)
-Release:        4%{?dist}
+Release:        5%{?dist}
 Summary:        Create a module Makefile
 License:        GPL+ or Artistic
 Group:          Development/Libraries
@@ -20,6 +20,8 @@ Patch2:         %{cpan_name}-7.04-Unbundle-version.patch
 Patch3:         %{cpan_name}-7.00-Unbundle-Encode-Locale.patch
 # Provide maybe_command independently, bug #1129443
 Patch4:         
%{cpan_name}-7.11-Provide-ExtUtils-MM-methods-as-standalone-ExtUtils-M.patch
+# Avoid loading optional modules from default ., CVE-2016-1238
+Patch5:         
%{cpan_name}-7.22-CVE-2016-1238-avoid-loading-optional-modules-from.patch
 BuildArch:      noarch
 BuildRequires:  coreutils
 BuildRequires:  findutils
@@ -153,6 +155,7 @@ is an overkill for small subroutines.
 %patch2 -p1
 %patch3 -p1
 %patch4 -p1
+%patch5 -p1
 # Remove bundled modules
 rm -rf bundled
 sed -i -e '/^bundled\// d' MANIFEST
@@ -199,6 +202,9 @@ make test
 %{_mandir}/man3/ExtUtils::MM::Utils.*
 
 %changelog
+* Tue Aug 09 2016 Jitka Plesnikova <jples...@redhat.com> - 7.10-5
+- Avoid loading optional modules from default . (CVE-2016-1238)
+
 * Fri May 06 2016 Petr Pisar <ppi...@redhat.com> - 7.10-4
 - Provide maybe_command independently (bug #1129443)
 
-- 
cgit v0.12


        
http://pkgs.fedoraproject.org/cgit/perl-ExtUtils-MakeMaker.git/commit/?h=f24&id=fafd08c02eb8be62ce65ff0934755bf400511d19