From 793e94a60d04059f339cac006c465a2d0ee5d2d7 Mon Sep 17 00:00:00 2001
From: Jitka Plesnikova <jples...@redhat.com>
Date: Tue, 9 Aug 2016 13:44:08 +0200
Subject: Avoid loading optional modules from default . (CVE-2016-1238)

---
 ....22-CVE-2016-1238-avoid-loading-optional-modules-from.patch | 10 ++++++++++
 perl-ExtUtils-MakeMaker.spec                                   |  8 +++++++-
 2 files changed, 17 insertions(+), 1 deletion(-)
 create mode 100644 
ExtUtils-MakeMaker-7.22-CVE-2016-1238-avoid-loading-optional-modules-from.patch

diff --git 
a/ExtUtils-MakeMaker-7.22-CVE-2016-1238-avoid-loading-optional-modules-from.patch
 
b/ExtUtils-MakeMaker-7.22-CVE-2016-1238-avoid-loading-optional-modules-from.patch
new file mode 100644
index 0000000..40562cb
--- /dev/null
+++ 
b/ExtUtils-MakeMaker-7.22-CVE-2016-1238-avoid-loading-optional-modules-from.patch
@@ -0,0 +1,10 @@
+diff -up ExtUtils-MakeMaker-7.04/bin/instmodsh.orig 
ExtUtils-MakeMaker-7.04/bin/instmodsh
+--- ExtUtils-MakeMaker-7.04/bin/instmodsh.orig 2016-08-09 13:35:42.181380825 
+0200
++++ ExtUtils-MakeMaker-7.04/bin/instmodsh      2016-08-09 13:36:20.148204898 
+0200
+@@ -1,5 +1,6 @@
+ #!/usr/bin/perl -w
+ 
++BEGIN { pop @INC if $INC[-1] eq '.' }
+ use strict;
+ use IO::File;
+ use ExtUtils::Packlist;
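Review bot: The added `BEGIN { pop @INC if $INC[-1] eq '.' }` line in the embedded instmodsh patch has no comment explaining why it must stay ahead of the `use` lines, so a later cleanup could reorder or drop it. I would put `# CVE-2016-1238: drop the implicit trailing '.' from @INC before any module is loaded` directly above it. The guard only removes '.' when it is the last @INC entry, so a '.' that arrives earlier in the list (for example through PERL5LIB or -I) is kept; that looks deliberate, but the comment should say so. The patch file name carries 7.22 while the paths inside it are ExtUtils-MakeMaker-7.04, presumably because the name follows the upstream version; a word on that in the spec comment above Patch6 would help. The rest of instmodsh lies outside this hunk, so whether any module is loaded at run time after @INC is changed again cannot be checked from here.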
diff --git a/perl-ExtUtils-MakeMaker.spec b/perl-ExtUtils-MakeMaker.spec
index 7afd4f7..54a894a 100644
--- a/perl-ExtUtils-MakeMaker.spec
+++ b/perl-ExtUtils-MakeMaker.spec
@@ -3,7 +3,7 @@
 
 Name:           perl-%{cpan_name}
 Version:        %(echo '%{cpan_version}' | tr _ .)
-Release:        348%{?dist}
+Release:        349%{?dist}
 Summary:        Create a module Makefile
 License:        GPL+ or Artistic
 Group:          Development/Libraries
@@ -22,6 +22,8 @@ Patch3:         
ExtUtils-MakeMaker-7.00-Unbundle-Encode-Locale.patch
 Patch4:         
ExtUtils-MakeMaker-7.02-Write-UTF-8-encoded-chunk-if-Locale-Encode-is-not-av.patch
 # Provide maybe_command independently, bug #1129443
 Patch5:         
%{cpan_name}-7.11-Provide-ExtUtils-MM-methods-as-standalone-ExtUtils-M.patch
+# Avoid loading optional modules from default ., CVE-2016-1238
+Patch6:         
%{cpan_name}-7.22-CVE-2016-1238-avoid-loading-optional-modules-from.patch
 BuildArch:      noarch
 BuildRequires:  perl
 # Makefile.Pl uses ExtUtils::MakeMaker from ./lib
@@ -129,6 +131,7 @@ is an overkill for small subroutines.
 %patch3 -p1
 %patch4 -p1
 %patch5 -p1
+%patch6 -p1
 # Remove bundled modules
 rm -rf bundled
 sed -i -e '/^bundled\// d' MANIFEST
@@ -169,6 +172,9 @@ make test
 %{_mandir}/man3/ExtUtils::MM::Utils.*
 
 %changelog
+* Tue Aug 09 2016 Jitka Plesnikova <jples...@redhat.com> - 7.04-349
+- Avoid loading optional modules from default . (CVE-2016-1238)
+
 * Fri May 06 2016 Petr Pisar <ppi...@redhat.com> - 7.04-348
 - Provide maybe_command independently (bug #1129443)
 
-- 
cgit v0.12


        
http://pkgs.fedoraproject.org/cgit/perl-ExtUtils-MakeMaker.git/commit/?h=f23&id=793e94a60d04059f339cac006c465a2d0ee5d2d7
--
Fedora Extras Perl SIG
http://www.fedoraproject.org/wiki/Extras/SIGs/Perl
perl-devel mailing list
perl-devel@lists.fedoraproject.org
https://lists.fedoraproject.org/admin/lists/perl-devel@lists.fedoraproject.org
