From df7a613c62b790af8062a933e4561badee2394e5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppi...@redhat.com>
Date: Wed, 12 Oct 2016 17:10:18 +0200
Subject: Fix CVE-2016-1238 properly

---
 CPAN-2.14-Fix-CVE-2016-1238-properly.patch | 45 ++++++++++++++++++++++++++++++
 perl-CPAN.spec                             |  8 +++++-
 2 files changed, 52 insertions(+), 1 deletion(-)
 create mode 100644 CPAN-2.14-Fix-CVE-2016-1238-properly.patch

diff --git a/CPAN-2.14-Fix-CVE-2016-1238-properly.patch 
b/CPAN-2.14-Fix-CVE-2016-1238-properly.patch
new file mode 100644
index 0000000..bc5100c
--- /dev/null
+++ b/CPAN-2.14-Fix-CVE-2016-1238-properly.patch
@@ -0,0 +1,45 @@
+From 9b0b275d923418306cb3c45bb380bd9dcc71476c Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppi...@redhat.com>
+Date: Wed, 12 Oct 2016 16:56:41 +0200
+Subject: [PATCH] Fix CVE-2016-1238 properly
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Removing "." from @INC does not work because CPAN module translates
+all relative paths into absolute paths. Check for $INC[-1] eq '.'
+sooner.
+
+Signed-off-by: Petr Písař <ppi...@redhat.com>
+---
+ lib/App/Cpan.pm | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/lib/App/Cpan.pm b/lib/App/Cpan.pm
+index c654c2c..ce7afe5 100644
+--- a/lib/App/Cpan.pm
++++ b/lib/App/Cpan.pm
+@@ -1,5 +1,11 @@
+ package App::Cpan;
+ 
++# CPAN module translantes @INC, CPAN RT#116507
++my $last_inc_is_dot;
++BEGIN {
++    $last_inc_is_dot = $INC[-1] eq '.';
++}
++
+ use strict;
+ use warnings;
+ use vars qw($VERSION);
+@@ -555,7 +561,7 @@ sub _safe_load_module {
+     my $name = shift;
+ 
+     local @INC = @INC;
+-    pop @INC if $INC[-1] eq '.';
++    pop @INC if $last_inc_is_dot;
+ 
+     eval "require $name; 1";
+ }
+-- 
+2.7.4
+
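Review bot: The runtime `pop @INC if $last_inc_is_dot;` in `_safe_load_module` removes whatever is last in `@INC` at call time, while the flag was computed once at compile time in the `BEGIN` block; if anything appends to `@INC` between those two points, the current-directory entry (by then rewritten to an absolute path, per the description) stays in the search path and an unrelated directory is dropped instead. That positional assumption deserves a comment on the `BEGIN` block, e.g. `# Decided before CPAN rewrites @INC; _safe_load_module later pops the (now absolute) last entry, so nothing may append to @INC in between.` The same comment also misspells "translates" as `translantes`. If the rewritten value of the old `.` entry is obtainable where the rewrite happens, filtering `@INC` by that value would be more robust than popping by position, but this hunk does not show where the translation occurs.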
diff --git a/perl-CPAN.spec b/perl-CPAN.spec
index 6724388..05cc4a7 100644
--- a/perl-CPAN.spec
+++ b/perl-CPAN.spec
@@ -1,6 +1,6 @@
 Name:           perl-CPAN
 Version:        2.14
-Release:        1%{?dist}
+Release:        2%{?dist}
 Summary:        Query, download and build perl modules from CPAN sites
 License:        GPL+ or Artistic
 Group:          Development/Libraries
@@ -26,6 +26,8 @@ Patch6:         
CPAN-2.14-CVE-2016-1238-don-t-load-optional-modules-from-defau.p
 Patch7:         
CPAN-2.14-Bugfix-47934-version-requirement-with-was-ignored.patch
 # Cope with non-digit version strings, fixed after 2.14
 Patch8:         CPAN-2.14-accepts_module-must-be-protected-with-an-eval.patch
+# Fix CVE-2016-1238 properly, CPAN RT#116507
+Patch9:         CPAN-2.14-Fix-CVE-2016-1238-properly.patch
 BuildArch:      noarch
 BuildRequires:  coreutils
 BuildRequires:  findutils
@@ -210,6 +212,7 @@ external download clients to fetch distributions from the 
net.
 %patch6 -p1
 %patch7 -p1
 %patch8 -p1
+%patch9 -p1
 # Change configuration name
 find -type f -exec sed -i -e 's/XCPANCONFIGNAMEX/cpan/g' {} \;
 # Remove bundled modules
@@ -236,6 +239,9 @@ make test
 %{_mandir}/man3/*
 
 %changelog
+* Wed Oct 12 2016 Petr Pisar <ppi...@redhat.com> - 2.14-2
+- Fix CVE-2016-1238 properly (CPAN RT#116507)
+
 * Mon Jun 27 2016 Petr Pisar <ppi...@redhat.com> - 2.14-1
 - 2.14 bump
 - Fix installation from a working directory (CPAN RT#115734)
-- 