From feec61d87aec7ac8f393c3c44656a7d77a0823eb Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppi...@redhat.com> Date: Wed, 12 Oct 2016 15:02:54 +0200 Subject: Fix CVE-2016-1238 (loading optional modules from current working directory)
This also applies remains of CVE-2016-1238 fix from perl sources and it fixes different logic for locating file from -j argument as provided by Perl porters.
---
...38-don-t-load-optional-modules-from-defau.patch | 82 ++++++++++++++++++++++
CPAN-2.14-Fix-CVE-2016-1238-completely.patch | 63 +++++++++++++++++
...For-cpan-j-make-the-file-an-absolute-path.patch | 52 ++++++++++++++
perl-CPAN.spec | 18 ++++-
4 files changed, 214 insertions(+), 1 deletion(-)
create mode 100644 CPAN-2.14-CVE-2016-1238-don-t-load-optional-modules-from-defau.patch
create mode 100644 CPAN-2.14-Fix-CVE-2016-1238-completely.patch
create mode 100644 CPAN-2.14-For-cpan-j-make-the-file-an-absolute-path.patch
diff --git a/CPAN-2.14-CVE-2016-1238-don-t-load-optional-modules-from-defau.patch b/CPAN-2.14-CVE-2016-1238-don-t-load-optional-modules-from-defau.patch
new file mode 100644
index 0000000..2991056
--- /dev/null
+++ b/CPAN-2.14-CVE-2016-1238-don-t-load-optional-modules-from-defau.patch
@@ -0,0 +1,82 @@
+From 394ac06dc5e9e94a81c39c43135d1635f516422e Mon Sep 17 00:00:00 2001
+From: Tony Cook <t...@develop-help.com>
+Date: Wed, 27 Jul 2016 12:14:13 +1000
+Subject: [PATCH] CVE-2016-1238: don't load optional modules from default .
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+App::Cpan attempts to load several optional modules, which an attacker
+can use if cpan is run from a directory writable by other users, such
+as /tmp.
+
+Signed-off-by: Petr Písař <ppi...@redhat.com>
+---
+ lib/App/Cpan.pm | 21 ++++++++++++++++-----
+ 1 file changed, 16 insertions(+), 5 deletions(-)
+
+diff --git a/lib/App/Cpan.pm b/lib/App/Cpan.pm
+index f43dea9..c654c2c 100644
+--- a/lib/App/Cpan.pm
++++ b/lib/App/Cpan.pm
+@@ -549,9 +549,20 @@ sub AUTOLOAD { 1 }
+ sub DESTROY { 1 }
+ }
+
++# load a module without searching the default entry for the current
++# directory
++sub _safe_load_module {
++ my $name = shift;
++
++ local @INC = @INC;
++ pop @INC if $INC[-1] eq '.';
++
++ eval "require $name; 1";
++}
++
+ sub _init_logger
+ {
+- my $log4perl_loaded = eval "require Log::Log4perl; 1";
++ my $log4perl_loaded = _safe_load_module("Log::Log4perl");
+
+ unless( $log4perl_loaded )
+ {
+@@ -1020,7 +1031,7 @@ sub _load_local_lib # -I
+ {
+ $logger->debug( "Loading local::lib" );
+
+- my $rc = eval { require local::lib; 1; };
++ my $rc = _safe_load_module("local::lib");
+ unless( $rc ) {
+ $logger->die( "Could not load local::lib" );
+ }
+@@ -1160,7 +1171,7 @@ sub _get_file
+ {
+ my $path = shift;
+
+- my $loaded = eval "require LWP::Simple; 1;";
++ my $loaded = _safe_load_module("LWP::Simple");
+ croak "You need LWP::Simple to use features that fetch files from CPAN\n"
+ unless $loaded;
+
+@@ -1182,7 +1193,7 @@ sub _gitify
+ {
+ my $args = shift;
+
+- my $loaded = eval "require Archive::Extract; 1;";
++ my $loaded = _safe_load_module("Archive::Extract");
+ croak "You need Archive::Extract to use features that gitify distributions\n"
+ unless $loaded;
+
+@@ -1245,7 +1256,7 @@ sub _show_Changes
+ sub _get_changes_file
+ {
+ croak "Reading Changes files requires LWP::Simple and URI\n"
+- unless eval "require LWP::Simple; require URI; 1";
++ unless _safe_load_module("LWP::Simple") && _safe_load_module("URI");
+
+ my $url = shift;
+
+--
+2.7.4
+
diff --git a/CPAN-2.14-Fix-CVE-2016-1238-completely.patch b/CPAN-2.14-Fix-CVE-2016-1238-completely.patch
new file mode 100644
index 0000000..f5ac162
--- /dev/null
+++ b/CPAN-2.14-Fix-CVE-2016-1238-completely.patch
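Review bot: `_safe_load_module` (added in lib/App/Cpan.pm) interpolates `$name` straight into a string `eval`, so it is only safe while every caller passes a literal module name, as the call sites in `_init_logger`, `_load_local_lib`, `_get_file`, `_gitify` and `_get_changes_file` do here. I would add `return unless $name =~ /\A\w+(?:::\w+)*\z/;` before the `eval` and extend the comment above the sub to say that it returns true on success and false with the error left in `$@`. The `pop @INC if $INC[-1] eq '.'` guard removes only a trailing `.`, which appears to be intentional (an explicitly configured `.` stays), and that is worth stating in the same comment.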
@@ -0,0 +1,63 @@
+From 705b9f68906d584e2d0bf9c2fd634778f1ba9b35 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppi...@redhat.com>
+Date: Tue, 18 Oct 2016 14:35:09 +0200
+Subject: [PATCH] Fix CVE-2016-1238 completely
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+These are remains ported from perl-v5.24.1-RC4 commit:
+
+commit 5f66e9fffdc3d0c6e0846cd1f11298e70c786c30
+Author: Tony Cook <t...@develop-help.com>
+Date: Tue Jun 21 10:02:02 2016 +1000
+
+ (perl #127834) remove . from the end of @INC if complex modules are loaded
+
+ While currently Encode and Storable are know to attempt to load modules
+ not included in the core, updates to other modules may lead to those
+ also attempting to load new modules, so be safe and remove . for those
+ as well.
+
+Signed-off-by: Petr Písař <ppi...@redhat.com>
+---
+ lib/CPAN.pm | 4 ++++
+ scripts/cpan | 1 +
+ 2 files changed, 5 insertions(+)
+
+diff --git a/lib/CPAN.pm b/lib/CPAN.pm
+index 69cc7b8..ae66eaf 100644
+--- a/lib/CPAN.pm
++++ b/lib/CPAN.pm
+@@ -1128,6 +1128,8 @@ sub has_usable {
+ ]
+ };
+ if ($usable->{$mod}) {
++ local @INC = @INC;
++ pop @INC if $INC[-1] eq '.';
+ for my $c (0..$#{$usable->{$mod}}) {
+ my $code = $usable->{$mod}[$c];
+ my $ret = eval { &$code() };
+@@ -1170,6 +1172,8 @@ sub has_inst {
+ $CPAN::META->{dontload_hash}{$mod}||=1; # unsafe meta access, ok
+ return 0;
+ }
++ local @INC = @INC;
++ pop @INC if $INC[-1] eq '.';
+ my $file = $mod;
+ my $obj;
+ $file =~ s|::|/|g;
+diff --git a/scripts/cpan b/scripts/cpan
+index 5555090..cceab30 100644
+--- a/scripts/cpan
++++ b/scripts/cpan
+@@ -1,5 +1,6 @@
+ #!/usr/local/bin/perl
+
++BEGIN { pop @INC if $INC[-1] eq '.' }
+ use strict;
+ use vars qw($VERSION);
+
+--
+2.7.4
+
diff --git a/CPAN-2.14-For-cpan-j-make-the-file-an-absolute-path.patch b/CPAN-2.14-For-cpan-j-make-the-file-an-absolute-path.patch
new file mode 100644
index 0000000..c8fc0ee
--- /dev/null
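Review bot: The two `local @INC = @INC; pop @INC if $INC[-1] eq '.';` pairs added to `has_usable` and `has_inst` in lib/CPAN.pm have no comment, so a later cleanup could take them for dead code. A line such as `# CVE-2016-1238: do not search the default trailing '.' in @INC while probing optional modules` above each pair would record the reason. In scripts/cpan the `BEGIN` block has to stay ahead of the first `use` to cover compile-time loads, which also deserves a short comment. Both subs start and end outside their hunks, so this is judged from the visible lines only.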
+++ b/CPAN-2.14-For-cpan-j-make-the-file-an-absolute-path.patch
@@ -0,0 +1,52 @@
+From 8b3473d00f9490f8ee07425ef44b23c6f72a8938 Mon Sep 17 00:00:00 2001
+From: brian d foy <brian.d....@gmail.com>
+Date: Tue, 18 Oct 2016 16:02:51 -0400
+Subject: [PATCH] For cpan -j, make the file an absolute path
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This is an additional fix for rt.cpan.org #116507.
+Since . will not be in @INC, we can't assume we are
+loading from the current directory (although that's
+a very likely situation for -j). Take whatever
+argument we get and expand it to an absolute path.
+
+Signed-off-by: Petr Písař <ppi...@redhat.com>
+---
+ lib/App/Cpan.pm | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/lib/App/Cpan.pm b/lib/App/Cpan.pm
+index 6561bd4..a9e73cd 100644
+--- a/lib/App/Cpan.pm
++++ b/lib/App/Cpan.pm
+@@ -291,7 +291,7 @@ use CPAN 1.80 (); # needs no test
+ use Config;
+ use autouse Cwd => qw(cwd);
+ use autouse 'Data::Dumper' => qw(Dumper);
+-use File::Spec::Functions;
++use File::Spec::Functions qw(catfile file_name_is_absolute rel2abs);
+ use File::Basename;
+ use Getopt::Std;
+
+@@ -1095,12 +1095,14 @@ sub _shell
+
+ sub _load_config # -j
+ {
+- my $file = shift || '';
++ my $argument = shift;
++
++ my $file = file_name_is_absolute( $argument ) ? $argument : rel2abs( $argument );
++ croak( "cpan config file [$file] for -j does not exist!\n" ) unless -e $file;
+
+ # should I clear out any existing config here?
+ $CPAN::Config = {};
+ delete $INC{'CPAN/Config.pm'};
+- croak( "Config file [$file] does not exist!\n" ) unless -e $file;
+
+ my $rc = eval "require '$file'";
+
+--
+2.7.4
+
diff --git a/perl-CPAN.spec b/perl-CPAN.spec
index 75aebbc..85784a0 100644
--- a/perl-CPAN.spec
+++ b/perl-CPAN.spec
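Review bot: `my $rc = eval "require '$file'";` (a context line at the end of the `_load_config` hunk) still builds Perl source from `$file`, and after this change `$file` can include the current directory name via `rel2abs`, so a single quote anywhere in that path ends the quoted string inside the eval. Passing the path as data avoids that: `my $rc = eval { require $file };`. Separately, dropping the `|| ''` default means an undefined argument now reaches `file_name_is_absolute` and `rel2abs`; whether that can happen depends on option parsing outside the hunk, so a `croak` on an undefined or empty `$argument` would make the failure explicit. The rest of `_load_config` lies outside the hunk.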
@@ -2,7 +2,7 @@ Name: perl-CPAN Version: 2.11 -Release: 349%{?dist} +Release: 350%{?dist} Summary: Query, download and build perl modules from CPAN sites License: GPL+ or Artistic Group: Development/Libraries @@ -14,6 +14,15 @@ Patch0: CPAN-2.10-Upgrade-to-2.11.patch Patch1: CPAN-2.11-Attemp-to-create-site-library-directories-on-first-t.patch # Change configuration directory name Patch2: CPAN-2.11-Replace-configuration-directory-string-with-a-marke.patch +# Fix CVE-2016-1238 (loading optional modules from current working directory), +# CPAN RT#116507, fixed after 2.14 +Patch3: CPAN-2.14-CVE-2016-1238-don-t-load-optional-modules-from-defau.patch +# Fix CVE-2016-1238 completely, CPAN RT#116507 +Patch4: CPAN-2.14-Fix-CVE-2016-1238-completely.patch +# Do not search cpan -j file in @INC, required for +# Fix-CVE-2016-1238-completely.patch, CPAN RT#116507, proposed in +# <https://github.com/andk/cpanpm/pull/105> +Patch5: CPAN-2.14-For-cpan-j-make-the-file-an-absolute-path.patch BuildArch: noarch BuildRequires: coreutils BuildRequires: findutils @@ -187,6 +196,9 @@ external download clients to fetch distributions from the net. %patch0 -p1 %patch1 -p1 %patch2 -p1 +%patch3 -p1 +%patch4 -p1 +%patch5 -p1 # Change configuration name find -type f -exec sed -i -e 's/XCPANCONFIGNAMEX/cpan/g' {} \; # Remove bundled modules 
@@ -213,6 +225,10 @@ make test %{_mandir}/man3/* %changelog +* Mon Jan 09 2017 Petr Pisar <ppi...@redhat.com> - 2.11-350 +- Fix CVE-2016-1238 (loading optional modules from current working directory) +- Do not search cpan -j file in @INC (CPAN RT#116507) + * Thu Feb 04 2016 Fedora Release Engineering <rel...@fedoraproject.org> - 2.11-349 - Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild -- cgit v0.12 http://pkgs.fedoraproject.org/cgit/perl-CPAN.git/commit/?h=f24&id=feec61d87aec7ac8f393c3c44656a7d77a0823eb _______________________________________________ perl-devel mailing list -- perl-devel@lists.fedoraproject.org To unsubscribe send an email to perl-devel-le...@lists.fedoraproject.org