From feec61d87aec7ac8f393c3c44656a7d77a0823eb Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppi...@redhat.com>
Date: Wed, 12 Oct 2016 15:02:54 +0200
Subject: Fix CVE-2016-1238 (loading optional modules from current working
 directory)

This also applies the remaining parts of the CVE-2016-1238 fix from the
perl sources, and it fixes the different logic for locating the file
from the -j argument, as provided by Perl porters.
---
 ...38-don-t-load-optional-modules-from-defau.patch | 82 ++++++++++++++++++++++
 CPAN-2.14-Fix-CVE-2016-1238-completely.patch       | 63 +++++++++++++++++
 ...For-cpan-j-make-the-file-an-absolute-path.patch | 52 ++++++++++++++
 perl-CPAN.spec                                     | 18 ++++-
 4 files changed, 214 insertions(+), 1 deletion(-)
 create mode 100644 
CPAN-2.14-CVE-2016-1238-don-t-load-optional-modules-from-defau.patch
 create mode 100644 CPAN-2.14-Fix-CVE-2016-1238-completely.patch
 create mode 100644 CPAN-2.14-For-cpan-j-make-the-file-an-absolute-path.patch

diff --git 
a/CPAN-2.14-CVE-2016-1238-don-t-load-optional-modules-from-defau.patch 
b/CPAN-2.14-CVE-2016-1238-don-t-load-optional-modules-from-defau.patch
new file mode 100644
index 0000000..2991056
--- /dev/null
+++ b/CPAN-2.14-CVE-2016-1238-don-t-load-optional-modules-from-defau.patch
@@ -0,0 +1,82 @@
+From 394ac06dc5e9e94a81c39c43135d1635f516422e Mon Sep 17 00:00:00 2001
+From: Tony Cook <t...@develop-help.com>
+Date: Wed, 27 Jul 2016 12:14:13 +1000
+Subject: [PATCH] CVE-2016-1238: don't load optional modules from default .
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+App::Cpan attempts to load several optional modules, which an attacker
+can use if cpan is run from a directory writable by other users, such
+as /tmp.
+
+Signed-off-by: Petr Písař <ppi...@redhat.com>
+---
+ lib/App/Cpan.pm | 21 ++++++++++++++++-----
+ 1 file changed, 16 insertions(+), 5 deletions(-)
+
+diff --git a/lib/App/Cpan.pm b/lib/App/Cpan.pm
+index f43dea9..c654c2c 100644
+--- a/lib/App/Cpan.pm
++++ b/lib/App/Cpan.pm
+@@ -549,9 +549,20 @@ sub AUTOLOAD { 1 }
+ sub DESTROY { 1 }
+ }
+ 
++# load a module without searching the default entry for the current
++# directory
++sub _safe_load_module {
++    my $name = shift;
++
++    local @INC = @INC;
++    pop @INC if $INC[-1] eq '.';
++
++    eval "require $name; 1";
++}
++
+ sub _init_logger
+       {
+-      my $log4perl_loaded = eval "require Log::Log4perl; 1";
++      my $log4perl_loaded = _safe_load_module("Log::Log4perl");
+ 
+     unless( $log4perl_loaded )
+         {
+@@ -1020,7 +1031,7 @@ sub _load_local_lib # -I
+       {
+       $logger->debug( "Loading local::lib" );
+ 
+-      my $rc = eval { require local::lib; 1; };
++      my $rc = _safe_load_module("local::lib");
+       unless( $rc ) {
+               $logger->die( "Could not load local::lib" );
+               }
+@@ -1160,7 +1171,7 @@ sub _get_file
+       {
+       my $path = shift;
+ 
+-      my $loaded = eval "require LWP::Simple; 1;";
++      my $loaded = _safe_load_module("LWP::Simple");
+       croak "You need LWP::Simple to use features that fetch files from 
CPAN\n"
+               unless $loaded;
+ 
+@@ -1182,7 +1193,7 @@ sub _gitify
+       {
+       my $args = shift;
+ 
+-      my $loaded = eval "require Archive::Extract; 1;";
++      my $loaded = _safe_load_module("Archive::Extract");
+       croak "You need Archive::Extract to use features that gitify 
distributions\n"
+               unless $loaded;
+ 
+@@ -1245,7 +1256,7 @@ sub _show_Changes
+ sub _get_changes_file
+       {
+       croak "Reading Changes files requires LWP::Simple and URI\n"
+-              unless eval "require LWP::Simple; require URI; 1";
++              unless _safe_load_module("LWP::Simple") && 
_safe_load_module("URI");
+ 
+     my $url = shift;
+ 
+-- 
+2.7.4
+
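Review bot: `_safe_load_module` interpolates `$name` straight into a string eval, and nothing in the helper constrains what that string may contain. Every call site visible in this patch passes a literal module name, so no external input reaches it here, but a guard such as `return unless $name =~ /\A\w+(?:::\w+)*\z/;` before the eval would keep that true for future callers. The comment above the sub should also state two limits of the helper: only a trailing `.` is dropped, and `local` restores `@INC` on return. Anything the optional module requires lazily after the call is therefore searched with the original `@INC`, unless the entry script has already removed `.`.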
diff --git a/CPAN-2.14-Fix-CVE-2016-1238-completely.patch 
b/CPAN-2.14-Fix-CVE-2016-1238-completely.patch
new file mode 100644
index 0000000..f5ac162
--- /dev/null
+++ b/CPAN-2.14-Fix-CVE-2016-1238-completely.patch
@@ -0,0 +1,63 @@
+From 705b9f68906d584e2d0bf9c2fd634778f1ba9b35 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppi...@redhat.com>
+Date: Tue, 18 Oct 2016 14:35:09 +0200
+Subject: [PATCH] Fix CVE-2016-1238 completely
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+These are remains ported from perl-v5.24.1-RC4 commit:
+
+commit 5f66e9fffdc3d0c6e0846cd1f11298e70c786c30
+Author: Tony Cook <t...@develop-help.com>
+Date:   Tue Jun 21 10:02:02 2016 +1000
+
+    (perl #127834) remove . from the end of @INC if complex modules are loaded
+
+    While currently Encode and Storable are know to attempt to load modules
+    not included in the core, updates to other modules may lead to those
+    also attempting to load new modules, so be safe and remove . for those
+    as well.
+
+Signed-off-by: Petr Písař <ppi...@redhat.com>
+---
+ lib/CPAN.pm  | 4 ++++
+ scripts/cpan | 1 +
+ 2 files changed, 5 insertions(+)
+
+diff --git a/lib/CPAN.pm b/lib/CPAN.pm
+index 69cc7b8..ae66eaf 100644
+--- a/lib/CPAN.pm
++++ b/lib/CPAN.pm
+@@ -1128,6 +1128,8 @@ sub has_usable {
+                                ]
+               };
+     if ($usable->{$mod}) {
++        local @INC = @INC;
++        pop @INC if $INC[-1] eq '.';
+         for my $c (0..$#{$usable->{$mod}}) {
+             my $code = $usable->{$mod}[$c];
+             my $ret = eval { &$code() };
+@@ -1170,6 +1172,8 @@ sub has_inst {
+       $CPAN::META->{dontload_hash}{$mod}||=1; # unsafe meta access, ok
+       return 0;
+     }
++    local @INC = @INC;
++    pop @INC if $INC[-1] eq '.';
+     my $file = $mod;
+     my $obj;
+     $file =~ s|::|/|g;
+diff --git a/scripts/cpan b/scripts/cpan
+index 5555090..cceab30 100644
+--- a/scripts/cpan
++++ b/scripts/cpan
+@@ -1,5 +1,6 @@
+ #!/usr/local/bin/perl
+ 
++BEGIN { pop @INC if $INC[-1] eq '.' }
+ use strict;
+ use vars qw($VERSION);
+ 
+-- 
+2.7.4
+
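Review bot: The two lines added to `has_usable` and `has_inst` carry no comment, so a later cleanup could remove them without realising they are the CVE-2016-1238 mitigation. I would add `# CVE-2016-1238: do not search the default trailing "." while probing optional modules` above each `local @INC = @INC;`. The same pair of statements also appears in `_safe_load_module` in the App::Cpan patch, so a shared helper would keep the three copies from drifting apart. The check only looks at `$INC[-1]`, so a `.` placed elsewhere in `@INC` is deliberately left alone, which is worth stating in the comment. Both function bodies start and end outside the hunks shown.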
diff --git a/CPAN-2.14-For-cpan-j-make-the-file-an-absolute-path.patch 
b/CPAN-2.14-For-cpan-j-make-the-file-an-absolute-path.patch
new file mode 100644
index 0000000..c8fc0ee
--- /dev/null
+++ b/CPAN-2.14-For-cpan-j-make-the-file-an-absolute-path.patch
@@ -0,0 +1,52 @@
+From 8b3473d00f9490f8ee07425ef44b23c6f72a8938 Mon Sep 17 00:00:00 2001
+From: brian d foy <brian.d....@gmail.com>
+Date: Tue, 18 Oct 2016 16:02:51 -0400
+Subject: [PATCH] For cpan -j, make the file an absolute path
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This is an additional fix for rt.cpan.org #116507.
+Since . will not be in @INC, we can't assume we are
+loading from the current directory (although that's
+a very likely situation for -j). Take whatever
+argument we get and expand it to an absolute path.
+
+Signed-off-by: Petr Písař <ppi...@redhat.com>
+---
+ lib/App/Cpan.pm | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/lib/App/Cpan.pm b/lib/App/Cpan.pm
+index 6561bd4..a9e73cd 100644
+--- a/lib/App/Cpan.pm
++++ b/lib/App/Cpan.pm
+@@ -291,7 +291,7 @@ use CPAN 1.80 (); # needs no test
+ use Config;
+ use autouse Cwd => qw(cwd);
+ use autouse 'Data::Dumper' => qw(Dumper);
+-use File::Spec::Functions;
++use File::Spec::Functions qw(catfile file_name_is_absolute rel2abs);
+ use File::Basename;
+ use Getopt::Std;
+ 
+@@ -1095,12 +1095,14 @@ sub _shell
+ 
+ sub _load_config # -j
+       {
+-      my $file = shift || '';
++      my $argument = shift;
++
++      my $file = file_name_is_absolute( $argument ) ? $argument : rel2abs( 
$argument );
++      croak( "cpan config file [$file] for -j does not exist!\n" ) unless -e 
$file;
+ 
+       # should I clear out any existing config here?
+       $CPAN::Config = {};
+       delete $INC{'CPAN/Config.pm'};
+-      croak( "Config file [$file] does not exist!\n" ) unless -e $file;
+ 
+       my $rc = eval "require '$file'";
+ 
+-- 
+2.7.4
+
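Review bot: In `_load_config`, `$file` is now an absolute path that includes the current working directory, and it is still spliced into a string eval on the unchanged line `my $rc = eval "require '$file'";`. A single quote anywhere in that path ends the literal early and the remainder is compiled as Perl, so the directory name has become part of the evaluated code. The block form `my $rc = eval { require $file };` loads the same file without building source text from the path. Separately, `my $argument = shift;` drops the old `|| ''` default, so an undefined argument would reach `file_name_is_absolute` and `rel2abs`; whether the option parser can deliver one is not visible in this hunk. The rest of the sub lies outside the hunk.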
diff --git a/perl-CPAN.spec b/perl-CPAN.spec
index 75aebbc..85784a0 100644
--- a/perl-CPAN.spec
+++ b/perl-CPAN.spec
@@ -2,7 +2,7 @@
 
 Name:           perl-CPAN
 Version:        2.11
-Release:        349%{?dist}
+Release:        350%{?dist}
 Summary:        Query, download and build perl modules from CPAN sites
 License:        GPL+ or Artistic
 Group:          Development/Libraries
@@ -14,6 +14,15 @@ Patch0:         CPAN-2.10-Upgrade-to-2.11.patch
 Patch1:         
CPAN-2.11-Attemp-to-create-site-library-directories-on-first-t.patch
 # Change configuration directory name
 Patch2:         
CPAN-2.11-Replace-configuration-directory-string-with-a-marke.patch
+# Fix CVE-2016-1238 (loading optional modules from current working directory),
+# CPAN RT#116507, fixed after 2.14
+Patch3:         
CPAN-2.14-CVE-2016-1238-don-t-load-optional-modules-from-defau.patch
+# Fix CVE-2016-1238 completely, CPAN RT#116507
+Patch4:         CPAN-2.14-Fix-CVE-2016-1238-completely.patch
+# Do not search cpan -j file in @INC, required for
+# Fix-CVE-2016-1238-completely.patch, CPAN RT#116507, proposed in
+# <https://github.com/andk/cpanpm/pull/105>
+Patch5:         CPAN-2.14-For-cpan-j-make-the-file-an-absolute-path.patch
 BuildArch:      noarch
 BuildRequires:  coreutils
 BuildRequires:  findutils
@@ -187,6 +196,9 @@ external download clients to fetch distributions from the 
net.
 %patch0 -p1
 %patch1 -p1
 %patch2 -p1
+%patch3 -p1
+%patch4 -p1
+%patch5 -p1
 # Change configuration name
 find -type f -exec sed -i -e 's/XCPANCONFIGNAMEX/cpan/g' {} \;
 # Remove bundled modules
@@ -213,6 +225,10 @@ make test
 %{_mandir}/man3/*
 
 %changelog
+* Mon Jan 09 2017 Petr Pisar <ppi...@redhat.com> - 2.11-350
+- Fix CVE-2016-1238 (loading optional modules from current working directory)
+- Do not search cpan -j file in @INC (CPAN RT#116507)
+
 * Thu Feb 04 2016 Fedora Release Engineering <rel...@fedoraproject.org> - 
2.11-349
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
 
-- 
cgit v0.12


        
http://pkgs.fedoraproject.org/cgit/perl-CPAN.git/commit/?h=f24&id=feec61d87aec7ac8f393c3c44656a7d77a0823eb