CVSROOT: /cvs Module name: src Changes by: afre...@cvs.openbsd.org 2016/07/25 04:53:04
Modified files: gnu/usr.bin/perl: patchlevel.h gnu/usr.bin/perl/cpan/Archive-Tar/bin: ptar ptardiff ptargrep gnu/usr.bin/perl/cpan/Archive-Tar/lib/Archive: Tar.pm gnu/usr.bin/perl/cpan/Archive-Tar/lib/Archive/Tar: Constant.pm File.pm gnu/usr.bin/perl/cpan/CPAN/lib: CPAN.pm gnu/usr.bin/perl/cpan/CPAN/lib/App: Cpan.pm gnu/usr.bin/perl/cpan/CPAN/lib/CPAN: Author.pm Bundle.pm CacheMgr.pm Complete.pm Debug.pm DeferredCode.pm Distribution.pm Distroprefs.pm Distrostatus.pm FTP.pm FirstTime.pm HandleConfig.pm Index.pm InfoObj.pm Kwalify.pm Mirrors.pm Module.pm Nox.pm Prompt.pm Queue.pm Shell.pm Tarzip.pm URL.pm Version.pm gnu/usr.bin/perl/cpan/CPAN/lib/CPAN/Exception: RecursiveDependency.pm blocked_urllist.pm yaml_not_installed.pm yaml_process_error.pm gnu/usr.bin/perl/cpan/CPAN/lib/CPAN/FTP: netrc.pm gnu/usr.bin/perl/cpan/CPAN/lib/CPAN/HTTP: Client.pm Credentials.pm gnu/usr.bin/perl/cpan/CPAN/lib/CPAN/LWP: UserAgent.pm gnu/usr.bin/perl/cpan/CPAN/scripts: cpan gnu/usr.bin/perl/cpan/Digest: Digest.pm gnu/usr.bin/perl/cpan/Digest/Digest: base.pm file.pm gnu/usr.bin/perl/cpan/Digest-SHA: shasum gnu/usr.bin/perl/cpan/Digest-SHA/lib/Digest: SHA.pm gnu/usr.bin/perl/cpan/Encode: Encode.pm gnu/usr.bin/perl/cpan/Encode/Encode: _PM.e2x gnu/usr.bin/perl/cpan/Encode/bin: enc2xs piconv ucmlint unidump gnu/usr.bin/perl/cpan/ExtUtils-MakeMaker/bin: instmodsh gnu/usr.bin/perl/cpan/ExtUtils-MakeMaker/lib/ExtUtils: Liblist.pm MM.pm MM_AIX.pm MM_Any.pm MM_BeOS.pm MM_Cygwin.pm MM_DOS.pm MM_Darwin.pm MM_MacOS.pm MM_NW5.pm MM_OS2.pm MM_QNX.pm MM_UWIN.pm MM_Unix.pm MM_VMS.pm MM_VOS.pm MM_Win32.pm MM_Win95.pm MY.pm MakeMaker.pm Mkbootstrap.pm Mksymlists.pm testlib.pm gnu/usr.bin/perl/cpan/ExtUtils-MakeMaker/lib/ExtUtils/Command: MM.pm gnu/usr.bin/perl/cpan/ExtUtils-MakeMaker/lib/ExtUtils/Liblist: Kid.pm gnu/usr.bin/perl/cpan/ExtUtils-MakeMaker/lib/ExtUtils/MakeMaker: Config.pm FAQ.pod Tutorial.pod gnu/usr.bin/perl/cpan/File-Fetch/lib/File: Fetch.pm gnu/usr.bin/perl/cpan/HTTP-Tiny/lib/HTTP: 
Tiny.pm gnu/usr.bin/perl/cpan/IO-Compress/bin: zipdetails gnu/usr.bin/perl/cpan/IO-Compress/lib/Compress: Zlib.pm gnu/usr.bin/perl/cpan/IO-Compress/lib/File: GlobMapper.pm gnu/usr.bin/perl/cpan/IO-Compress/lib/IO/Compress: Base.pm Bzip2.pm Deflate.pm Gzip.pm RawDeflate.pm Zip.pm gnu/usr.bin/perl/cpan/IO-Compress/lib/IO/Compress/Adapter: Bzip2.pm Deflate.pm Identity.pm gnu/usr.bin/perl/cpan/IO-Compress/lib/IO/Compress/Base: Common.pm gnu/usr.bin/perl/cpan/IO-Compress/lib/IO/Compress/Gzip: Constants.pm gnu/usr.bin/perl/cpan/IO-Compress/lib/IO/Compress/Zip: Constants.pm gnu/usr.bin/perl/cpan/IO-Compress/lib/IO/Compress/Zlib: Constants.pm Extra.pm gnu/usr.bin/perl/cpan/IO-Compress/lib/IO/Uncompress: AnyInflate.pm AnyUncompress.pm Base.pm Bunzip2.pm Gunzip.pm Inflate.pm RawInflate.pm Unzip.pm gnu/usr.bin/perl/cpan/IO-Compress/lib/IO/Uncompress/Adapter: Bunzip2.pm Identity.pm Inflate.pm gnu/usr.bin/perl/cpan/IO-Compress/private: MakeUtil.pm gnu/usr.bin/perl/cpan/IPC-Cmd/lib/IPC: Cmd.pm gnu/usr.bin/perl/cpan/JSON-PP/bin: json_pp gnu/usr.bin/perl/cpan/JSON-PP/lib/JSON: PP.pm gnu/usr.bin/perl/cpan/Locale-Maketext-Simple/lib/Locale/Maketext: Simple.pm gnu/usr.bin/perl/cpan/Memoize: Memoize.pm gnu/usr.bin/perl/cpan/Memoize/Memoize: AnyDBM_File.pm Expire.pm ExpireFile.pm ExpireTest.pm NDBM_File.pm SDBM_File.pm Storable.pm gnu/usr.bin/perl/cpan/Pod-Perldoc/lib/Pod: Perldoc.pm gnu/usr.bin/perl/cpan/Pod-Perldoc/lib/Pod/Perldoc: BaseTo.pm GetOptsOO.pm ToANSI.pm ToChecker.pm ToMan.pm ToNroff.pm ToPod.pm ToRtf.pm ToTerm.pm ToText.pm ToTk.pm ToXml.pm gnu/usr.bin/perl/cpan/Sys-Syslog: Syslog.pm gnu/usr.bin/perl/cpan/Test/lib: Test.pm gnu/usr.bin/perl/cpan/Test-Harness/bin: prove gnu/usr.bin/perl/cpan/Test-Harness/lib/App: Prove.pm gnu/usr.bin/perl/cpan/Test-Harness/lib/App/Prove: State.pm gnu/usr.bin/perl/cpan/Test-Harness/lib/App/Prove/State: Result.pm gnu/usr.bin/perl/cpan/Test-Harness/lib/App/Prove/State/Result: Test.pm gnu/usr.bin/perl/cpan/Test-Harness/lib/TAP: Base.pm Harness.pm 
Object.pm Parser.pm gnu/usr.bin/perl/cpan/Test-Harness/lib/TAP/Formatter: Base.pm Color.pm Console.pm File.pm Session.pm gnu/usr.bin/perl/cpan/Test-Harness/lib/TAP/Formatter/Console: ParallelSession.pm Session.pm gnu/usr.bin/perl/cpan/Test-Harness/lib/TAP/Formatter/File: Session.pm gnu/usr.bin/perl/cpan/Test-Harness/lib/TAP/Harness: Env.pm gnu/usr.bin/perl/cpan/Test-Harness/lib/TAP/Parser: Aggregator.pm Grammar.pm Iterator.pm IteratorFactory.pm Multiplexer.pm Result.pm ResultFactory.pm Scheduler.pm Source.pm SourceHandler.pm gnu/usr.bin/perl/cpan/Test-Harness/lib/TAP/Parser/Iterator: Array.pm Process.pm Stream.pm gnu/usr.bin/perl/cpan/Test-Harness/lib/TAP/Parser/Result: Bailout.pm Comment.pm Plan.pm Pragma.pm Test.pm Unknown.pm Version.pm YAML.pm gnu/usr.bin/perl/cpan/Test-Harness/lib/TAP/Parser/Scheduler: Job.pm Spinner.pm gnu/usr.bin/perl/cpan/Test-Harness/lib/TAP/Parser/SourceHandler: Executable.pm File.pm Handle.pm Perl.pm RawTAP.pm gnu/usr.bin/perl/cpan/Test-Harness/lib/TAP/Parser/YAMLish: Reader.pm Writer.pm gnu/usr.bin/perl/cpan/Test-Harness/lib/Test: Harness.pm gnu/usr.bin/perl/cpan/libnet/Net: Cmd.pm Config.pm Domain.pm FTP.pm NNTP.pm Netrc.pm POP3.pm SMTP.pm Time.pm gnu/usr.bin/perl/cpan/libnet/Net/FTP: A.pm E.pm I.pm L.pm dataconn.pm gnu/usr.bin/perl/dist/ExtUtils-Command/lib/ExtUtils: Command.pm gnu/usr.bin/perl/dist/ExtUtils-ParseXS/lib/ExtUtils: ParseXS.pm Typemaps.pm xsubpp gnu/usr.bin/perl/dist/ExtUtils-ParseXS/lib/ExtUtils/ParseXS: Constants.pm CountLines.pm Eval.pm Utilities.pm gnu/usr.bin/perl/dist/ExtUtils-ParseXS/lib/ExtUtils/Typemaps: Cmd.pm InputMap.pm OutputMap.pm Type.pm gnu/usr.bin/perl/dist/I18N-LangTags/lib/I18N: LangTags.pm gnu/usr.bin/perl/dist/I18N-LangTags/lib/I18N/LangTags: Detect.pm List.pm gnu/usr.bin/perl/dist/IO: IO.pm gnu/usr.bin/perl/dist/IO/lib/IO: Dir.pm File.pm Handle.pm Pipe.pm Poll.pm Seekable.pm Select.pm Socket.pm gnu/usr.bin/perl/dist/IO/lib/IO/Socket: INET.pm UNIX.pm gnu/usr.bin/perl/dist/Locale-Maketext/lib/Locale: 
Maketext.pm gnu/usr.bin/perl/dist/Locale-Maketext/lib/Locale/Maketext: Guts.pm GutsLoader.pm gnu/usr.bin/perl/dist/Module-CoreList: corelist gnu/usr.bin/perl/dist/Module-CoreList/lib/Module: CoreList.pm gnu/usr.bin/perl/dist/Module-CoreList/lib/Module/CoreList: TieHashDelta.pm Utils.pm gnu/usr.bin/perl/dist/Net-Ping/lib/Net: Ping.pm gnu/usr.bin/perl/dist/PathTools: Cwd.pm gnu/usr.bin/perl/dist/PathTools/lib/File: Spec.pm gnu/usr.bin/perl/dist/PathTools/lib/File/Spec: Cygwin.pm Epoc.pm Functions.pm Mac.pm OS2.pm Unix.pm VMS.pm Win32.pm gnu/usr.bin/perl/dist/Storable: Storable.pm gnu/usr.bin/perl/dist/base/lib: base.pm fields.pm gnu/usr.bin/perl/dist/bignum/lib: bigint.pm bignum.pm bigrat.pm gnu/usr.bin/perl/dist/bignum/lib/Math/BigFloat: Trace.pm gnu/usr.bin/perl/dist/bignum/lib/Math/BigInt: Trace.pm gnu/usr.bin/perl/ext/Pod-Html/bin: pod2html gnu/usr.bin/perl/ext/Pod-Html/lib/Pod: Html.pm gnu/usr.bin/perl/lib: perl5db.pl gnu/usr.bin/perl/t/porting: customized.dat gnu/usr.bin/perl/utils: c2ph.PL h2ph.PL h2xs.PL libnetcfg.PL perlbug.PL perldoc.PL perlivp.PL splain.PL gnu/usr.bin/perl/x2p: find2perl.PL s2p.PL Log message: Patch perl CVE-2016-1238 The problem relates to Perl 5 ("perl") loading modules from the includes directory array ("@INC") in which the last element is the current directory ("."). That means that, when "perl" wants to load a module (during first compilation or during lazy loading of a module in run-time), perl will look for the module in the current directory at the end, since '.' is the last include directory in its array of include directories to seek. The issue is with requiring libraries that are in "." but are not otherwise installed. The major problem with this behavior is that it unexpectedly puts a user at risk whenever they execute any Perl scripts from a directory that is writable by other accounts on the system. 
For instance, if a user is logged in as root and changes directory into /tmp or an account's home directory, it is possible to run any shell commands written in C, Python or Ruby there without fear. The same isn't true for shell commands that are written in Perl, since a significant proportion of Perl scripts will execute code in the current working directory whenever they are run. For example, if a user on a shared system creates the file /tmp/Pod/Perldoc/Toterm.pm, and then I log in as root, change directory to /tmp, and run "perldoc perlrun", perldoc will execute the code they have placed in the file. ok deraadt@