You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
42 lines
1.3 KiB
42 lines
1.3 KiB
9 months ago
|
From 8cfc4916736280dd76655fdef5b78331bfac414d Mon Sep 17 00:00:00 2001
|
||
|
|
From: Tony Cook <tony@develop-help.com>
|
||
|
|
Date: Wed, 27 Jul 2016 14:04:59 +1000
|
||
|
|
Subject: [PATCH] CVE-2016-1238: prevent loading optional modules from default
|
||
|
|
.
|
||
|
|
|
||
|
|
Digest attempts to load Digest::SHA, only failing if Digest::SHA2
|
||
|
|
is also unavailable.
|
||
|
|
|
||
|
|
If a system has Digest installed, but not Digest::SHA, and a user
|
||
|
|
attempts to run a program using Digest with SHA-256 from a world
|
||
|
|
writable directory such as /tmp and since perl adds "." to the end
|
||
|
|
of @INC an attacker can run code as the original user by creating
|
||
|
|
/tmp/Digest/SHA.pm.
|
||
|
|
|
||
|
|
The change temporarily removes the default "." entry from the end of
|
||
|
|
@INC preventing that attack.
|
||
|
|
---
|
||
|
|
Digest.pm | 6 +++++-
|
||
|
|
1 file changed, 5 insertions(+), 1 deletion(-)
|
||
|
|
|
||
|
|
diff --git a/Digest.pm b/Digest.pm
|
||
|
|
index 2ae6eec..c75649f 100644
|
||
|
|
--- a/Digest.pm
|
||
|
|
+++ b/Digest.pm
|
||
|
|
@@ -42,7 +42,11 @@ sub new
|
||
|
|
unless (exists ${"$class\::"}{"VERSION"}) {
|
||
|
|
my $pm_file = $class . ".pm";
|
||
|
|
$pm_file =~ s{::}{/}g;
|
||
|
|
- eval { require $pm_file };
|
||
|
|
+ eval {
|
||
|
|
+ local @INC = @INC;
|
||
|
|
+ pop @INC if $INC[-1] eq '.';
|
||
|
|
+ require $pm_file;
|
||
|
|
+ };
|
||
|
|
if ($@) {
|
||
|
|
$err ||= $@;
|
||
|
|
next;
|
||
|
|
--
|
||
|
|
2.1.4
|
||
|
|
|