This queue is for tickets about the Encode CPAN distribution.

Report information
The Basics
Id: 116514
Status: resolved
Priority: 0/
Queue: Encode

People
Owner: Nobody in particular
Requestors: TONYC [...] cpan.org
Cc:
AdminCc:

Bug Information
Severity: (no value)
Broken in: (no value)
Fixed in: 2.85

Attachments
0001-CVE-2016-1238-avoid-loading-optional-modules-from.patch



Subject: CVE-2016-1238: Encode may load Encode::ConfigLocal from the current directory
Without this change, any process that uses Encode started with a current directory that's world writable (such as /tmp), and if there's no global Encode::ConfigLocal, can be attacked by another user by creating /tmp/Encode/ConfigLocal.pm.

This also includes changes to the tools; it's possible they are unnecessary, but I chose to be cautious.

Also available as: https://github.com/dankogai/p5-encode/pull/58

Tony
Subject: 0001-CVE-2016-1238-avoid-loading-optional-modules-from.patch
From 12be15d64ce089154c4367dc1842cd0dc0993ec6 Mon Sep 17 00:00:00 2001 From: Tony Cook <tony@develop-help.com> Date: Wed, 27 Jul 2016 14:52:40 +1000 Subject: [PATCH] CVE-2016-1238: avoid loading optional modules from . The change to Encode.pm is the most critical part of this patch. Without this change, and process that uses Encode started with a current directory that's world writable (such as /tmp) and if there's no global Encode::ConfigLocal, can be attacked by another user by creating /tmp/Encode/ConfigLocal.pm It's possible most of the tools changed here do not need to be updated, but I chose a conservative path. --- Encode.pm | 2 ++ bin/enc2xs | 1 + bin/encguess | 1 + bin/piconv | 1 + bin/ucmlint | 1 + bin/unidump | 1 + 6 files changed, 7 insertions(+) diff --git a/Encode.pm b/Encode.pm index d88fe95..3923733 100644 --- a/Encode.pm +++ b/Encode.pm @@ -56,6 +56,8 @@ require Encode::Config; eval { local $SIG{__DIE__}; local $SIG{__WARN__}; + local @INC = @INC; + pop @INC if $INC[-1] eq '.'; require Encode::ConfigLocal; }; diff --git a/bin/enc2xs b/bin/enc2xs index ec4732c..f8d9f52 100755 --- a/bin/enc2xs +++ b/bin/enc2xs @@ -4,6 +4,7 @@ BEGIN { # with $ENV{PERL_CORE} set # In case we need it in future... require Config; import Config; + pop @INC if $INC[-1] eq '.'; } use strict; use warnings; diff --git a/bin/encguess b/bin/encguess index 5d7ac80..0be5c7c 100755 --- a/bin/encguess +++ b/bin/encguess @@ -1,5 +1,6 @@ #!./perl use 5.008001; +BEGIN { pop @INC if $INC[-1] eq '.' } use strict; use warnings; use Encode; diff --git a/bin/piconv b/bin/piconv index c1dad9e..60b2a59 100755 --- a/bin/piconv +++ b/bin/piconv @@ -1,6 +1,7 @@ #!./perl # $Id: piconv,v 2.7 2014/05/31 09:48:48 dankogai Exp $ # +BEGIN { pop @INC if $INC[-1] eq '.' } use 5.8.0; use strict; use Encode ; diff --git a/bin/ucmlint b/bin/ucmlint index 622376d..25e0d67 100644 --- a/bin/ucmlint +++ b/bin/ucmlint 
@@ -3,6 +3,7 @@ # $Id: ucmlint,v 2.2 2008/03/12 09:51:11 dankogai Exp $ # +BEGIN { pop @INC if $INC[-1] eq '.' } use strict; our $VERSION = do { my @r = (q$Revision: 2.2 $ =~ /\d+/g); sprintf "%d."."%02d" x $#r, @r }; diff --git a/bin/unidump b/bin/unidump index ae0da30..f190827 100755 --- a/bin/unidump +++ b/bin/unidump @@ -1,5 +1,6 @@ #!./perl +BEGIN { pop @INC if $INC[-1] eq '.' } use strict; use Encode; use Getopt::Std; -- 2.1.4
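Review bot: In the Encode.pm hunk (`@@ -56,6 +56,8 @@`), the guard `pop @INC if $INC[-1] eq '.'` only removes a trailing `.`; if the embedding program has appended its own entries after `.` (so `.` is no longer last), the `require Encode::ConfigLocal` lookup can still reach the current directory. Since `@INC` is already localized here, `local @INC = grep { $_ ne '.' } @INC;` removes `.` wherever it appears and makes the `pop` unnecessary. The `local` itself is the right choice: `@INC` is restored when the `eval` exits, so callers that rely on `.` are not affected.

Review bot: In the bin/enc2xs hunk (`@@ -4,6 +4,7 @@`), the `pop @INC` is placed after `require Config; import Config;`, so those two lookups still run with `.` on `@INC`. Because `@INC` is searched in order and Config ships with the core lib, this is harmless in practice, but moving the `pop` to the first statement of the `BEGIN` block removes the ordering dependency and makes the intent of the block obvious.

Review bot: In the bin/encguess, bin/piconv, bin/ucmlint and bin/unidump hunks, the `BEGIN { pop @INC if $INC[-1] eq '.' }` line is correctly placed before the first `use Encode`, which is what matters since `use` runs at compile time; the same trailing-only limitation as in Encode.pm applies, and the one-liner is now duplicated verbatim in five files with nothing tying it to the issue. Suggest a short comment on each copy, for example `# CVE-2016-1238: never load modules from the current directory`, so a later cleanup does not drop it as dead code.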

