authorMingli Yu <Mingli.Yu@windriver.com>2016-09-26 06:00:42 (GMT)
committerRichard Purdie <richard.purdie@linuxfoundation.org>2016-10-06 07:51:17 (GMT)
commitc3f5e64b583e0f8c62952f4c2a93c41310987bdf (patch)
tree350dc9c76e284a7502d446927e1f967f1c0df59b
parent84997c7f212ec63f7368707354f16c74cecf9e1a (diff)
downloadpoky-c3f5e64b583e0f8c62952f4c2a93c41310987bdf.tar.gz
perl: fix CVE-2016-1238
Backport patch to fix CVE-2016-1238 from perl upstream: http://perl5.git.perl.org/perl.git/commitdiff/cee96d52c39b1e7b36e1c62d38bcd8d86e9a41ab (From OE-Core rev: 7d06ffcbcd0c71dc6dc9efde02bf0cd8d7c7d7e3) (From OE-Core rev: 39ef8e22b52d3f5daa853aa7866145e9c5469d4b) Signed-off-by: Mingli Yu <Mingli.Yu@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Fixed up to apply to 5.20.0 Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-rw-r--r--meta/recipes-devtools/perl/perl/perl-fix-CVE-2016-1238.patch352
-rw-r--r--meta/recipes-devtools/perl/perl_5.22.0.bb1
2 files changed, 353 insertions, 0 deletions
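--- /dev/null
+++ b/meta/recipes-devtools/perl/perl/perl-fix-CVE-2016-1238.patch
@@ -0,0 +1,352 @@
+From 9987be3d24286d96d9dccec0433253ee8ad894b4 Mon Sep 17 00:00:00 2001
+From: Tony Cook <tony@develop-help.com>
+Date: Tue, 21 Jun 2016 10:02:02 +1000
+Subject: [PATCH] perl: fix CVE-2016-1238
+
+(perl #127834) remove . from the end of @INC if complex modules are loaded
+
+While currently Encode and Storable are know to attempt to load modules
+not included in the core, updates to other modules may lead to those
+also attempting to load new modules, so be safe and remove . for those
+as well.
+
+Backport patch from http://perl5.git.perl.org/perl.git/commitdiff/cee96d52c39b1e7b36e1c62d38bcd8d86e9a41ab
+
+Upstream-Status: Backport
+CVE: CVE-2016-1238
+Signed-off-by: Mingli Yu <Mingli.Yu@windriver.com>
+---
+ cpan/Archive-Tar/bin/ptar | 1 +
+ cpan/Archive-Tar/bin/ptardiff | 1 +
+ cpan/Archive-Tar/bin/ptargrep | 1 +
+ cpan/CPAN/scripts/cpan | 1 +
+ cpan/Digest-SHA/shasum | 1 +
+ cpan/Encode/bin/enc2xs | 1 +
+ cpan/Encode/bin/encguess | 1 +
+ cpan/Encode/bin/piconv | 1 +
+ cpan/Encode/bin/ucmlint | 1 +
+ cpan/Encode/bin/unidump | 1 +
+ cpan/ExtUtils-MakeMaker/bin/instmodsh | 1 +
+ cpan/IO-Compress/bin/zipdetails | 1 +
+ cpan/JSON-PP/bin/json_pp | 1 +
+ cpan/Test-Harness/bin/prove | 1 +
+ dist/ExtUtils-ParseXS/lib/ExtUtils/xsubpp | 1 +
+ dist/Module-CoreList/corelist | 1 +
+ ext/Pod-Html/bin/pod2html | 1 +
+ utils/c2ph.PL | 1 +
+ utils/h2ph.PL | 2 ++
+ utils/h2xs.PL | 2 ++
+ utils/libnetcfg.PL | 1 +
+ utils/perlbug.PL | 1 +
+ utils/perldoc.PL | 5 ++++-
+ utils/perlivp.PL | 2 ++
+ utils/splain.PL | 6 ++++++
+ 25 files changed, 36 insertions(+), 1 deletion(-)
+
+diff --git a/cpan/Archive-Tar/bin/ptar b/cpan/Archive-Tar/bin/ptar
+index 0eaffa7..9dc6402 100644
+--- a/cpan/Archive-Tar/bin/ptar
++++ b/cpan/Archive-Tar/bin/ptar
+@@ -1,6 +1,7 @@
+ #!/usr/bin/perl
+ use strict;
+
++BEGIN { pop @INC if $INC[-1] eq '.' }
+ use File::Find;
+ use Getopt::Std;
+ use Archive::Tar;
+diff --git a/cpan/Archive-Tar/bin/ptardiff b/cpan/Archive-Tar/bin/ptardiff
+index 66bd859..4668fa6 100644
+--- a/cpan/Archive-Tar/bin/ptardiff
++++ b/cpan/Archive-Tar/bin/ptardiff
+@@ -1,5 +1,6 @@
+ #!/usr/bin/perl
+
++BEGIN { pop @INC if $INC[-1] eq '.' }
+ use strict;
+ use Archive::Tar;
+ use Getopt::Std;
+diff --git a/cpan/Archive-Tar/bin/ptargrep b/cpan/Archive-Tar/bin/ptargrep
+index 1a320f1..8dc6b4f 100644
+--- a/cpan/Archive-Tar/bin/ptargrep
++++ b/cpan/Archive-Tar/bin/ptargrep
+@@ -4,6 +4,7 @@
+ # archive. See 'ptargrep --help' for more documentation.
+ #
+
++BEGIN { pop @INC if $INC[-1] eq '.' }
+ use strict;
+ use warnings;
+
+diff --git a/cpan/CPAN/scripts/cpan b/cpan/CPAN/scripts/cpan
+index 5f4320e..ccba47e 100644
+--- a/cpan/CPAN/scripts/cpan
++++ b/cpan/CPAN/scripts/cpan
+@@ -1,5 +1,6 @@
+ #!/usr/local/bin/perl
+
++BEGIN { pop @INC if $INC[-1] eq '.' }
+ use strict;
+ use vars qw($VERSION);
+
+diff --git a/cpan/Digest-SHA/shasum b/cpan/Digest-SHA/shasum
+index 14ddd60..62a2b0e 100644
+--- a/cpan/Digest-SHA/shasum
++++ b/cpan/Digest-SHA/shasum
+@@ -13,6 +13,7 @@
+ ## "-0" option for reading bit strings, and
+ ## "-p" option for portable digests (to be deprecated).
+
++BEGIN { pop @INC if $INC[-1] eq '.' }
+ use strict;
+ use warnings;
+ use Fcntl;
+diff --git a/cpan/Encode/bin/enc2xs b/cpan/Encode/bin/enc2xs
+index 4d64e38..473a15c 100644
+--- a/cpan/Encode/bin/enc2xs
++++ b/cpan/Encode/bin/enc2xs
+@@ -4,6 +4,7 @@ BEGIN {
+ # with $ENV{PERL_CORE} set
+ # In case we need it in future...
+ require Config; import Config;
++ pop @INC if $INC[-1] eq '.';
+ }
+ use strict;
+ use warnings;
+diff --git a/cpan/Encode/bin/encguess b/cpan/Encode/bin/encguess
+index 5d7ac80..0be5c7c 100644
+--- a/cpan/Encode/bin/encguess
++++ b/cpan/Encode/bin/encguess
+@@ -1,5 +1,6 @@
+ #!./perl
+ use 5.008001;
++BEGIN { pop @INC if $INC[-1] eq '.' }
+ use strict;
+ use warnings;
+ use Encode;
+diff --git a/cpan/Encode/bin/piconv b/cpan/Encode/bin/piconv
+index c1dad9e..60b2a59 100644
+--- a/cpan/Encode/bin/piconv
++++ b/cpan/Encode/bin/piconv
+@@ -1,6 +1,7 @@
+ #!./perl
+ # $Id: piconv,v 2.7 2014/05/31 09:48:48 dankogai Exp $
+ #
++BEGIN { pop @INC if $INC[-1] eq '.' }
+ use 5.8.0;
+ use strict;
+ use Encode ;
+diff --git a/cpan/Encode/bin/ucmlint b/cpan/Encode/bin/ucmlint
+index 622376d..25e0d67 100644
+--- a/cpan/Encode/bin/ucmlint
++++ b/cpan/Encode/bin/ucmlint
+@@ -3,6 +3,7 @@
+ # $Id: ucmlint,v 2.2 2008/03/12 09:51:11 dankogai Exp $
+ #
+
++BEGIN { pop @INC if $INC[-1] eq '.' }
+ use strict;
+ our $VERSION = do { my @r = (q$Revision: 2.2 $ =~ /\d+/g); sprintf "%d."."%02d" x $#r, @r };
+
+diff --git a/cpan/Encode/bin/unidump b/cpan/Encode/bin/unidump
+index ae0da30..f190827 100644
+--- a/cpan/Encode/bin/unidump
++++ b/cpan/Encode/bin/unidump
+@@ -1,5 +1,6 @@
+ #!./perl
+
++BEGIN { pop @INC if $INC[-1] eq '.' }
+ use strict;
+ use Encode;
+ use Getopt::Std;
+diff --git a/cpan/ExtUtils-MakeMaker/bin/instmodsh b/cpan/ExtUtils-MakeMaker/bin/instmodsh
+index e551434..b3b109f 100644
+--- a/cpan/ExtUtils-MakeMaker/bin/instmodsh
++++ b/cpan/ExtUtils-MakeMaker/bin/instmodsh
+@@ -1,5 +1,6 @@
+ #!/usr/bin/perl -w
+
++BEGIN { pop @INC if $INC[-1] eq '.' }
+ use strict;
+ use IO::File;
+ use ExtUtils::Packlist;
+diff --git a/cpan/IO-Compress/bin/zipdetails b/cpan/IO-Compress/bin/zipdetails
+index 0249850..1b9c70a 100644
+--- a/cpan/IO-Compress/bin/zipdetails
++++ b/cpan/IO-Compress/bin/zipdetails
+@@ -5,6 +5,7 @@
+ # Display info on the contents of a Zip file
+ #
+
++BEGIN { pop @INC if $INC[-1] eq '.' }
+ use strict;
+ use warnings ;
+
+diff --git a/cpan/JSON-PP/bin/json_pp b/cpan/JSON-PP/bin/json_pp
+index df9d243..896cd2f 100644
+--- a/cpan/JSON-PP/bin/json_pp
++++ b/cpan/JSON-PP/bin/json_pp
+@@ -1,5 +1,6 @@
+ #!/usr/bin/perl
+
++BEGIN { pop @INC if $INC[-1] eq '.' }
+ use strict;
+ use Getopt::Long;
+
+diff --git a/cpan/Test-Harness/bin/prove b/cpan/Test-Harness/bin/prove
+index 6637cc4..d71b238 100644
+--- a/cpan/Test-Harness/bin/prove
++++ b/cpan/Test-Harness/bin/prove
+@@ -1,5 +1,6 @@
+ #!/usr/bin/perl -w
+
++BEGIN { pop @INC if $INC[-1] eq '.' }
+ use strict;
+ use warnings;
+ use App::Prove;
+diff --git a/dist/ExtUtils-ParseXS/lib/ExtUtils/xsubpp b/dist/ExtUtils-ParseXS/lib/ExtUtils/xsubpp
+index e2ac71a..d596cdf 100644
+--- a/dist/ExtUtils-ParseXS/lib/ExtUtils/xsubpp
++++ b/dist/ExtUtils-ParseXS/lib/ExtUtils/xsubpp
+@@ -1,5 +1,6 @@
+ #!perl
+ use 5.006;
++BEGIN { pop @INC if $INC[-1] eq '.' }
+ use strict;
+ eval {
+ require ExtUtils::ParseXS;
+diff --git a/dist/Module-CoreList/corelist b/dist/Module-CoreList/corelist
+index aa4a945..bbe61cc 100644
+--- a/dist/Module-CoreList/corelist
++++ b/dist/Module-CoreList/corelist
+@@ -130,6 +130,7 @@ requested perl versions.
+
+ =cut
+
++BEGIN { pop @INC if $INC[-1] eq '.' }
+ use Module::CoreList;
+ use Getopt::Long qw(:config no_ignore_case);
+ use Pod::Usage;
+diff --git a/ext/Pod-Html/bin/pod2html b/ext/Pod-Html/bin/pod2html
+index b022859..7d1d232 100644
+--- a/ext/Pod-Html/bin/pod2html
++++ b/ext/Pod-Html/bin/pod2html
+@@ -216,6 +216,7 @@ This program is distributed under the Artistic License.
+
+ =cut
+
++BEGIN { pop @INC if $INC[-1] eq '.' }
+ use Pod::Html;
+
+ pod2html @ARGV;
+diff --git a/utils/c2ph.PL b/utils/c2ph.PL
+index 13389ec..cef0b5c 100644
+--- a/utils/c2ph.PL
++++ b/utils/c2ph.PL
+@@ -280,6 +280,7 @@ Anyway, here it is. Should run on perl v4 or greater. Maybe less.
+
+ $RCSID = '$Id: c2ph,v 1.7 95/10/28 10:41:47 tchrist Exp Locker: tchrist $';
+
++BEGIN { pop @INC if $INC[-1] eq '.' }
+ use File::Temp;
+
+ ######################################################################
+diff --git a/utils/h2ph.PL b/utils/h2ph.PL
+index 55c1f72..300b756 100644
+--- a/utils/h2ph.PL
++++ b/utils/h2ph.PL
+@@ -36,6 +36,8 @@ $Config{startperl}
+
+ print OUT <<'!NO!SUBS!';
+
++BEGIN { pop @INC if $INC[-1] eq '.' }
++
+ use strict;
+
+ use Config;
+diff --git a/utils/h2xs.PL b/utils/h2xs.PL
+index 268f680..f95ee0c 100644
+--- a/utils/h2xs.PL
++++ b/utils/h2xs.PL
+@@ -35,6 +35,8 @@ $Config{startperl}
+
+ print OUT <<'!NO!SUBS!';
+
++BEGIN { pop @INC if $INC[-1] eq '.' }
++
+ use warnings;
+
+ =head1 NAME
+diff --git a/utils/libnetcfg.PL b/utils/libnetcfg.PL
+index 59a2de8..26d2f99 100644
+--- a/utils/libnetcfg.PL
++++ b/utils/libnetcfg.PL
+@@ -97,6 +97,7 @@ Jarkko Hietaniemi, conversion into libnetcfg for inclusion into Perl 5.8.
+
+ # $Id: Configure,v 1.8 1997/03/04 09:22:32 gbarr Exp $
+
++BEGIN { pop @INC if $INC[-1] eq '.' }
+ use strict;
+ use IO::File;
+ use Getopt::Std;
+diff --git a/utils/perlbug.PL b/utils/perlbug.PL
+index 885785a..ae8c343 100644
+--- a/utils/perlbug.PL
++++ b/utils/perlbug.PL
+@@ -57,6 +57,7 @@ print OUT <<'!NO!SUBS!';
+ my @patches = Config::local_patches();
+ my $patch_tags = join "", map /(\S+)/ ? "+$1 " : (), @patches;
+
++BEGIN { pop @INC if $INC[-1] eq '.' }
+ use warnings;
+ use strict;
+ use Config;
+diff --git a/utils/perldoc.PL b/utils/perldoc.PL
+index e201de9..cd60bd4 100644
+--- a/utils/perldoc.PL
++++ b/utils/perldoc.PL
+@@ -44,7 +44,10 @@ $Config{startperl}
+ # This "$file" file was generated by "$0"
+
+ require 5;
+-BEGIN { \$^W = 1 if \$ENV{'PERLDOCDEBUG'} }
++BEGIN {
++ \$^W = 1 if \$ENV{'PERLDOCDEBUG'};
++ pop \@INC if \$INC[-1] eq '.';
++}
+ use Pod::Perldoc;
+ exit( Pod::Perldoc->run() );
+
+diff --git a/utils/perlivp.PL b/utils/perlivp.PL
+index cc49f96..696a44e 100644
+--- a/utils/perlivp.PL
++++ b/utils/perlivp.PL
+@@ -39,6 +39,8 @@ print OUT "\n# perlivp $^V\n";
+
+ print OUT <<'!NO!SUBS!';
+
++BEGIN { pop @INC if $INC[-1] eq '.' }
++
+ sub usage {
+ warn "@_\n" if @_;
+ print << " EOUSAGE";
+diff --git a/utils/splain.PL b/utils/splain.PL
+index 9c70b61..cae84a0 100644
+--- a/utils/splain.PL
++++ b/utils/splain.PL
+@@ -38,6 +38,12 @@ $Config{startperl}
+ if \$running_under_some_shell;
+ !GROK!THIS!
+
++print <<'!NO!SUBS!';
++
++BEGIN { pop @INC if $INC[-1] eq '.' }
++
++!NO!SUBS!
++
+ while (<IN>) {
+ print OUT unless /^package diagnostics/;
+ }
+--
+2.8.1
+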
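Review bot: The splain.PL hunk at the end of this patch (`@@ -38,6 +38,12 @@`) emits the new heredoc with a bare `print <<'!NO!SUBS!';`, while the generator code right below it in the same hunk writes the generated script with `print OUT unless /^package diagnostics/;`, so unless splain.PL has selected OUT as the default output handle somewhere outside the hunk, the `BEGIN { pop @INC if $INC[-1] eq '.' }` line is written to the build's stdout and the installed `splain` never receives the CVE-2016-1238 hardening. The line should read `print OUT <<'!NO!SUBS!';`, matching the h2ph.PL, h2xs.PL and perlivp.PL hunks, which all use `print OUT` for the same block. Because the patch applies and the build succeeds either way, the omission is silent; checking that the installed splain actually contains the BEGIN block is the only way to confirm the fix landed. The remaining 24 hunks follow the same one-line pattern and appear consistent with the header's file list.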
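--- a/meta/recipes-devtools/perl/perl_5.22.0.bb
+++ b/meta/recipes-devtools/perl/perl_5.22.0.bb
@@ -37,6 +37,7 @@ SRC_URI += " \
 file://perl-fix-CVE-2016-2381.patch \
 file://perl-fix-CVE-2016-6185.patch \
 file://perl-fix-CVE-2015-8607.patch \
+file://perl-fix-CVE-2016-1238.patch \
 "
 
 SRC_URI += " \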
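Review bot: The commit message states the patch was "Fixed up to apply to 5.20.0", but the only recipe touched here is perl_5.22.0.bb; if that line was carried over from the original OE-Core backport, it should say 5.22.0 so the history does not read as a version mismatch between the patch and the recipe it is wired into. The SRC_URI entry itself follows the ordering and naming of the neighbouring CVE patches and needs no change.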