From 9987be3d24286d96d9dccec0433253ee8ad894b4 Mon Sep 17 00:00:00 2001
From: Tony Cook
Date: Tue, 21 Jun 2016 10:02:02 +1000
Subject: [PATCH] perl: fix CVE-2016-1238 (perl #127834)

remove . from the end of @INC if complex modules are loaded

While currently Encode and Storable are know to attempt to load modules not included in the core, updates to other modules may lead to those also attempting to load new modules, so be safe and remove . for those as well.

Backport patch from http://perl5.git.perl.org/perl.git/commitdiff/cee96d52c39b1e7b36e1c62d38bcd8d86e9a41ab

Upstream-Status: Backport
CVE: CVE-2016-1238

Signed-off-by: Mingli Yu
---
 cpan/Archive-Tar/bin/ptar | 1 +
 cpan/Archive-Tar/bin/ptardiff | 1 +
 cpan/Archive-Tar/bin/ptargrep | 1 +
 cpan/CPAN/scripts/cpan | 1 +
 cpan/Digest-SHA/shasum | 1 +
 cpan/Encode/bin/enc2xs | 1 +
 cpan/Encode/bin/encguess | 1 +
 cpan/Encode/bin/piconv | 1 +
 cpan/Encode/bin/ucmlint | 1 +
 cpan/Encode/bin/unidump | 1 +
 cpan/ExtUtils-MakeMaker/bin/instmodsh | 1 +
 cpan/IO-Compress/bin/zipdetails | 1 +
 cpan/JSON-PP/bin/json_pp | 1 +
 cpan/Test-Harness/bin/prove | 1 +
 dist/ExtUtils-ParseXS/lib/ExtUtils/xsubpp | 1 +
 dist/Module-CoreList/corelist | 1 +
 ext/Pod-Html/bin/pod2html | 1 +
 utils/c2ph.PL | 1 +
 utils/h2ph.PL | 2 ++
 utils/h2xs.PL | 2 ++
 utils/libnetcfg.PL | 1 +
 utils/perlbug.PL | 1 +
 utils/perldoc.PL | 5 ++++-
 utils/perlivp.PL | 2 ++
 utils/splain.PL | 6 ++++++
 25 files changed, 36 insertions(+), 1 deletion(-)

diff --git a/cpan/Archive-Tar/bin/ptar b/cpan/Archive-Tar/bin/ptar
index 0eaffa7..9dc6402 100644
--- a/cpan/Archive-Tar/bin/ptar
+++ b/cpan/Archive-Tar/bin/ptar
@@ -1,6 +1,7 @@
 #!/usr/bin/perl
 use strict;
+BEGIN { pop @INC if $INC[-1] eq '.' }
 use File::Find;
 use Getopt::Std;
 use Archive::Tar;
diff --git a/cpan/Archive-Tar/bin/ptardiff b/cpan/Archive-Tar/bin/ptardiff
index 66bd859..4668fa6 100644
--- a/cpan/Archive-Tar/bin/ptardiff
+++ b/cpan/Archive-Tar/bin/ptardiff
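Review bot: The guard `BEGIN { pop @INC if $INC[-1] eq '.' }` is added below `use strict;`, so one module lookup (strict.pm) still runs with `.` at the end of @INC; that is harmless as long as the core copy is found first, but it leaves one load ahead of the mitigation, and enc2xs has the same ordering with the pop placed after `require Config; import Config;` inside its BEGIN block. Moving the line directly under the shebang here, and making the pop the first statement of the enc2xs block, gives every script the same auditable shape: nothing is loaded before `.` is dropped (ptardiff, cpan and most of the other hunks already do this). The check intentionally drops only a trailing `.`, the default entry; a `.` that sits elsewhere in @INC is left in place, which is worth a short comment such as `# drop the default trailing "." so no module can be resolved from the cwd` beside the line, since this one-liner will be copied into more scripts over time.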
@@ -1,5 +1,6 @@
 #!/usr/bin/perl
+BEGIN { pop @INC if $INC[-1] eq '.' }
 use strict;
 use Archive::Tar;
 use Getopt::Std;
diff --git a/cpan/Archive-Tar/bin/ptargrep b/cpan/Archive-Tar/bin/ptargrep
index 1a320f1..8dc6b4f 100644
--- a/cpan/Archive-Tar/bin/ptargrep
+++ b/cpan/Archive-Tar/bin/ptargrep
@@ -4,6 +4,7 @@
 # archive. See 'ptargrep --help' for more documentation.
 #
+BEGIN { pop @INC if $INC[-1] eq '.' }
 use strict;
 use warnings;
diff --git a/cpan/CPAN/scripts/cpan b/cpan/CPAN/scripts/cpan
index 5f4320e..ccba47e 100644
--- a/cpan/CPAN/scripts/cpan
+++ b/cpan/CPAN/scripts/cpan
@@ -1,5 +1,6 @@
 #!/usr/local/bin/perl
+BEGIN { pop @INC if $INC[-1] eq '.' }
 use strict;
 use vars qw($VERSION);
diff --git a/cpan/Digest-SHA/shasum b/cpan/Digest-SHA/shasum
index 14ddd60..62a2b0e 100644
--- a/cpan/Digest-SHA/shasum
+++ b/cpan/Digest-SHA/shasum
@@ -13,6 +13,7 @@
 ## "-0" option for reading bit strings, and
 ## "-p" option for portable digests (to be deprecated).
+BEGIN { pop @INC if $INC[-1] eq '.' }
 use strict;
 use warnings;
 use Fcntl;
diff --git a/cpan/Encode/bin/enc2xs b/cpan/Encode/bin/enc2xs
index 4d64e38..473a15c 100644
--- a/cpan/Encode/bin/enc2xs
+++ b/cpan/Encode/bin/enc2xs
@@ -4,6 +4,7 @@ BEGIN {
 # with $ENV{PERL_CORE} set
 # In case we need it in future...
 require Config; import Config;
+ pop @INC if $INC[-1] eq '.';
 }
 use strict;
 use warnings;
diff --git a/cpan/Encode/bin/encguess b/cpan/Encode/bin/encguess
index 5d7ac80..0be5c7c 100644
--- a/cpan/Encode/bin/encguess
+++ b/cpan/Encode/bin/encguess
@@ -1,5 +1,6 @@
 #!./perl
 use 5.008001;
+BEGIN { pop @INC if $INC[-1] eq '.' }
 use strict;
 use warnings;
 use Encode;
diff --git a/cpan/Encode/bin/piconv b/cpan/Encode/bin/piconv
index c1dad9e..60b2a59 100644
--- a/cpan/Encode/bin/piconv
+++ b/cpan/Encode/bin/piconv
@@ -1,6 +1,7 @@
 #!./perl
 # $Id: piconv,v 2.7 2014/05/31 09:48:48 dankogai Exp $
 #
+BEGIN { pop @INC if $INC[-1] eq '.' }
 use 5.8.0;
 use strict;
 use Encode ;
diff --git a/cpan/Encode/bin/ucmlint b/cpan/Encode/bin/ucmlint
index 622376d..25e0d67 100644
--- a/cpan/Encode/bin/ucmlint
+++ b/cpan/Encode/bin/ucmlint
@@ -3,6 +3,7 @@
 # $Id: ucmlint,v 2.2 2008/03/12 09:51:11 dankogai Exp $
 #
+BEGIN { pop @INC if $INC[-1] eq '.' }
 use strict;
 our $VERSION = do { my @r = (q$Revision: 2.2 $ =~ /\d+/g); sprintf "%d."."%02d" x $#r, @r };
diff --git a/cpan/Encode/bin/unidump b/cpan/Encode/bin/unidump
index ae0da30..f190827 100644
--- a/cpan/Encode/bin/unidump
+++ b/cpan/Encode/bin/unidump
@@ -1,5 +1,6 @@
 #!./perl
+BEGIN { pop @INC if $INC[-1] eq '.' }
 use strict;
 use Encode;
 use Getopt::Std;
diff --git a/cpan/ExtUtils-MakeMaker/bin/instmodsh b/cpan/ExtUtils-MakeMaker/bin/instmodsh
index e551434..b3b109f 100644
--- a/cpan/ExtUtils-MakeMaker/bin/instmodsh
+++ b/cpan/ExtUtils-MakeMaker/bin/instmodsh
@@ -1,5 +1,6 @@
 #!/usr/bin/perl -w
+BEGIN { pop @INC if $INC[-1] eq '.' }
 use strict;
 use IO::File;
 use ExtUtils::Packlist;
diff --git a/cpan/IO-Compress/bin/zipdetails b/cpan/IO-Compress/bin/zipdetails
index 0249850..1b9c70a 100644
--- a/cpan/IO-Compress/bin/zipdetails
+++ b/cpan/IO-Compress/bin/zipdetails
@@ -5,6 +5,7 @@
 # Display info on the contents of a Zip file
 #
+BEGIN { pop @INC if $INC[-1] eq '.' }
 use strict;
 use warnings ;
diff --git a/cpan/JSON-PP/bin/json_pp b/cpan/JSON-PP/bin/json_pp
index df9d243..896cd2f 100644
--- a/cpan/JSON-PP/bin/json_pp
+++ b/cpan/JSON-PP/bin/json_pp
@@ -1,5 +1,6 @@
 #!/usr/bin/perl
+BEGIN { pop @INC if $INC[-1] eq '.' }
 use strict;
 use Getopt::Long;
diff --git a/cpan/Test-Harness/bin/prove b/cpan/Test-Harness/bin/prove
index 6637cc4..d71b238 100644
--- a/cpan/Test-Harness/bin/prove
+++ b/cpan/Test-Harness/bin/prove
@@ -1,5 +1,6 @@
 #!/usr/bin/perl -w
+BEGIN { pop @INC if $INC[-1] eq '.' }
 use strict;
 use warnings;
 use App::Prove;
diff --git a/dist/ExtUtils-ParseXS/lib/ExtUtils/xsubpp b/dist/ExtUtils-ParseXS/lib/ExtUtils/xsubpp
index e2ac71a..d596cdf 100644
--- a/dist/ExtUtils-ParseXS/lib/ExtUtils/xsubpp
+++ b/dist/ExtUtils-ParseXS/lib/ExtUtils/xsubpp
@@ -1,5 +1,6 @@
 #!perl
 use 5.006;
+BEGIN { pop @INC if $INC[-1] eq '.' }
 use strict;
 eval {
 require ExtUtils::ParseXS;
diff --git a/dist/Module-CoreList/corelist b/dist/Module-CoreList/corelist
index aa4a945..bbe61cc 100644
--- a/dist/Module-CoreList/corelist
+++ b/dist/Module-CoreList/corelist
@@ -130,6 +130,7 @@ requested perl versions.
 =cut
+BEGIN { pop @INC if $INC[-1] eq '.' }
 use Module::CoreList;
 use Getopt::Long qw(:config no_ignore_case);
 use Pod::Usage;
diff --git a/ext/Pod-Html/bin/pod2html b/ext/Pod-Html/bin/pod2html
index b022859..7d1d232 100644
--- a/ext/Pod-Html/bin/pod2html
+++ b/ext/Pod-Html/bin/pod2html
@@ -216,6 +216,7 @@ This program is distributed under the Artistic License.
 =cut
+BEGIN { pop @INC if $INC[-1] eq '.' }
 use Pod::Html;
 pod2html @ARGV;
diff --git a/utils/c2ph.PL b/utils/c2ph.PL
index 13389ec..cef0b5c 100644
--- a/utils/c2ph.PL
+++ b/utils/c2ph.PL
@@ -280,6 +280,7 @@ Anyway, here it is. Should run on perl v4 or greater. Maybe less.
 $RCSID = '$Id: c2ph,v 1.7 95/10/28 10:41:47 tchrist Exp Locker: tchrist $';
+BEGIN { pop @INC if $INC[-1] eq '.' }
 use File::Temp;
 ######################################################################
diff --git a/utils/h2ph.PL b/utils/h2ph.PL
index 55c1f72..300b756 100644
--- a/utils/h2ph.PL
+++ b/utils/h2ph.PL
@@ -36,6 +36,8 @@ $Config{startperl}
 print OUT <<'!NO!SUBS!';
+BEGIN { pop @INC if $INC[-1] eq '.' }
+
 use strict;
 use Config;
diff --git a/utils/h2xs.PL b/utils/h2xs.PL
index 268f680..f95ee0c 100644
--- a/utils/h2xs.PL
+++ b/utils/h2xs.PL
@@ -35,6 +35,8 @@ $Config{startperl}
 print OUT <<'!NO!SUBS!';
+BEGIN { pop @INC if $INC[-1] eq '.' }
+
 use warnings;
 =head1 NAME
diff --git a/utils/libnetcfg.PL b/utils/libnetcfg.PL
index 59a2de8..26d2f99 100644
--- a/utils/libnetcfg.PL
+++ b/utils/libnetcfg.PL
@@ -97,6 +97,7 @@ Jarkko Hietaniemi, conversion into libnetcfg for inclusion into Perl 5.8.
 # $Id: Configure,v 1.8 1997/03/04 09:22:32 gbarr Exp $
+BEGIN { pop @INC if $INC[-1] eq '.' }
 use strict;
 use IO::File;
 use Getopt::Std;
diff --git a/utils/perlbug.PL b/utils/perlbug.PL
index 885785a..ae8c343 100644
--- a/utils/perlbug.PL
+++ b/utils/perlbug.PL
@@ -57,6 +57,7 @@ print OUT <<'!NO!SUBS!';
 my @patches = Config::local_patches();
 my $patch_tags = join "", map /(\S+)/ ? "+$1 " : (), @patches;
+BEGIN { pop @INC if $INC[-1] eq '.' }
 use warnings;
 use strict;
 use Config;
diff --git a/utils/perldoc.PL b/utils/perldoc.PL
index e201de9..cd60bd4 100644
--- a/utils/perldoc.PL
+++ b/utils/perldoc.PL
@@ -44,7 +44,10 @@ $Config{startperl}
 # This "$file" file was generated by "$0"
 require 5;
-BEGIN { \$^W = 1 if \$ENV{'PERLDOCDEBUG'} }
+BEGIN {
+ \$^W = 1 if \$ENV{'PERLDOCDEBUG'};
+ pop \@INC if \$INC[-1] eq '.';
+}
 use Pod::Perldoc;
 exit( Pod::Perldoc->run() );
diff --git a/utils/perlivp.PL b/utils/perlivp.PL
index cc49f96..696a44e 100644
--- a/utils/perlivp.PL
+++ b/utils/perlivp.PL
@@ -39,6 +39,8 @@ print OUT "\n# perlivp $^V\n";
 print OUT <<'!NO!SUBS!';
+BEGIN { pop @INC if $INC[-1] eq '.' }
+
 sub usage {
 warn "@_\n" if @_;
 print << " EOUSAGE";
diff --git a/utils/splain.PL b/utils/splain.PL
index 9c70b61..cae84a0 100644
--- a/utils/splain.PL
+++ b/utils/splain.PL
@@ -38,6 +38,12 @@ $Config{startperl}
 if \$running_under_some_shell;
 !GROK!THIS!
+print <<'!NO!SUBS!';
+
+BEGIN { pop @INC if $INC[-1] eq '.' }
+
+!NO!SUBS!
+
 while () {
 print OUT unless /^package diagnostics/;
 }
-- 
2.8.1
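Review bot: In the perlbug.PL hunk the guard is inserted below `my @patches = Config::local_patches();` and `my $patch_tags = ...`, two run-time statements, rather than beside the `use` lines it protects. It still takes effect first, because a BEGIN block runs at compile time, but a reader scanning top-down sees the @INC change after code that already calls into Config; placing `BEGIN { pop @INC if $INC[-1] eq '.' }` above `my @patches` (still inside the `!NO!SUBS!` heredoc) keeps it adjacent to `use warnings; use strict; use Config;` as in the other scripts. The heredoc this hunk edits opens before the hunk starts.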
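Review bot: The splain.PL hunk emits the new heredoc with a bare `print <<'!NO!SUBS!';`, while the surrounding generator code writes the script through the OUT handle (the `while` loop right below uses `print OUT unless /^package diagnostics/;`). Unless OUT has been made the selected handle earlier in the file, outside this hunk, the BEGIN block goes to the build's STDOUT and never reaches the generated splain, leaving it as the one script in this series still running with `.` at the end of @INC. The fix is the filehandle: `print OUT <<'!NO!SUBS!';`. A cheap post-build check is that the installed splain contains the `pop @INC` line.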