[libmodule-build-perl] 01/02: Work around removal of "." in @INC (CVE-2016-1238)

dom at earth.li dom at earth.li
Mon Jul 25 13:35:38 UTC 2016


This is an automated email from the git hooks/post-receive script.

dom pushed a commit to branch jessie-security
in repository libmodule-build-perl.

commit acfde7d80ee3a3369b795d98738c7c0050ba2bbf
Author: Dominic Hargreaves <dom at earth.li>
Date:   Fri Jul 8 15:59:04 2016 +0200

    Work around removal of "." in @INC (CVE-2016-1238)
---
 debian/changelog       |  7 +++++++
 debian/patches/inc-fix | 27 +++++++++++++++++++++++++++
 debian/patches/series  |  1 +
 3 files changed, 35 insertions(+)

diff --git a/debian/changelog b/debian/changelog
index d244c13..6e1ed91 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+libmodule-build-perl (0.421000-2+deb8u1) UNRELEASED; urgency=medium
+
+  * Team upload
+  * Work around removal of "." in @INC (CVE-2016-1238)
+
+ -- Dominic Hargreaves <dom at earth.li>  Fri, 08 Jul 2016 15:57:33 +0200
+
 libmodule-build-perl (0.421000-2) unstable; urgency=medium
 
   [ gregor herrmann ]
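Review bot: The new changelog entry says only 'Work around removal of "." in @INC (CVE-2016-1238)' and does not say how; name the patch (debian/patches/inc-fix) and state that it puts "." back into @INC for Module::Build runs, so that a reader of the changelog alone can see what behaviour changes. The stanza also still targets UNRELEASED while the commit sits on the jessie-security branch, so the distribution field needs setting to the intended suite before upload.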
diff --git a/debian/patches/inc-fix b/debian/patches/inc-fix
new file mode 100644
index 0000000..844252b
--- /dev/null
+++ b/debian/patches/inc-fix
@@ -0,0 +1,27 @@
+From c65e48f6291923db1856b47b73e4d31c989dbade Mon Sep 17 00:00:00 2001
+From: Niko Tyni <ntyni at debian.org>
+Date: Fri, 8 Jul 2016 15:55:37 +0200
+Subject: [PATCH] Make Module::Build set PERL_UNSAFE_INC
+
+Author: Todd Rinaldo <toddr at cpan.org>
+Origin: https://gist.githubusercontent.com/toddr/d77d8d5fa9caa8f96b7758a126caa4dc/raw/3b1a327efdd9a6babf5eed8fb9c241a6d4909be6/fix.patch
+---
+ lib/Module/Build/Base.pm | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/lib/Module/Build/Base.pm b/lib/Module/Build/Base.pm
+index 81df654..a4aeb57 100644
+--- a/lib/Module/Build/Base.pm
++++ b/lib/Module/Build/Base.pm
+@@ -1859,6 +1859,8 @@ BEGIN {
+     (
+ $quoted_INC
+     );
++  push \@INC, "." unless grep { \$_ eq "." } \@INC; # Force my process to include . in \@INC.
++  \$ENV{"PERL_USE_UNSAFE_INC"} = 1; # Force all child processes to include . in \@INC.
+ }
+ 
+ close(*DATA) unless eof(*DATA); # ensure no open handles to this script
+-- 
+2.1.4
+
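Review bot: The Subject line of the embedded patch says "set PERL_UNSAFE_INC", but the line added in the BEGIN block sets PERL_USE_UNSAFE_INC; the Subject should use the name the code actually sets, otherwise anyone searching for the variable will miss this patch. The header carries Author and Origin but no description of the trade-off: per the two added comments, "." is forced into @INC for the Build process and, through the environment, for all child processes, which restores current-directory module loading for everything the build spawns. A short Description stating that this is deliberate, why Module::Build needs it, and that builds should therefore only be run from a trusted working directory would make the scope of the workaround clear to whoever later revisits it.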
diff --git a/debian/patches/series b/debian/patches/series
index 4218d4a..c24904a 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,2 +1,3 @@
 man-ext
 0001-Allow-loading-from-system-path-when-running-under-au.patch
+inc-fix
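Review bot: The series entry "inc-fix" gives no hint of what it fixes, and the patch it names re-adds "." to @INC rather than removing it; a name that mentions the CVE or the variable being set would make the series file self-explanatory next to 0001-Allow-loading-from-system-path-when-running-under-au.patch.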

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-perl/packages/libmodule-build-perl.git


