[libnet-dns-perl] 01/02: Remove . from @INC when loading modules dynamically [CVE-2016-1238]

dom at earth.li
Mon Jul 25 14:05:16 UTC 2016


This is an automated email from the git hooks/post-receive script.

dom pushed a commit to branch jessie-security
in repository libnet-dns-perl.

commit e2170af53935b14067b3837cc07077d4b7b8b38d
Author: Dominic Hargreaves <dom at earth.li>
Date:   Mon Jul 25 10:24:01 2016 +0100

    Remove . from @INC when loading modules dynamically [CVE-2016-1238]
---
 debian/changelog                   |  7 +++++++
 debian/patches/CVE-2016-1238.patch | 26 ++++++++++++++++++++++++++
 debian/patches/series              |  1 +
 3 files changed, 34 insertions(+)

diff --git a/debian/changelog b/debian/changelog
index 828d81e..e1a21cc 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+libnet-dns-perl (0.81-2+deb8u1) UNRELEASED; urgency=medium
+
+  * Team upload.
+  * Remove . from @INC when loading modules dynamically [CVE-2016-1238]
+
+ -- Dominic Hargreaves <dom at earth.li>  Mon, 25 Jul 2016 10:23:48 +0100
+
 libnet-dns-perl (0.81-2) unstable; urgency=medium
 
   * Ignore link-local IPv6 resolvers (Closes: #765327)
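
Review bot: The distribution field of the new 0.81-2+deb8u1 entry is still `UNRELEASED` although this commit is on the jessie-security branch, so it has to be set to the target suite before the upload is built. The item line would also help a changelog reader more if it named what is affected, the optional `require Net::LibIDN` in lib/Net/DNS/Domain.pm, because "loading modules dynamically" does not say which load path was exposed.
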
diff --git a/debian/patches/CVE-2016-1238.patch b/debian/patches/CVE-2016-1238.patch
new file mode 100644
index 0000000..6f3d685
--- /dev/null
+++ b/debian/patches/CVE-2016-1238.patch
@@ -0,0 +1,26 @@
+From a8acf39ad82f41049908cfc239e0fb3c3ff53f64 Mon Sep 17 00:00:00 2001
+From: Dominic Hargreaves <dom at earth.li>
+Date: Mon, 25 Jul 2016 10:22:43 +0100
+Subject: [PATCH] Remove . from @INC when loading modules dynamically
+ [CVE-2016-1238]
+
+---
+ lib/Net/DNS/Domain.pm | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/lib/Net/DNS/Domain.pm b/lib/Net/DNS/Domain.pm
+index d8d88b4..1c7fa8c 100644
+--- a/lib/Net/DNS/Domain.pm
++++ b/lib/Net/DNS/Domain.pm
+@@ -54,6 +54,8 @@ use constant UTF8 => eval {
+ } || 0;
+ 
+ use constant LIBIDN => eval {
++	local @INC = @INC;
++	pop @INC if $INC[-1] eq '.';
+ 	require Net::LibIDN;					# tested and working
+ 	UTF8 && Net::LibIDN::idn_to_ascii( pack( 'U*', 20013, 22269 ), 'utf-8' ) eq 'xn--fiqs8s';
+ } || 0;
+-- 
+2.1.4
+
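
Review bot: The two lines added to the `LIBIDN` eval in Domain.pm have no comment, and `pop @INC if $INC[-1] eq '.';` drops the current directory only when it is the last entry of @INC, so a '.' that appears earlier in the list is still searched when `require Net::LibIDN` runs. If covering only the default trailing entry is the intent, a one-line comment above `local @INC = @INC;` saying so and citing CVE-2016-1238 would keep a later cleanup from removing the lines. The hunk header shows a preceding `use constant UTF8 => eval {` block; it is worth confirming that block does not load an optional module the same way. The patch file itself carries only the git From/Date/Subject header, with no field recording whether the change has been forwarded upstream.
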
diff --git a/debian/patches/series b/debian/patches/series
index 81c604a..9422415 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,2 +1,3 @@
 dnswalk-readme-note.patch
 ignore-link-local-IPv6-resolvers.patch
+CVE-2016-1238.patch

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-perl/packages/libnet-dns-perl.git


