[libmime-encwords-perl] 01/05: Remove . from @INC when loading modules dynamically [CVE-2016-1238]

Salvatore Bonaccorso carnil at debian.org
Mon Jul 25 18:06:03 UTC 2016


This is an automated email from the git hooks/post-receive script.

carnil pushed a commit to branch master
in repository libmime-encwords-perl.

commit bcf0c8154ae9302c86009dfdbca21fa74e4274d3
Author: Dominic Hargreaves <dom at earth.li>
Date:   Mon Jul 25 09:51:13 2016 +0100

    Remove . from @INC when loading modules dynamically [CVE-2016-1238]
---
 debian/changelog                   |  3 +++
 debian/patches/CVE-2016-1238.patch | 32 ++++++++++++++++++++++++++++++++
 debian/patches/series              |  1 +
 3 files changed, 36 insertions(+)

diff --git a/debian/changelog b/debian/changelog
index 7f23d9d..6d712ec 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -10,6 +10,9 @@ libmime-encwords-perl (1.014.3-2) UNRELEASED; urgency=medium
   [ gregor herrmann ]
   * debian/copyright: change Copyright-Format 1.0 URL to HTTPS.
 
+  [ Salvatore Bonaccorso ]
+  * Remove . from @INC when loading modules dynamically [CVE-2016-1238]
+
  -- gregor herrmann <gregoa at debian.org>  Sat, 24 Oct 2015 13:45:56 +0200
 
 libmime-encwords-perl (1.014.3-1) unstable; urgency=medium
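Review bot: The new bullet under [ Salvatore Bonaccorso ] does not name the patch file that carries the fix, so the changelog alone does not tell a reader where the change lives in the package. Suggest naming it in the entry, for example "Add CVE-2016-1238.patch: remove . from @INC when loading modules dynamically", to match the debian/patches/CVE-2016-1238.patch file and series entry added in the same commit.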
diff --git a/debian/patches/CVE-2016-1238.patch b/debian/patches/CVE-2016-1238.patch
new file mode 100644
index 0000000..3b6c7d9
--- /dev/null
+++ b/debian/patches/CVE-2016-1238.patch
@@ -0,0 +1,32 @@
+From e8e8a785b987c78ddee19ed8cc18cb1c70252c87 Mon Sep 17 00:00:00 2001
+From: Dominic Hargreaves <dom at earth.li>
+Date: Mon, 25 Jul 2016 09:49:23 +0100
+Subject: [PATCH] Remove . from @INC when loading modules dynamically
+ [CVE-2016-1238]
+Forwarded: https://rt.cpan.org/Ticket/Display.html?id=116463
+Bug: https://rt.cpan.org/Ticket/Display.html?id=116463
+
+---
+ lib/MIME/EncWords.pm | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/lib/MIME/EncWords.pm b/lib/MIME/EncWords.pm
+index 0d84dd3..005c012 100644
+--- a/lib/MIME/EncWords.pm
++++ b/lib/MIME/EncWords.pm
+@@ -143,7 +143,11 @@ $Config = {
+     MaxLineLen => 76,
+     Minimal => 'YES',
+ };
+-eval { require MIME::EncWords::Defaults; };
++eval {
++    local @INC = @INC;
++    pop @INC if $INC[-1] eq '.';
++    require MIME::EncWords::Defaults;
++};
+ 
+ ### Private Constants
+ 
+-- 
+2.1.4
+
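Review bot: In the lib/MIME/EncWords.pm hunk, `pop @INC if $INC[-1] eq '.';` strips the current directory only when it is the final @INC entry, and nothing in the code says that this is deliberate. That covers the entry perl appends by default, but a "." sitting earlier in the list is left in place for the `require MIME::EncWords::Defaults;` lookup, and with an empty @INC the comparison is made against undef. A one-line comment above the pop stating that only the default trailing "." is being dropped would make the intent clear to later readers. Because the surrounding eval discards any failure of this optional require, it is also worth confirming by test that the module still loads its defaults from the installed location after the change.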
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 0000000..34520df
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1 @@
+CVE-2016-1238.patch

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-perl/packages/libmime-encwords-perl.git


