[libsys-syslog-perl] 01/02: Remove . from @INC when loading modules dynamically [CVE-2016-1238]

dom at earth.li dom at earth.li
Tue Jul 26 15:55:12 UTC 2016


This is an automated email from the git hooks/post-receive script.

dom pushed a commit to branch jessie-security
in repository libsys-syslog-perl.

commit 9670c61962bd722ceb8bf8db78f4d62896db74e6
Author: Dominic Hargreaves <dom at earth.li>
Date:   Sun Jul 24 19:41:40 2016 +0100

    Remove . from @INC when loading modules dynamically [CVE-2016-1238]
---
 debian/changelog                   |  7 +++++++
 debian/patches/CVE-2016-1238.patch | 26 ++++++++++++++++++++++++++
 debian/patches/series              |  1 +
 3 files changed, 34 insertions(+)

diff --git a/debian/changelog b/debian/changelog
index 14647e4..76c4bff 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+libsys-syslog-perl (0.33-1+deb8u1) UNRELEASED; urgency=medium
+
+  * Team upload.
+  * Remove . from @INC when loading modules dynamically [CVE-2016-1238]
+
+ -- Dominic Hargreaves <dom at earth.li>  Sun, 24 Jul 2016 19:41:02 +0100
+
 libsys-syslog-perl (0.33-1) unstable; urgency=low
 
   [ Ansgar Burchardt ]
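
Review bot: the new 0.33-1+deb8u1 entry at the top of this hunk says only "Remove . from @INC when loading modules dynamically", without naming what was touched. Please mention the added patch (debian/patches/CVE-2016-1238.patch) and the function it changes (can_load in Syslog.pm), so the security fix can be located from the changelog alone. The distribution field is also still UNRELEASED and will need to be set before this is uploaded from the jessie-security branch.
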
diff --git a/debian/patches/CVE-2016-1238.patch b/debian/patches/CVE-2016-1238.patch
new file mode 100644
index 0000000..99b3238
--- /dev/null
+++ b/debian/patches/CVE-2016-1238.patch
@@ -0,0 +1,26 @@
+From 64cdffee5a52d4b73a707584d4aac3df9b119a5c Mon Sep 17 00:00:00 2001
+From: Dominic Hargreaves <dom at earth.li>
+Date: Sun, 24 Jul 2016 19:43:50 +0100
+Subject: [PATCH] Remove . from @INC when loading modules dynamically
+ [CVE-2016-1238]
+
+---
+ Syslog.pm | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/Syslog.pm b/Syslog.pm
+index 25164af..eed224a 100644
+--- a/Syslog.pm
++++ b/Syslog.pm
+@@ -888,6 +888,8 @@ sub silent_eval (&) {
+ sub can_load {
+     my ($module, $verbose) = @_;
+     local($SIG{__DIE__}, $SIG{__WARN__}, $@);
++    local @INC = @INC;
++    pop @INC if $INC[-1] eq '.';
+     my $loaded = eval "use $module; 1";
+     warn $@ if not $loaded and $verbose;
+     return $loaded
+-- 
+2.1.4
+
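
Review bot: in can_load, "pop @INC if $INC[-1] eq '.';" drops the current directory only when it is the last element of @INC, so a '.' at any earlier position is still searched by the following eval "use $module; 1". If removing only a trailing '.' is the intent, say so in a comment above that line or in the patch description, which is currently empty between the Subject header and the "---" separator. The description is also the place to record whether the change has been forwarded upstream. The "local @INC = @INC;" copy correctly limits the change to this call.
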
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 0000000..34520df
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1 @@
+CVE-2016-1238.patch

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-perl/attic/libsys-syslog-perl.git


