[libsys-syslog-perl] 01/02: Remove . from @INC when loading modules dynamically [CVE-2016-1238]
dom at earth.li
Tue Jul 26 15:55:12 UTC 2016
This is an automated email from the git hooks/post-receive script.
dom pushed a commit to branch jessie-security
in repository libsys-syslog-perl.
commit 9670c61962bd722ceb8bf8db78f4d62896db74e6
Author: Dominic Hargreaves <dom at earth.li>
Date: Sun Jul 24 19:41:40 2016 +0100
Remove . from @INC when loading modules dynamically [CVE-2016-1238]
---
debian/changelog | 7 +++++++
debian/patches/CVE-2016-1238.patch | 26 ++++++++++++++++++++++++++
debian/patches/series | 1 +
3 files changed, 34 insertions(+)
diff --git a/debian/changelog b/debian/changelog
index 14647e4..76c4bff 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+libsys-syslog-perl (0.33-1+deb8u1) UNRELEASED; urgency=medium
+
+ * Team upload.
+ * Remove . from @INC when loading modules dynamically [CVE-2016-1238]
+
+ -- Dominic Hargreaves <dom at earth.li> Sun, 24 Jul 2016 19:41:02 +0100
+
libsys-syslog-perl (0.33-1) unstable; urgency=low
[ Ansgar Burchardt ]
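Review bot: The new changelog entry still has its distribution set to UNRELEASED, although this commit is on the jessie-security branch; set it to the suite the upload targets when the entry is finalised. The entry names the CVE but not the patch file that carries the fix, so a mention of debian/patches/CVE-2016-1238.patch would make the change easier to trace from the changelog alone.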
diff --git a/debian/patches/CVE-2016-1238.patch b/debian/patches/CVE-2016-1238.patch
new file mode 100644
index 0000000..99b3238
--- /dev/null
+++ b/debian/patches/CVE-2016-1238.patch
@@ -0,0 +1,26 @@
+From 64cdffee5a52d4b73a707584d4aac3df9b119a5c Mon Sep 17 00:00:00 2001
+From: Dominic Hargreaves <dom at earth.li>
+Date: Sun, 24 Jul 2016 19:43:50 +0100
+Subject: [PATCH] Remove . from @INC when loading modules dynamically
+ [CVE-2016-1238]
+
+---
+ Syslog.pm | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/Syslog.pm b/Syslog.pm
+index 25164af..eed224a 100644
+--- a/Syslog.pm
++++ b/Syslog.pm
+@@ -888,6 +888,8 @@ sub silent_eval (&) {
+ sub can_load {
+ my ($module, $verbose) = @_;
+ local($SIG{__DIE__}, $SIG{__WARN__}, $@);
++ local @INC = @INC;
++ pop @INC if $INC[-1] eq '.';
+ my $loaded = eval "use $module; 1";
+ warn $@ if not $loaded and $verbose;
+ return $loaded
+--
+2.1.4
+
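Review bot: In can_load, the added line `pop @INC if $INC[-1] eq '.';` reads $INC[-1] without first checking that @INC is non-empty, so with an empty @INC the comparison runs against undef; `pop @INC if @INC && $INC[-1] eq '.';` avoids that. The check also strips '.' only when it is the last entry, so a '.' placed earlier in @INC is still searched by the following `eval "use $module; 1"`. If dropping only the trailing entry is the intent, a one-line comment above the pop saying so would help. The patch header carries a subject but no description body, so it does not say why '.' is removed or which dynamic loads are affected.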
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 0000000..34520df
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1 @@
+CVE-2016-1238.patch
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-perl/attic/libsys-syslog-perl.git