[devscripts] 02/02: Remove . from @INC when loading modules dynamically

James McCoy jamessan at debian.org
Mon Aug 22 01:43:03 UTC 2016 

This is an automated email from the git hooks/post-receive script.

jamessan pushed a commit to branch master
in repository devscripts.

commit f0e038fb35afc364d47fb9a3c8cbf63f173057da
Author: James McCoy <jamessan at debian.org>
Date:   Sun Aug 21 21:36:17 2016 -0400

    Remove . from @INC when loading modules dynamically
    
    Signed-off-by: James McCoy <jamessan at debian.org>
---
 debian/changelog         |  4 ++++
 scripts/dcontrol.pl      |  1 +
 scripts/desktop2menu.pl  |  1 +
 scripts/dscverify.pl     | 12 +-----------
 scripts/grep-excuses.pl  |  1 +
 scripts/plotchangelog.pl |  1 +
 scripts/rmadison.pl      |  1 +
 scripts/uscan.pl         |  1 +
 8 files changed, 11 insertions(+), 11 deletions(-)

diff --git a/debian/changelog b/debian/changelog
index badd0f4..4121dda 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -21,6 +21,10 @@ devscripts (2.16.7) UNRELEASED; urgency=medium
   [ Christoph Berg ]
   * origtargz: Fix unpacking of tarballs found in --path.
 
+  [ James McCoy ]
+  * Remove . from @INC when loading modules dynamically. [CVE-2016-1238]
+    (Closes: #832441)
+
  -- Paul Wise <pabs at debian.org>  Fri, 15 Jul 2016 22:36:19 +0800
 
 devscripts (2.16.6) unstable; urgency=medium
diff --git a/scripts/dcontrol.pl b/scripts/dcontrol.pl
index f154b02..309e585 100755
--- a/scripts/dcontrol.pl
+++ b/scripts/dcontrol.pl
@@ -24,6 +24,7 @@ use File::Basename;
 use Getopt::Long qw(:config gnu_getopt);
 
 BEGIN {
+    pop @INC if $INC[-1] eq '.';
     # Load the URI::Escape and LWP::UserAgent modules safely
     my $progname = basename($0,'.pl');
     eval { require URI::Escape; };
diff --git a/scripts/desktop2menu.pl b/scripts/desktop2menu.pl
index 47261ea..f915ec2 100755
--- a/scripts/desktop2menu.pl
+++ b/scripts/desktop2menu.pl
@@ -64,6 +64,7 @@ use File::Basename;
 my $progname = basename($0);
 
 BEGIN {
+    pop @INC if $INC[-1] eq '.';
     # Load the File::DesktopEntry module safely
     eval { require File::DesktopEntry; };
     if ($@) {
diff --git a/scripts/dscverify.pl b/scripts/dscverify.pl
index 07f3a5f..cb2946f 100755
--- a/scripts/dscverify.pl
+++ b/scripts/dscverify.pl
@@ -26,6 +26,7 @@ use strict;
 use warnings;
 use Cwd;
 use Fcntl;
+use Digest::MD5;
 use Dpkg::IPC;
 use File::Spec;
 use File::Temp;
@@ -34,17 +35,6 @@ use POSIX	qw(:errno_h);
 use Getopt::Long qw(:config gnu_getopt);
 use List::Util qw(first);
 
-BEGIN {
-    eval { require Digest::MD5; };
-    if ($@) {
-	my $progname = basename $0;
-	if ($@ =~ /^Can\'t locate Digest\/MD5\.pm/) {
-	    die "$progname: you must have the libdigest-md5-perl package installed\nto use this script\n";
-	}
-	die "$progname: problem loading the Digest::MD5 module:\n  $@\nHave you installed the libdigest-md5-perl package?\n";
-    }
-}
-
 my $progname = basename $0;
 my $modified_conf_msg;
 my $Exit = 0;
diff --git a/scripts/grep-excuses.pl b/scripts/grep-excuses.pl
index 7b78560..d6b234a 100755
--- a/scripts/grep-excuses.pl
+++ b/scripts/grep-excuses.pl
@@ -32,6 +32,7 @@ my $term_size_broken;
 
 sub have_term_size {
     return ($term_size_broken ? 0 : 1) if defined $term_size_broken;
+    pop @INC if $INC[-1] eq '.';
     # Load the Term::Size module safely
     eval { require Term::Size; };
     if ($@) {
diff --git a/scripts/plotchangelog.pl b/scripts/plotchangelog.pl
index 3bf642a..df45814 100755
--- a/scripts/plotchangelog.pl
+++ b/scripts/plotchangelog.pl
@@ -32,6 +32,7 @@ use Fcntl;
 use Getopt::Long qw(:config gnu_getopt);
 
 BEGIN {
+    pop @INC if $INC[-1] eq '.';
     eval { require Date::Parse; import Date::Parse (); };
     if ($@) {
 	my $progname = basename($0);
diff --git a/scripts/rmadison.pl b/scripts/rmadison.pl
index bae237e..390b8d8 100755
--- a/scripts/rmadison.pl
+++ b/scripts/rmadison.pl
@@ -24,6 +24,7 @@ use File::Basename;
 use Getopt::Long qw(:config gnu_getopt);
 
 BEGIN {
+    pop @INC if $INC[-1] eq '.';
     # Load the URI::Escape module safely
     eval { require URI::Escape; };
     if ($@) {
diff --git a/scripts/uscan.pl b/scripts/uscan.pl
index 73b2d35..68187fd 100755
--- a/scripts/uscan.pl
+++ b/scripts/uscan.pl
@@ -1703,6 +1703,7 @@ use Text::ParseWords;
 use Digest::MD5;
 
 BEGIN {
+    pop @INC if $INC[-1] eq '.';
     eval { require LWP::UserAgent; };
     if ($@) {
 	my $progname = basename($0);

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/collab-maint/devscripts.git

More information about the devscripts-devel mailing list