Bug#832441: devscripts: CVE-2016-1238 fix
James McCoy
jamessan at debian.org
Tue Jul 26 00:41:03 UTC 2016
On Mon, Jul 25, 2016 at 03:48:13PM +0100, Dominic Hargreaves wrote:
> An update for this package has been released as part of our handling for
> the issue described below. This fixes an instance of the dynamic module
> loading vulnerability alluded to.
>
> I attach the patch I applied for jessie; please could you review this
> and apply something similar for sid?
Thanks for the notice.
> From ec54f8919620d6b064f0c61015af553570c2ee3a Mon Sep 17 00:00:00 2001
> From: Dominic Hargreaves <dom at earth.li>
> Date: Mon, 25 Jul 2016 10:06:19 +0100
> Subject: [PATCH 1/2] Remove . from @INC when loading modules dynamically
> [CVE-2016-1238]
>
> diff --git a/scripts/desktop2menu.pl b/scripts/desktop2menu.pl
> index f97551d..92c99f8 100755
> --- a/scripts/desktop2menu.pl
> +++ b/scripts/desktop2menu.pl
> @@ -64,6 +64,7 @@ use File::Basename;
> my $progname = basename($0);
>
> BEGIN {
> + pop @INC if $INC[-1] eq '.';
> # Load the File::DesktopEntry module safely
> eval { require File::DesktopEntry; };
> if ($@) {
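Review bot: the added `pop @INC if $INC[-1] eq '.';` at the top of the BEGIN block carries no comment, and the existing comment below it ("Load the File::DesktopEntry module safely") describes the eval rather than the @INC change. Suggest a one-line comment naming CVE-2016-1238 and stating that the pop is intentionally unscoped: it runs in BEGIN, so it alters @INC for every later load in the script, not only this require. The check also only matches '.' as the last @INC entry; if that is the only position the fix is meant to cover, the comment should say so.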
I'm curious why only this script was changed. From a quick search, it
looks like there are at least a few more that should be changed, if I
understand the problem properly.
$ ag --perl '\{ require'
scripts/desktop2menu.pl:68: eval { require File::DesktopEntry; };
scripts/dcontrol.pl:28: eval { require URI::Escape; };
scripts/dcontrol.pl:37: eval { require LWP::UserAgent; };
scripts/plotchangelog.pl:35: eval { require Date::Parse; import Date::Parse (); };
scripts/dscverify.pl:36: eval { require Digest::MD5; };
scripts/rmadison.pl:27: eval { require URI::Escape; };
scripts/uscan.pl:40: eval { require LWP::UserAgent; };
scripts/uscan.pl:59:eval { require LWP::Protocol::https; };
scripts/grep-excuses.pl:32: eval { require Term::Size; };
There are likely a few more not caught by this search, too.
Cheers,
--
James
GPG Key: 4096R/91BF BF4D 6956 BD5D F7B7 2D23 DFE6 91AE 331B A3DB
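The search in the message above is line-oriented, and James notes it likely misses some cases. The following is an added example (not part of the original email or of devscripts) that audits Perl source for eval-wrapped `require` calls, including ones split across lines, and reports whether the patch's `@INC` guard appears earlier in the file. The function name `audit` and both sample scripts are constructed for illustration.

```python
import re

# `eval { require Foo::Bar; }`, including the form split across lines,
# which a line-oriented search for '{ require' does not see.
DYNAMIC_REQUIRE = re.compile(r"\beval\s*\{\s*require\s+([A-Za-z_][\w:]*)")
# The guard from the quoted patch, with either quote style around the dot.
INC_GUARD = re.compile(r"""\bpop\s+@INC\s+if\s+\$INC\[-1\]\s+eq\s+(['"])\.\1""")

# Constructed sample inputs (not files from devscripts).
SAMPLE_PATCHED = """\
#!/usr/bin/perl
use strict;
BEGIN {
    pop @INC if $INC[-1] eq '.';
    # Load the File::DesktopEntry module safely
    eval { require File::DesktopEntry; };
}
"""
SAMPLE_UNPATCHED = """\
#!/usr/bin/perl
use strict;
BEGIN {
    eval {
        require URI::Escape;
    };
    eval { require LWP::UserAgent; };
}
"""

def audit(source):
    """Return [(line, module, guarded)] for each eval-wrapped require.

    Heuristic: 'guarded' means the guard appears earlier in the file text;
    it does not model Perl's execution order.
    """
    # Blank out full-line comments but keep line numbering intact.
    code = "\n".join("" if ln.lstrip().startswith("#") else ln
                     for ln in source.split("\n"))
    guard_offsets = [m.start() for m in INC_GUARD.finditer(code)]
    findings = []
    for m in DYNAMIC_REQUIRE.finditer(code):
        line = code.count("\n", 0, m.start(1)) + 1
        guarded = any(off < m.start() for off in guard_offsets)
        findings.append((line, m.group(1), guarded))
    return findings

if __name__ == "__main__":
    for name, src in (("patched", SAMPLE_PATCHED), ("unpatched", SAMPLE_UNPATCHED)):
        for line, module, guarded in audit(src):
            status = "ok" if guarded else "NO @INC GUARD"
            print(f"{name}:{line}: require {module}: {status}")
```

String-form `eval "require ..."` and bare run-time `require` outside an eval are not matched by this pattern and need a separate check.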