[libmime-charset-perl] 01/04: Remove . from @INC when loading modules dynamically [CVE-2016-1238]

Salvatore Bonaccorso carnil at debian.org
Mon Jul 25 17:28:56 UTC 2016 

This is an automated email from the git hooks/post-receive script.

carnil pushed a commit to branch master
in repository libmime-charset-perl.

commit e1f8204626bb0002cab290b7953db1e236ca0bdf
Author: Dominic Hargreaves <dom at earth.li>
Date:   Sun Jul 24 20:08:14 2016 +0100

    Remove . from @INC when loading modules dynamically [CVE-2016-1238]
---
 debian/changelog                   |  3 +++
 debian/patches/CVE-2016-1238.patch | 26 ++++++++++++++++++++++++++
 debian/patches/series              |  1 +
 3 files changed, 30 insertions(+)

diff --git a/debian/changelog b/debian/changelog
index c441009..3b30bba 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -6,6 +6,9 @@ libmime-charset-perl (1.012-2) UNRELEASED; urgency=medium
   [ gregor herrmann ]
   * debian/copyright: change Copyright-Format 1.0 URL to HTTPS.
 
+  [ Salvatore Bonaccorso ]
+  * Remove . from @INC when loading modules dynamically [CVE-2016-1238]
+
  -- Salvatore Bonaccorso <carnil at debian.org>  Sat, 30 Jan 2016 20:05:22 +0100
 
 libmime-charset-perl (1.012-1) unstable; urgency=medium
diff --git a/debian/patches/CVE-2016-1238.patch b/debian/patches/CVE-2016-1238.patch
new file mode 100644
index 0000000..3cfa68b
--- /dev/null
+++ b/debian/patches/CVE-2016-1238.patch
@@ -0,0 +1,26 @@
+From 327106167f69bd629988f0926e5a3a56574ff40a Mon Sep 17 00:00:00 2001
+From: Dominic Hargreaves <dom at earth.li>
+Date: Sun, 24 Jul 2016 20:06:29 +0100
+Subject: [PATCH] Remove . from @INC when loading modules dynamically
+ [CVE-2016-1238]
+
+---
+ lib/MIME/Charset.pm | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/lib/MIME/Charset.pm b/lib/MIME/Charset.pm
+index 844bce6..948c2e3 100644
+--- a/lib/MIME/Charset.pm
++++ b/lib/MIME/Charset.pm
+@@ -345,6 +345,8 @@ $Config = {
+     Mapping =>         'EXTENDED',
+     Replacement =>     'DEFAULT',
+ };
++local @INC = @INC;
++pop @INC if $INC[-1] eq '.';
+ eval { require MIME::Charset::Defaults; };
+ 
+ ######## Private Constants ########
+-- 
+2.1.4
+
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 0000000..34520df
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1 @@
+CVE-2016-1238.patch

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-perl/packages/libmime-charset-perl.git

More information about the Pkg-perl-cvs-commits mailing list