[libconfig-model-perl] 02/04: add patch to remove '.' in @INC emulation (CVE-2017-0374)
dod at debian.org
Sun May 14 17:20:36 UTC 2017
This is an automated email from the git hooks/post-receive script.
dod pushed a commit to branch stretch
in repository libconfig-model-perl.
commit 0de8471e5a8958ad37446dfcd0362a269e3ec573
Author: Dominique Dumont <dod at debian.org>
Date: Wed May 10 11:54:59 2017 +0200
add patch to remove '.' in @INC emulation (CVE-2017-0374)
---
debian/patches/remove-inc-dot-emulation | 47 +++++++++++++++++++++++++++++++++
debian/patches/series | 1 +
2 files changed, 48 insertions(+)
diff --git a/debian/patches/remove-inc-dot-emulation b/debian/patches/remove-inc-dot-emulation
new file mode 100644
index 0000000..f92e116
--- /dev/null
+++ b/debian/patches/remove-inc-dot-emulation
@@ -0,0 +1,47 @@
+Description: Remove inc dot emulation
+ Using '.' in @INC while loading models and model snippts allows to
+ run arbitrary code by specially crafted models placed in the current
+ working directory (as an aftermath of the fixes for the removal of
+ '.' in @INC in perl).
+.
+ This patch removes the search in '.' and fixes the collateral
+ damage. Note that tests must be run with PERL5LIB=. variable so model
+ files can be searched in '.' only during tests.
+Bug: https://security-tracker.debian.org/tracker/CVE-2017-0374
+Author: Dominique Dumont <dod at debian.org>
+Origin: upstream
+Applied-Upstream: v2.102
+--- a/lib/Config/Model.pm
++++ b/lib/Config/Model.pm
+@@ -1198,7 +1198,7 @@
+ # look for additional model information
+ my %model_graft_by_name;
+ my %done; # avoid loading twice the same snippet (where system version may clobber dev version)
+- foreach my $inc (@INC,'.') {
++ foreach my $inc (@INC) {
+ foreach my $name ( keys %models_by_name ) {
+ my $snippet_path = $name;
+ $snippet_path =~ s/::/\//g;
+@@ -1206,6 +1206,13 @@
+ get_logger("Model::Loader")->trace("looking for snippet in $snippet_dir");
+ if ( -d $snippet_dir ) {
+ foreach my $snippet_file ( glob("$snippet_dir/*.pl") ) {
++
++ # $snippet_file is constructed from @INC content
++ # (i.e. $inc). Since _load_model_in_hash uses 'do'
++ # (which searches in @INC), the file path passed
++ # to _load_model_in_hash must be relative to $inc.
++ $snippet_file = substr $snippet_file, length($inc) + 1;
++
+ my $done_key = $name . ':' . $snippet_file;
+ next if $done{$done_key};
+ get_logger("Model::Loader")->info("Found snippet $snippet_file");
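Review bot: After the new `$snippet_file = substr $snippet_file, length($inc) + 1;` line, the file that `do` loads is the first match for that relative path in @INC order, not necessarily the one glob just found under this `$inc`. If that is the intent (the `%done` comment about the system version clobbering the dev version suggests it is), the new comment should say so. The offset `length($inc) + 1` also relies on every glob result starting with `$inc` plus exactly one separator, and the construction of `$snippet_dir` is outside this hunk, so a prefix check before the `substr` (or File::Spec->abs2rel) would make that assumption explicit instead of silently producing a mangled path.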
+@@ -1260,7 +1267,7 @@
+ get_logger("Model::Loader")->info("load model $load_file");
+
+ my $err_msg = '';
+- $load_file = "./$load_file" if $load_file !~ m!^/! and -e $load_file ;
++ # do searches @INC if the file path is not absolute
+ my $model = do $load_file;
+
+ unless ($model) {
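Review bot: The replacement comment above `my $model = do $load_file;` is incomplete: Perl's `do` skips the @INC search not only for absolute paths but also for paths starting with `./` or `../`, so a caller that passes such a `$load_file` still loads relative to the current working directory. Suggest stating that exception in the comment and rejecting or normalising such paths before the `do`, unless callers are already guaranteed to pass @INC-relative names.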
diff --git a/debian/patches/series b/debian/patches/series
index bbfef60..2650334 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,3 +1,4 @@
#fix-cryptic-message
fix-debci
remove-use-lib
+remove-inc-dot-emulation
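Review bot: Nothing in this commit sets `PERL5LIB=.` for the package's test runs, although the description of the patch added to `series` here says the tests need it to find model files in '.'. The diffstat shows only the patch and `series` changed, so confirm that another commit in this push sets the variable for the build-time tests, and that it is scoped to the tests only.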
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-perl/packages/libconfig-model-perl.git