[libconfig-model-perl] 02/04: add patch to remove '.' in @INC emulation (CVE-2017-0374)

dod at debian.org dod at debian.org
Sun May 14 17:20:36 UTC 2017


This is an automated email from the git hooks/post-receive script.

dod pushed a commit to branch stretch
in repository libconfig-model-perl.

commit 0de8471e5a8958ad37446dfcd0362a269e3ec573
Author: Dominique Dumont <dod at debian.org>
Date:   Wed May 10 11:54:59 2017 +0200

    add patch to remove '.' in @INC emulation (CVE-2017-0374)
---
 debian/patches/remove-inc-dot-emulation | 47 +++++++++++++++++++++++++++++++++
 debian/patches/series                   |  1 +
 2 files changed, 48 insertions(+)

diff --git a/debian/patches/remove-inc-dot-emulation b/debian/patches/remove-inc-dot-emulation
new file mode 100644
index 0000000..f92e116
--- /dev/null
+++ b/debian/patches/remove-inc-dot-emulation
@@ -0,0 +1,47 @@
+Description: Remove inc dot emulation
+ Using '.' in @INC while loading models and model snippts allows to
+ run arbitrary code by specially crafted models placed in the current
+ working directory (as an aftermath of the fixes for the removal of
+ '.' in @INC in perl).
+.
+ This patch removes the search in '.' and fixes the collateral
+ damage. Note that tests must be run with PERL5LIB=. variable so model
+ files can be searched in '.' only during tests.
+Bug: https://security-tracker.debian.org/tracker/CVE-2017-0374
+Author: Dominique Dumont <dod at debian.org>
+Origin: upstream
+Applied-Upstream: v2.102
+--- a/lib/Config/Model.pm
++++ b/lib/Config/Model.pm
+@@ -1198,7 +1198,7 @@
+     # look for additional model information
+     my %model_graft_by_name;
+     my %done;  # avoid loading twice the same snippet (where system version may clobber dev version)
+-    foreach my $inc (@INC,'.') {
++    foreach my $inc (@INC) {
+         foreach my $name ( keys %models_by_name ) {
+             my $snippet_path = $name;
+             $snippet_path =~ s/::/\//g;
+@@ -1206,6 +1206,13 @@
+             get_logger("Model::Loader")->trace("looking for snippet in $snippet_dir");
+             if ( -d $snippet_dir ) {
+                 foreach my $snippet_file ( glob("$snippet_dir/*.pl") ) {
++
++                    # $snippet_file is constructed from @INC content
++                    # (i.e. $inc). Since _load_model_in_hash uses 'do'
++                    # (which searches in @INC), the file path passed
++                    # to _load_model_in_hash must be relative to $inc.
++                    $snippet_file = substr $snippet_file, length($inc) + 1;
++
+                     my $done_key = $name . ':' . $snippet_file;
+                     next if $done{$done_key};
+                     get_logger("Model::Loader")->info("Found snippet $snippet_file");
+@@ -1260,7 +1267,7 @@
+     get_logger("Model::Loader")->info("load model $load_file");
+ 
+     my $err_msg = '';
+-    $load_file = "./$load_file" if $load_file !~ m!^/! and -e $load_file ;
++    # do searches @INC if the file path is not absolute
+     my $model   = do $load_file;
+ 
+     unless ($model) {
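Review bot: The added `$snippet_file = substr $snippet_file, length($inc) + 1;` (inner hunk `@@ -1206,6 +1206,13 @@` of lib/Config/Model.pm) assumes every path returned by `glob` begins with `$inc` plus exactly one separator, and nothing checks that. The line that builds `$snippet_dir` falls between the inner hunks and is not visible, so the assumption cannot be confirmed from here. A guard before the substr, something like `next unless index($snippet_file, "$inc/") == 0;`, would keep a mis-trimmed path from reaching `do`. Separately, `do $load_file` now re-resolves the relative path against all of @INC, so the file executed is the first match in @INC order rather than necessarily the one found under this `$inc`; on a perl whose default @INC still contains '.', the current directory is presumably still searched. The new comment above `do $load_file` could record this, e.g. `# do searches @INC for a non-absolute path; cwd stays excluded only while '.' is absent from @INC`; both enclosing subs start and end outside the hunks.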
diff --git a/debian/patches/series b/debian/patches/series
index bbfef60..2650334 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,3 +1,4 @@
 #fix-cryptic-message
 fix-debci
 remove-use-lib
+remove-inc-dot-emulation

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-perl/packages/libconfig-model-perl.git


