From 61ec1137c515fa41f376540d6fa99210786c79c2 Mon Sep 17 00:00:00 2001
From: Tony Cook <tony@develop-help.com>
Date: Tue, 21 Jun 2016 10:02:02 +1000
Subject: (perl #127834) remove . from the end of @INC if complex modules are
 loaded

While currently Encode and Storable are known to attempt to load modules
not included in the core, updates to other modules may lead to those
also attempting to load new modules, so be safe and remove . for those
as well.

(Backported to 5.20.2 by Niko Tyni <ntyni@debian.org>)

Origin: backport
Bug: https://rt.perl.org/Public/Bug/Display.html?id=127834
Patch-Name: fixes/CVE-2016-1238/remove-dot-when-loading.diff
---
 cpan/Archive-Tar/bin/ptar                 | 1 +
 cpan/Archive-Tar/bin/ptardiff             | 1 +
 cpan/Archive-Tar/bin/ptargrep             | 1 +
 cpan/CPAN/scripts/cpan                    | 1 +
 cpan/Digest-SHA/shasum                    | 1 +
 cpan/Encode/bin/enc2xs                    | 1 +
 cpan/Encode/bin/piconv                    | 1 +
 cpan/Encode/bin/ucmlint                   | 1 +
 cpan/Encode/bin/unidump                   | 1 +
 cpan/ExtUtils-MakeMaker/bin/instmodsh     | 1 +
 cpan/IO-Compress/bin/zipdetails           | 1 +
 cpan/JSON-PP/bin/json_pp                  | 1 +
 cpan/Test-Harness/bin/prove               | 1 +
 dist/ExtUtils-ParseXS/lib/ExtUtils/xsubpp | 1 +
 dist/Module-CoreList/corelist             | 1 +
 ext/Pod-Html/bin/pod2html                 | 1 +
 utils/c2ph.PL                             | 1 +
 utils/h2ph.PL                             | 2 ++
 utils/h2xs.PL                             | 2 ++
 utils/libnetcfg.PL                        | 1 +
 utils/perlbug.PL                          | 1 +
 utils/perldoc.PL                          | 5 ++++-
 utils/perlivp.PL                          | 2 ++
 utils/splain.PL                           | 6 ++++++
 24 files changed, 35 insertions(+), 1 deletion(-)

diff --git a/cpan/Archive-Tar/bin/ptar b/cpan/Archive-Tar/bin/ptar
index 0eaffa7ccb..9dc6402c66 100644
--- a/cpan/Archive-Tar/bin/ptar
+++ b/cpan/Archive-Tar/bin/ptar
@@ -1,6 +1,7 @@
 #!/usr/bin/perl
 use strict;
 
+BEGIN { pop @INC if $INC[-1] eq '.' }
 use File::Find;
 use Getopt::Std;
 use Archive::Tar;
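Review bot: The added `BEGIN { pop @INC if $INC[-1] eq '.' }` in ptar carries no comment, so a later maintainer has nothing tying it to CVE-2016-1238 and could remove it as apparently dead code. I would put a line above it such as `# CVE-2016-1238: drop a trailing '.' from @INC so optional modules are never loaded from the current directory`. It is also worth saying in that comment that only a trailing '.' is removed, so a '.' placed elsewhere in @INC is kept. The same uncommented one-liner is added to the other scripts in this patch (ptardiff, ptargrep, cpan, shasum and the rest), so the comment applies to each of them.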
diff --git a/cpan/Archive-Tar/bin/ptardiff b/cpan/Archive-Tar/bin/ptardiff
index 5205d63c3f..c119dfa169 100644
--- a/cpan/Archive-Tar/bin/ptardiff
+++ b/cpan/Archive-Tar/bin/ptardiff
@@ -1,5 +1,6 @@
 #!/usr/bin/perl
 
+BEGIN { pop @INC if $INC[-1] eq '.' }
 use strict;
 use Archive::Tar;
 use Getopt::Std;
diff --git a/cpan/Archive-Tar/bin/ptargrep b/cpan/Archive-Tar/bin/ptargrep
index 0367d849d7..30ebf65a63 100644
--- a/cpan/Archive-Tar/bin/ptargrep
+++ b/cpan/Archive-Tar/bin/ptargrep
@@ -4,6 +4,7 @@
 # archive.  See 'ptargrep --help' for more documentation.
 #
 
+BEGIN { pop @INC if $INC[-1] eq '.' }
 use strict;
 use warnings;
 
diff --git a/cpan/CPAN/scripts/cpan b/cpan/CPAN/scripts/cpan
index 3b4a5b5067..664adcb3a4 100644
--- a/cpan/CPAN/scripts/cpan
+++ b/cpan/CPAN/scripts/cpan
@@ -1,5 +1,6 @@
 #!/usr/local/bin/perl
 
+BEGIN { pop @INC if $INC[-1] eq '.' }
 use strict;
 use vars qw($VERSION);
 
diff --git a/cpan/Digest-SHA/shasum b/cpan/Digest-SHA/shasum
index 32b71733bf..3f2321469c 100644
--- a/cpan/Digest-SHA/shasum
+++ b/cpan/Digest-SHA/shasum
@@ -94,6 +94,7 @@ L<Digest::SHA::PurePerl>.
 
 END_OF_POD
 
+BEGIN { pop @INC if $INC[-1] eq '.' }
 use strict;
 use Fcntl;
 use Getopt::Long;
diff --git a/cpan/Encode/bin/enc2xs b/cpan/Encode/bin/enc2xs
index a9af54f708..1e37efc3f8 100644
--- a/cpan/Encode/bin/enc2xs
+++ b/cpan/Encode/bin/enc2xs
@@ -4,6 +4,7 @@ BEGIN {
     # with $ENV{PERL_CORE} set
     # In case we need it in future...
     require Config; import Config;
+    pop @INC if $INC[-1] eq '.';
 }
 use strict;
 use warnings;
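Review bot: In the enc2xs BEGIN block the new `pop @INC if $INC[-1] eq '.';` runs after `require Config; import Config;`, so Config is still resolved while '.' is the last entry of @INC. Config is a core module and will normally be found in an earlier directory, so this is defence in depth rather than a live hole. Making the pop the first statement of the block would ensure every load in the script happens after the cleanup. The ptar hunk has the same shape, with the BEGIN placed after `use strict;`. The BEGIN block opens above this hunk, so its first lines are not visible here.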
diff --git a/cpan/Encode/bin/piconv b/cpan/Encode/bin/piconv
index 669304b68c..f041503a13 100644
--- a/cpan/Encode/bin/piconv
+++ b/cpan/Encode/bin/piconv
@@ -1,6 +1,7 @@
 #!./perl
 # $Id: piconv,v 2.6 2014/03/28 02:37:42 dankogai Exp $
 #
+BEGIN { pop @INC if $INC[-1] eq '.' }
 use 5.8.0;
 use strict;
 use Encode ;
diff --git a/cpan/Encode/bin/ucmlint b/cpan/Encode/bin/ucmlint
index 622376d885..25e0d67ef6 100644
--- a/cpan/Encode/bin/ucmlint
+++ b/cpan/Encode/bin/ucmlint
@@ -3,6 +3,7 @@
 # $Id: ucmlint,v 2.2 2008/03/12 09:51:11 dankogai Exp $
 #
 
+BEGIN { pop @INC if $INC[-1] eq '.' }
 use strict;
 our  $VERSION = do { my @r = (q$Revision: 2.2 $ =~ /\d+/g); sprintf "%d."."%02d" x $#r, @r };
 
diff --git a/cpan/Encode/bin/unidump b/cpan/Encode/bin/unidump
index ae0da30852..f19082744f 100644
--- a/cpan/Encode/bin/unidump
+++ b/cpan/Encode/bin/unidump
@@ -1,5 +1,6 @@
 #!./perl
 
+BEGIN { pop @INC if $INC[-1] eq '.' }
 use strict;
 use Encode;
 use Getopt::Std;
diff --git a/cpan/ExtUtils-MakeMaker/bin/instmodsh b/cpan/ExtUtils-MakeMaker/bin/instmodsh
index e551434802..b3b109f475 100644
--- a/cpan/ExtUtils-MakeMaker/bin/instmodsh
+++ b/cpan/ExtUtils-MakeMaker/bin/instmodsh
@@ -1,5 +1,6 @@
 #!/usr/bin/perl -w
 
+BEGIN { pop @INC if $INC[-1] eq '.' }
 use strict;
 use IO::File;
 use ExtUtils::Packlist;
diff --git a/cpan/IO-Compress/bin/zipdetails b/cpan/IO-Compress/bin/zipdetails
index 0249850457..1b9c70a8f4 100644
--- a/cpan/IO-Compress/bin/zipdetails
+++ b/cpan/IO-Compress/bin/zipdetails
@@ -5,6 +5,7 @@
 # Display info on the contents of a Zip file
 #
 
+BEGIN { pop @INC if $INC[-1] eq '.' }
 use strict;
 use warnings ;
 
diff --git a/cpan/JSON-PP/bin/json_pp b/cpan/JSON-PP/bin/json_pp
index df9d243eba..896cd2f368 100644
--- a/cpan/JSON-PP/bin/json_pp
+++ b/cpan/JSON-PP/bin/json_pp
@@ -1,5 +1,6 @@
 #!/usr/bin/perl
 
+BEGIN { pop @INC if $INC[-1] eq '.' }
 use strict;
 use Getopt::Long;
 
diff --git a/cpan/Test-Harness/bin/prove b/cpan/Test-Harness/bin/prove
index 968fa7311d..4ce8c9119b 100644
--- a/cpan/Test-Harness/bin/prove
+++ b/cpan/Test-Harness/bin/prove
@@ -1,5 +1,6 @@
 #!/usr/bin/perl -w
 
+BEGIN { pop @INC if $INC[-1] eq '.' }
 use strict;
 use warnings;
 use App::Prove;
diff --git a/dist/ExtUtils-ParseXS/lib/ExtUtils/xsubpp b/dist/ExtUtils-ParseXS/lib/ExtUtils/xsubpp
index e2ac71a323..d596cdff42 100644
--- a/dist/ExtUtils-ParseXS/lib/ExtUtils/xsubpp
+++ b/dist/ExtUtils-ParseXS/lib/ExtUtils/xsubpp
@@ -1,5 +1,6 @@
 #!perl
 use 5.006;
+BEGIN { pop @INC if $INC[-1] eq '.' }
 use strict;
 eval {
   require ExtUtils::ParseXS;
diff --git a/dist/Module-CoreList/corelist b/dist/Module-CoreList/corelist
index aa4a94571a..bbe61ccee4 100644
--- a/dist/Module-CoreList/corelist
+++ b/dist/Module-CoreList/corelist
@@ -130,6 +130,7 @@ requested perl versions.
 
 =cut
 
+BEGIN { pop @INC if $INC[-1] eq '.' }
 use Module::CoreList;
 use Getopt::Long qw(:config no_ignore_case);
 use Pod::Usage;
diff --git a/ext/Pod-Html/bin/pod2html b/ext/Pod-Html/bin/pod2html
index b022859190..7d1d23268b 100644
--- a/ext/Pod-Html/bin/pod2html
+++ b/ext/Pod-Html/bin/pod2html
@@ -216,6 +216,7 @@ This program is distributed under the Artistic License.
 
 =cut
 
+BEGIN { pop @INC if $INC[-1] eq '.' }
 use Pod::Html;
 
 pod2html @ARGV;
diff --git a/utils/c2ph.PL b/utils/c2ph.PL
index 13389ec075..cef0b5cf38 100644
--- a/utils/c2ph.PL
+++ b/utils/c2ph.PL
@@ -280,6 +280,7 @@ Anyway, here it is.  Should run on perl v4 or greater.  Maybe less.
 
 $RCSID = '$Id: c2ph,v 1.7 95/10/28 10:41:47 tchrist Exp Locker: tchrist $';
 
+BEGIN { pop @INC if $INC[-1] eq '.' }
 use File::Temp;
 
 ######################################################################
diff --git a/utils/h2ph.PL b/utils/h2ph.PL
index d082f22723..2523c0a654 100644
--- a/utils/h2ph.PL
+++ b/utils/h2ph.PL
@@ -36,6 +36,8 @@ $Config{startperl}
 
 print OUT <<'!NO!SUBS!';
 
+BEGIN { pop @INC if $INC[-1] eq '.' }
+
 use strict;
 
 use Config;
diff --git a/utils/h2xs.PL b/utils/h2xs.PL
index 4cb0943742..8fda87b0a7 100644
--- a/utils/h2xs.PL
+++ b/utils/h2xs.PL
@@ -35,6 +35,8 @@ $Config{startperl}
 
 print OUT <<'!NO!SUBS!';
 
+BEGIN { pop @INC if $INC[-1] eq '.' }
+
 use warnings;
 
 =head1 NAME
diff --git a/utils/libnetcfg.PL b/utils/libnetcfg.PL
index 59a2de87c8..26d2f995a9 100644
--- a/utils/libnetcfg.PL
+++ b/utils/libnetcfg.PL
@@ -97,6 +97,7 @@ Jarkko Hietaniemi, conversion into libnetcfg for inclusion into Perl 5.8.
 
 # $Id: Configure,v 1.8 1997/03/04 09:22:32 gbarr Exp $
 
+BEGIN { pop @INC if $INC[-1] eq '.' }
 use strict;
 use IO::File;
 use Getopt::Std;
diff --git a/utils/perlbug.PL b/utils/perlbug.PL
index 885785ae00..ae8c343052 100644
--- a/utils/perlbug.PL
+++ b/utils/perlbug.PL
@@ -57,6 +57,7 @@ print OUT <<'!NO!SUBS!';
 my @patches = Config::local_patches();
 my $patch_tags = join "", map /(\S+)/ ? "+$1 " : (), @patches;
 
+BEGIN { pop @INC if $INC[-1] eq '.' }
 use warnings;
 use strict;
 use Config;
diff --git a/utils/perldoc.PL b/utils/perldoc.PL
index e201de9d91..cd60bd4354 100644
--- a/utils/perldoc.PL
+++ b/utils/perldoc.PL
@@ -44,7 +44,10 @@ $Config{startperl}
 # This "$file" file was generated by "$0"
 
 require 5;
-BEGIN { \$^W = 1 if \$ENV{'PERLDOCDEBUG'} }
+BEGIN {
+    \$^W = 1 if \$ENV{'PERLDOCDEBUG'};
+    pop \@INC if \$INC[-1] eq '.';
+}
 use Pod::Perldoc;
 exit( Pod::Perldoc->run() );
 
diff --git a/utils/perlivp.PL b/utils/perlivp.PL
index cc49f964ba..696a44e0fe 100644
--- a/utils/perlivp.PL
+++ b/utils/perlivp.PL
@@ -39,6 +39,8 @@ print OUT "\n# perlivp $^V\n";
 
 print OUT <<'!NO!SUBS!';
 
+BEGIN { pop @INC if $INC[-1] eq '.' }
+
 sub usage {
     warn "@_\n" if @_;
     print << "    EOUSAGE";
diff --git a/utils/splain.PL b/utils/splain.PL
index 9c70b61afd..cae84a0d38 100644
--- a/utils/splain.PL
+++ b/utils/splain.PL
@@ -38,6 +38,12 @@ $Config{startperl}
 	if \$running_under_some_shell;
 !GROK!THIS!
 
+print <<'!NO!SUBS!';
+
+BEGIN { pop @INC if $INC[-1] eq '.' }
+
+!NO!SUBS!
+
 while (<IN>) {
     print OUT unless /^package diagnostics/;
 }
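Review bot: The added `print <<'!NO!SUBS!';` in splain.PL names no filehandle, so the BEGIN line goes to the currently selected handle (STDOUT unless code above the hunk calls `select`) instead of the generated script. The loop directly below writes with `print OUT`, and the h2ph.PL, h2xs.PL and perlivp.PL hunks all sit inside `print OUT <<'!NO!SUBS!';` heredocs. As written, the generated splain would probably not receive the @INC cleanup, and the line would show up in the build output instead. Change it to `print OUT <<'!NO!SUBS!';`.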
