From 8cfc4916736280dd76655fdef5b78331bfac414d Mon Sep 17 00:00:00 2001 From: Tony Cook Date: Wed, 27 Jul 2016 14:04:59 +1000 Subject: [PATCH] CVE-2016-1238: prevent loading optional modules from default . Digest attempts to load Digest::SHA, only failing if Digest::SHA2 is also unavailable. If a system has Digest installed, but not Digest::SHA, and a user attempts to run a program using Digest with SHA-256 from a world writable directory such as /tmp and since perl adds "." to the end of @INC an attacker can run code as the original user by creating /tmp/Digest/SHA.pm. The change temporarily removes the default "." entry from the end of @INC preventing that attack. --- Digest.pm | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/Digest.pm b/Digest.pm index 2ae6eec..c75649f 100644 --- a/Digest.pm +++ b/Digest.pm @@ -42,7 +42,11 @@ sub new unless (exists ${"$class\::"}{"VERSION"}) { my $pm_file = $class . ".pm"; $pm_file =~ s{::}{/}g; - eval { require $pm_file }; + eval { + local @INC = @INC; + pop @INC if $INC[-1] eq '.'; + require $pm_file; + }; if ($@) { $err ||= $@; next; -- 2.1.4