Blob Blame History Raw
From 8cfc4916736280dd76655fdef5b78331bfac414d Mon Sep 17 00:00:00 2001
From: Tony Cook <tony@develop-help.com>
Date: Wed, 27 Jul 2016 14:04:59 +1000
Subject: [PATCH] CVE-2016-1238: prevent loading optional modules from default
 .

Digest attempts to load Digest::SHA, only failing if Digest::SHA2
is also unavailable.

If a system has Digest installed, but not Digest::SHA, and a user
attempts to run a program using Digest with SHA-256 from a world
writable directory such as /tmp and since perl adds "." to the end
of @INC an attacker can run code as the original user by creating
/tmp/Digest/SHA.pm.

The change temporarily removes the default "." entry from the end of
@INC preventing that attack.
---
 Digest.pm | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/Digest.pm b/Digest.pm
index 2ae6eec..c75649f 100644
--- a/Digest.pm
+++ b/Digest.pm
@@ -42,7 +42,11 @@ sub new
         unless (exists ${"$class\::"}{"VERSION"}) {
             my $pm_file = $class . ".pm";
             $pm_file =~ s{::}{/}g;
-            eval { require $pm_file };
+            eval {
+                local @INC = @INC;
+                pop @INC if $INC[-1] eq '.';
+                require $pm_file;
+            };
             if ($@) {
                 $err ||= $@;
                 next;
-- 
2.1.4