Blame SOURCES/Test-Harness-3.36-CVE-2016-1238-avoid-loading-optional-modules-from.patch

60fa2a
From 59697efbfe58a2a9c2cc2aba11eca2acb64b27a8 Mon Sep 17 00:00:00 2001
60fa2a
From: Tony Cook <tony@develop-help.com>
60fa2a
Date: Thu, 28 Jul 2016 14:18:12 +1000
60fa2a
Subject: [PATCH] CVE-2016-1238: avoid loading optional modules from default .
60fa2a
60fa2a
App::Prove (and hence prove) attempts to load plugins under both
60fa2a
the App::Prove::Plugin namespace and under the base namespace.
60fa2a
60fa2a
If a plugin is only available under the base namespace, and a user runs
60fa2a
prove from a world-writable directory such as /tmp, an attacker can
60fa2a
App/Prove/Plugin/PluginName.pm to run code as the user running prove.
60fa2a
---
60fa2a
 bin/prove | 1 +
60fa2a
 1 file changed, 1 insertion(+)
60fa2a
60fa2a
diff --git a/bin/prove b/bin/prove
60fa2a
index 6637cc4..d71b238 100755
60fa2a
--- a/bin/prove
60fa2a
+++ b/bin/prove
60fa2a
@@ -1,5 +1,6 @@
60fa2a
 #!/usr/bin/perl -w
60fa2a
 
60fa2a
+BEGIN { pop @INC if $INC[-1] eq '.' }
60fa2a
 use strict;
60fa2a
 use warnings;
60fa2a
 use App::Prove;
60fa2a
-- 
60fa2a
2.1.4
60fa2a