authorMingli Yu <Mingli.Yu@windriver.com>2016-09-26 14:00:42 +0800
committerRichard Purdie <richard.purdie@linuxfoundation.org>2016-10-06 08:47:59 +0100
commit39ef8e22b52d3f5daa853aa7866145e9c5469d4b (patch)
treed4fe0d97c298fa2bb4bb2e36253b1ec86c141417
parentd0451b2ed92867a0a2c37baded45cff997739153 (diff)
downloadopenembedded-core-contrib-39ef8e22b52d3f5daa853aa7866145e9c5469d4b.tar.gz
perl: fix CVE-2016-1238
Backport patch to fix CVE-2016-1238 from perl upstream: http://perl5.git.perl.org/perl.git/commitdiff/cee96d52c39b1e7b36e1c62d38bcd8d86e9a41ab (From OE-Core rev: 7d06ffcbcd0c71dc6dc9efde02bf0cd8d7c7d7e3) Signed-off-by: Mingli Yu <Mingli.Yu@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Fixed up to apply to 5.20.0 Signed-off-by: Armin Kuster <akuster808@gmail.com>
-rw-r--r--meta/recipes-devtools/perl/perl/perl-fix-CVE-2016-1238.patch352
-rw-r--r--meta/recipes-devtools/perl/perl_5.22.0.bb1
2 files changed, 353 insertions, 0 deletions
diff --git a/meta/recipes-devtools/perl/perl/perl-fix-CVE-2016-1238.patch b/meta/recipes-devtools/perl/perl/perl-fix-CVE-2016-1238.patch
new file mode 100644
index 0000000000..730ef178ad
--- /dev/null
+++ b/meta/recipes-devtools/perl/perl/perl-fix-CVE-2016-1238.patch
@@ -0,0 +1,352 @@
+From 9987be3d24286d96d9dccec0433253ee8ad894b4 Mon Sep 17 00:00:00 2001
+From: Tony Cook <tony@develop-help.com>
+Date: Tue, 21 Jun 2016 10:02:02 +1000
+Subject: [PATCH] perl: fix CVE-2016-1238
+
+(perl #127834) remove . from the end of @INC if complex modules are loaded
+
+While currently Encode and Storable are know to attempt to load modules
+not included in the core, updates to other modules may lead to those
+also attempting to load new modules, so be safe and remove . for those
+as well.
+
+Backport patch from http://perl5.git.perl.org/perl.git/commitdiff/cee96d52c39b1e7b36e1c62d38bcd8d86e9a41ab
+
+Upstream-Status: Backport
+CVE: CVE-2016-1238
+Signed-off-by: Mingli Yu <Mingli.Yu@windriver.com>
+---
+ cpan/Archive-Tar/bin/ptar | 1 +
+ cpan/Archive-Tar/bin/ptardiff | 1 +
+ cpan/Archive-Tar/bin/ptargrep | 1 +
+ cpan/CPAN/scripts/cpan | 1 +
+ cpan/Digest-SHA/shasum | 1 +
+ cpan/Encode/bin/enc2xs | 1 +
+ cpan/Encode/bin/encguess | 1 +
+ cpan/Encode/bin/piconv | 1 +
+ cpan/Encode/bin/ucmlint | 1 +
+ cpan/Encode/bin/unidump | 1 +
+ cpan/ExtUtils-MakeMaker/bin/instmodsh | 1 +
+ cpan/IO-Compress/bin/zipdetails | 1 +
+ cpan/JSON-PP/bin/json_pp | 1 +
+ cpan/Test-Harness/bin/prove | 1 +
+ dist/ExtUtils-ParseXS/lib/ExtUtils/xsubpp | 1 +
+ dist/Module-CoreList/corelist | 1 +
+ ext/Pod-Html/bin/pod2html | 1 +
+ utils/c2ph.PL | 1 +
+ utils/h2ph.PL | 2 ++
+ utils/h2xs.PL | 2 ++
+ utils/libnetcfg.PL | 1 +
+ utils/perlbug.PL | 1 +
+ utils/perldoc.PL | 5 ++++-
+ utils/perlivp.PL | 2 ++
+ utils/splain.PL | 6 ++++++
+ 25 files changed, 36 insertions(+), 1 deletion(-)
+
+diff --git a/cpan/Archive-Tar/bin/ptar b/cpan/Archive-Tar/bin/ptar
+index 0eaffa7..9dc6402 100644
+--- a/cpan/Archive-Tar/bin/ptar
++++ b/cpan/Archive-Tar/bin/ptar
+@@ -1,6 +1,7 @@
+ #!/usr/bin/perl
+ use strict;
+
++BEGIN { pop @INC if $INC[-1] eq '.' }
+ use File::Find;
+ use Getopt::Std;
+ use Archive::Tar;
+diff --git a/cpan/Archive-Tar/bin/ptardiff b/cpan/Archive-Tar/bin/ptardiff
+index 66bd859..4668fa6 100644
+--- a/cpan/Archive-Tar/bin/ptardiff
++++ b/cpan/Archive-Tar/bin/ptardiff
+@@ -1,5 +1,6 @@
+ #!/usr/bin/perl
+
++BEGIN { pop @INC if $INC[-1] eq '.' }
+ use strict;
+ use Archive::Tar;
+ use Getopt::Std;
+diff --git a/cpan/Archive-Tar/bin/ptargrep b/cpan/Archive-Tar/bin/ptargrep
+index 1a320f1..8dc6b4f 100644
+--- a/cpan/Archive-Tar/bin/ptargrep
++++ b/cpan/Archive-Tar/bin/ptargrep
+@@ -4,6 +4,7 @@
+ # archive. See 'ptargrep --help' for more documentation.
+ #
+
++BEGIN { pop @INC if $INC[-1] eq '.' }
+ use strict;
+ use warnings;
+
+diff --git a/cpan/CPAN/scripts/cpan b/cpan/CPAN/scripts/cpan
+index 5f4320e..ccba47e 100644
+--- a/cpan/CPAN/scripts/cpan
++++ b/cpan/CPAN/scripts/cpan
+@@ -1,5 +1,6 @@
+ #!/usr/local/bin/perl
+
++BEGIN { pop @INC if $INC[-1] eq '.' }
+ use strict;
+ use vars qw($VERSION);
+
+diff --git a/cpan/Digest-SHA/shasum b/cpan/Digest-SHA/shasum
+index 14ddd60..62a2b0e 100644
+--- a/cpan/Digest-SHA/shasum
++++ b/cpan/Digest-SHA/shasum
+@@ -13,6 +13,7 @@
+ ## "-0" option for reading bit strings, and
+ ## "-p" option for portable digests (to be deprecated).
+
++BEGIN { pop @INC if $INC[-1] eq '.' }
+ use strict;
+ use warnings;
+ use Fcntl;
+diff --git a/cpan/Encode/bin/enc2xs b/cpan/Encode/bin/enc2xs
+index 4d64e38..473a15c 100644
+--- a/cpan/Encode/bin/enc2xs
++++ b/cpan/Encode/bin/enc2xs
+@@ -4,6 +4,7 @@ BEGIN {
+ # with $ENV{PERL_CORE} set
+ # In case we need it in future...
+ require Config; import Config;
++ pop @INC if $INC[-1] eq '.';
+ }
+ use strict;
+ use warnings;
+diff --git a/cpan/Encode/bin/encguess b/cpan/Encode/bin/encguess
+index 5d7ac80..0be5c7c 100644
+--- a/cpan/Encode/bin/encguess
++++ b/cpan/Encode/bin/encguess
+@@ -1,5 +1,6 @@
+ #!./perl
+ use 5.008001;
++BEGIN { pop @INC if $INC[-1] eq '.' }
+ use strict;
+ use warnings;
+ use Encode;
+diff --git a/cpan/Encode/bin/piconv b/cpan/Encode/bin/piconv
+index c1dad9e..60b2a59 100644
+--- a/cpan/Encode/bin/piconv
++++ b/cpan/Encode/bin/piconv
+@@ -1,6 +1,7 @@
+ #!./perl
+ # $Id: piconv,v 2.7 2014/05/31 09:48:48 dankogai Exp $
+ #
++BEGIN { pop @INC if $INC[-1] eq '.' }
+ use 5.8.0;
+ use strict;
+ use Encode ;
+diff --git a/cpan/Encode/bin/ucmlint b/cpan/Encode/bin/ucmlint
+index 622376d..25e0d67 100644
+--- a/cpan/Encode/bin/ucmlint
++++ b/cpan/Encode/bin/ucmlint
+@@ -3,6 +3,7 @@
+ # $Id: ucmlint,v 2.2 2008/03/12 09:51:11 dankogai Exp $
+ #
+
++BEGIN { pop @INC if $INC[-1] eq '.' }
+ use strict;
+ our $VERSION = do { my @r = (q$Revision: 2.2 $ =~ /\d+/g); sprintf "%d."."%02d" x $#r, @r };
+
+diff --git a/cpan/Encode/bin/unidump b/cpan/Encode/bin/unidump
+index ae0da30..f190827 100644
+--- a/cpan/Encode/bin/unidump
++++ b/cpan/Encode/bin/unidump
+@@ -1,5 +1,6 @@
+ #!./perl
+
++BEGIN { pop @INC if $INC[-1] eq '.' }
+ use strict;
+ use Encode;
+ use Getopt::Std;
+diff --git a/cpan/ExtUtils-MakeMaker/bin/instmodsh b/cpan/ExtUtils-MakeMaker/bin/instmodsh
+index e551434..b3b109f 100644
+--- a/cpan/ExtUtils-MakeMaker/bin/instmodsh
++++ b/cpan/ExtUtils-MakeMaker/bin/instmodsh
+@@ -1,5 +1,6 @@
+ #!/usr/bin/perl -w
+
++BEGIN { pop @INC if $INC[-1] eq '.' }
+ use strict;
+ use IO::File;
+ use ExtUtils::Packlist;
+diff --git a/cpan/IO-Compress/bin/zipdetails b/cpan/IO-Compress/bin/zipdetails
+index 0249850..1b9c70a 100644
+--- a/cpan/IO-Compress/bin/zipdetails
++++ b/cpan/IO-Compress/bin/zipdetails
+@@ -5,6 +5,7 @@
+ # Display info on the contents of a Zip file
+ #
+
++BEGIN { pop @INC if $INC[-1] eq '.' }
+ use strict;
+ use warnings ;
+
+diff --git a/cpan/JSON-PP/bin/json_pp b/cpan/JSON-PP/bin/json_pp
+index df9d243..896cd2f 100644
+--- a/cpan/JSON-PP/bin/json_pp
++++ b/cpan/JSON-PP/bin/json_pp
+@@ -1,5 +1,6 @@
+ #!/usr/bin/perl
+
++BEGIN { pop @INC if $INC[-1] eq '.' }
+ use strict;
+ use Getopt::Long;
+
+diff --git a/cpan/Test-Harness/bin/prove b/cpan/Test-Harness/bin/prove
+index 6637cc4..d71b238 100644
+--- a/cpan/Test-Harness/bin/prove
++++ b/cpan/Test-Harness/bin/prove
+@@ -1,5 +1,6 @@
+ #!/usr/bin/perl -w
+
++BEGIN { pop @INC if $INC[-1] eq '.' }
+ use strict;
+ use warnings;
+ use App::Prove;
+diff --git a/dist/ExtUtils-ParseXS/lib/ExtUtils/xsubpp b/dist/ExtUtils-ParseXS/lib/ExtUtils/xsubpp
+index e2ac71a..d596cdf 100644
+--- a/dist/ExtUtils-ParseXS/lib/ExtUtils/xsubpp
++++ b/dist/ExtUtils-ParseXS/lib/ExtUtils/xsubpp
+@@ -1,5 +1,6 @@
+ #!perl
+ use 5.006;
++BEGIN { pop @INC if $INC[-1] eq '.' }
+ use strict;
+ eval {
+ require ExtUtils::ParseXS;
+diff --git a/dist/Module-CoreList/corelist b/dist/Module-CoreList/corelist
+index aa4a945..bbe61cc 100644
+--- a/dist/Module-CoreList/corelist
++++ b/dist/Module-CoreList/corelist
+@@ -130,6 +130,7 @@ requested perl versions.
+
+ =cut
+
++BEGIN { pop @INC if $INC[-1] eq '.' }
+ use Module::CoreList;
+ use Getopt::Long qw(:config no_ignore_case);
+ use Pod::Usage;
+diff --git a/ext/Pod-Html/bin/pod2html b/ext/Pod-Html/bin/pod2html
+index b022859..7d1d232 100644
+--- a/ext/Pod-Html/bin/pod2html
++++ b/ext/Pod-Html/bin/pod2html
+@@ -216,6 +216,7 @@ This program is distributed under the Artistic License.
+
+ =cut
+
++BEGIN { pop @INC if $INC[-1] eq '.' }
+ use Pod::Html;
+
+ pod2html @ARGV;
+diff --git a/utils/c2ph.PL b/utils/c2ph.PL
+index 13389ec..cef0b5c 100644
+--- a/utils/c2ph.PL
++++ b/utils/c2ph.PL
+@@ -280,6 +280,7 @@ Anyway, here it is. Should run on perl v4 or greater. Maybe less.
+
+ $RCSID = '$Id: c2ph,v 1.7 95/10/28 10:41:47 tchrist Exp Locker: tchrist $';
+
++BEGIN { pop @INC if $INC[-1] eq '.' }
+ use File::Temp;
+
+ ######################################################################
+diff --git a/utils/h2ph.PL b/utils/h2ph.PL
+index 55c1f72..300b756 100644
+--- a/utils/h2ph.PL
++++ b/utils/h2ph.PL
+@@ -36,6 +36,8 @@ $Config{startperl}
+
+ print OUT <<'!NO!SUBS!';
+
++BEGIN { pop @INC if $INC[-1] eq '.' }
++
+ use strict;
+
+ use Config;
+diff --git a/utils/h2xs.PL b/utils/h2xs.PL
+index 268f680..f95ee0c 100644
+--- a/utils/h2xs.PL
++++ b/utils/h2xs.PL
+@@ -35,6 +35,8 @@ $Config{startperl}
+
+ print OUT <<'!NO!SUBS!';
+
++BEGIN { pop @INC if $INC[-1] eq '.' }
++
+ use warnings;
+
+ =head1 NAME
+diff --git a/utils/libnetcfg.PL b/utils/libnetcfg.PL
+index 59a2de8..26d2f99 100644
+--- a/utils/libnetcfg.PL
++++ b/utils/libnetcfg.PL
+@@ -97,6 +97,7 @@ Jarkko Hietaniemi, conversion into libnetcfg for inclusion into Perl 5.8.
+
+ # $Id: Configure,v 1.8 1997/03/04 09:22:32 gbarr Exp $
+
++BEGIN { pop @INC if $INC[-1] eq '.' }
+ use strict;
+ use IO::File;
+ use Getopt::Std;
+diff --git a/utils/perlbug.PL b/utils/perlbug.PL
+index 885785a..ae8c343 100644
+--- a/utils/perlbug.PL
++++ b/utils/perlbug.PL
+@@ -57,6 +57,7 @@ print OUT <<'!NO!SUBS!';
+ my @patches = Config::local_patches();
+ my $patch_tags = join "", map /(\S+)/ ? "+$1 " : (), @patches;
+
++BEGIN { pop @INC if $INC[-1] eq '.' }
+ use warnings;
+ use strict;
+ use Config;
+diff --git a/utils/perldoc.PL b/utils/perldoc.PL
+index e201de9..cd60bd4 100644
+--- a/utils/perldoc.PL
++++ b/utils/perldoc.PL
+@@ -44,7 +44,10 @@ $Config{startperl}
+ # This "$file" file was generated by "$0"
+
+ require 5;
+-BEGIN { \$^W = 1 if \$ENV{'PERLDOCDEBUG'} }
++BEGIN {
++ \$^W = 1 if \$ENV{'PERLDOCDEBUG'};
++ pop \@INC if \$INC[-1] eq '.';
++}
+ use Pod::Perldoc;
+ exit( Pod::Perldoc->run() );
+
+diff --git a/utils/perlivp.PL b/utils/perlivp.PL
+index cc49f96..696a44e 100644
+--- a/utils/perlivp.PL
++++ b/utils/perlivp.PL
+@@ -39,6 +39,8 @@ print OUT "\n# perlivp $^V\n";
+
+ print OUT <<'!NO!SUBS!';
+
++BEGIN { pop @INC if $INC[-1] eq '.' }
++
+ sub usage {
+ warn "@_\n" if @_;
+ print << " EOUSAGE";
+diff --git a/utils/splain.PL b/utils/splain.PL
+index 9c70b61..cae84a0 100644
+--- a/utils/splain.PL
++++ b/utils/splain.PL
+@@ -38,6 +38,12 @@ $Config{startperl}
+ if \$running_under_some_shell;
+ !GROK!THIS!
+
++print <<'!NO!SUBS!';
++
++BEGIN { pop @INC if $INC[-1] eq '.' }
++
++!NO!SUBS!
++
+ while (<IN>) {
+ print OUT unless /^package diagnostics/;
+ }
+--
+2.8.1
+
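Review bot: The splain.PL change at the end of the hunk emits the guard with a bare `print <<'!NO!SUBS!';` while the generator code right below it writes to the output handle (`print OUT unless /^package diagnostics/`), so unless `OUT` has been `select`ed earlier in splain.PL (not visible in this hunk) the `BEGIN { pop @INC if $INC[-1] eq '.' }` line lands on the build's STDOUT and the generated splain is shipped without the mitigation; the line should read `print OUT <<'!NO!SUBS!';`. It is also worth stating in the patch header that this is a per-utility mitigation rather than a fix for the interpreter default: `pop @INC` only removes a trailing `.`, so any perl script not in this list, and any `.` that sits in a non-final @INC position, stays exposed when run from an attacker-writable directory. In ptar and enc2xs the guard is placed after `use strict;` / `require Config;`, which is harmless for core modules found earlier in @INC but means anything loaded before the BEGIN block is still resolved with `.` present, so keeping the guard first in file is the safer pattern. The enclosing generator scripts (h2ph.PL, h2xs.PL, perlivp.PL, splain.PL) begin and end outside their hunks.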
diff --git a/meta/recipes-devtools/perl/perl_5.22.0.bb b/meta/recipes-devtools/perl/perl_5.22.0.bb
index ff82b80e66..814c20c5cd 100644
--- a/meta/recipes-devtools/perl/perl_5.22.0.bb
+++ b/meta/recipes-devtools/perl/perl_5.22.0.bb
@@ -37,6 +37,7 @@ SRC_URI += " \
file://perl-fix-CVE-2016-2381.patch \
file://perl-fix-CVE-2016-6185.patch \
file://perl-fix-CVE-2015-8607.patch \
+ file://perl-fix-CVE-2016-1238.patch \
"
SRC_URI += " \