Bug 1411436 - cpan client is vulnerable to CVE-2016-1238
Summary: cpan client is vulnerable to CVE-2016-1238
Alias: None
Product: Red Hat Software Collections
Classification: Red Hat
Component: perl-CPAN
Version: rh-perl524
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
: 3.4
Assignee: perl-maint-list
QA Contact: BaseOS QE - Apps
Depends On:
Blocks: CVE-2016-1238
TreeView+ depends on / blocked
Reported: 2017-01-09 17:35 UTC by Petr Pisar
Modified: 2019-12-02 12:19 UTC (History)
0 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2019-12-02 12:18:36 UTC
Target Upstream Version:

Attachments (Terms of Use)
Cumulative patch (9.83 KB, patch)
2017-01-09 17:59 UTC, Petr Pisar
no flags Details | Diff

System ID Private Priority Status Summary Last Updated
CPAN 116507 0 None None None 2017-01-31 09:13:20 UTC

Description Petr Pisar 2017-01-09 17:35:03 UTC
rh-perl524-perl-CPAN-2.11-368.el6.noarch loads optional modules from current working directory:

$ cd /tmp
$ mkdir Log
cat >Log/Log4perl.pm
warn 'HIT';
$ cpan
HIT at /tmp/Log/Log4perl.pm line 1.
Undefined subroutine &Log::Log4perl::init called at /opt/rh/rh-perl524/root/usr/share/perl5/vendor_perl/App/Cpan.pm line 546.

This bug is know as CVE-2016-1238 and a fix exists in perl-5.24.1 release candidate. Other rh-perl524 packages already contain the fix. Please note that additional patch from CPAN RT#116507 is required to handle cpan -j option correctly in case of a relative path.

Comment 1 Petr Pisar 2017-01-09 17:59:44 UTC
Created attachment 1238847 [details]
Cumulative patch

Comment 7 Petr Pisar 2019-11-08 06:05:39 UTC
rh-perl526 is not affected.

Comment 8 Joe Orton 2019-12-02 12:18:36 UTC
In accordance with the Red Hat Software Collections Product Life Cycle, the support period for this collection has ended.

New bug fix, enhancement, and security errata updates, as well as technical support services will no longer be made available for this collection.

Customers are encouraged to upgrade to a later release.

Please contact Red Hat Support if you have further questions, or refer to the support lifecycle page for more information. https://access.redhat.com/support/policy/updates/rhscl/

Note You need to log in before you can comment on or make changes to this bug.