Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 1411436

Summary: cpan client is vulnerable to CVE-2016-1238
Product: Red Hat Software Collections
Reporter: Petr Pisar <ppisar>
Component: perl-CPAN
Assignee: perl-maint-list
Status: CLOSED EOL
QA Contact: BaseOS QE - Apps <qe-baseos-apps>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: rh-perl524
Keywords: Patch
Target Milestone: ---
Target Release: 3.4
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2019-12-02 12:18:36 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 1355695

Attachments:
Cumulative patch (flags: none)

Description Petr Pisar 2017-01-09 17:35:03 UTC
rh-perl524-perl-CPAN-2.11-368.el6.noarch loads optional modules from current working directory:

$ cd /tmp
$ mkdir Log
$ cat >Log/Log4perl.pm
warn 'HIT';
1;
^D
$ cpan
HIT at /tmp/Log/Log4perl.pm line 1.
Undefined subroutine &Log::Log4perl::init called at /opt/rh/rh-perl524/root/usr/share/perl5/vendor_perl/App/Cpan.pm line 546.

This bug is known as CVE-2016-1238 and a fix exists in the perl-5.24.1 release candidate. Other rh-perl524 packages already contain the fix. Please note that an additional patch from CPAN RT#116507 is required to handle the cpan -j option correctly in the case of a relative path.
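The failure mode described in the report (an optional module probed with a bare require while '.' is still the last entry of @INC, so a Log/Log4perl.pm in the working directory gets compiled and executed) and the guard that closes it, as an added example that is not code from the bug report or from the perl-CPAN package. It assumes a Perl 5 interpreter and that Log::Log4perl is not installed in the system library paths; the scratch directory and the module body are constructed by the script itself. The guard shown (localize @INC and drop a trailing '.') is the usual form of the upstream remedy; the exact shape of the App::Cpan patch is not shown on this page.

```perl
#!/usr/bin/perl
# Added example, not code from the bug report or perl-CPAN.
# Reproduces the report's condition in a scratch directory and contrasts an
# unguarded optional require with one that drops a trailing '.' from @INC.
use strict;
use warnings;
use Cwd qw(getcwd);
use File::Path qw(make_path);
use File::Temp qw(tempdir);

# Scratch copy of the report's setup: a Log/Log4perl.pm in the working
# directory whose only job is to announce that it ran (constructed here).
my $orig_cwd = getcwd();
my $dir = tempdir(CLEANUP => 1);
make_path("$dir/Log");
open my $fh, '>', "$dir/Log/Log4perl.pm" or die "open: $!";
print $fh "warn 'HIT';\n1;\n";
close $fh or die "close: $!";
chdir $dir or die "chdir: $!";

# perl before 5.26 ended @INC with '.' by default; add it explicitly so the
# run does not depend on how this interpreter was built.
push @INC, '.' unless grep { $_ eq '.' } @INC;

# Probe an optional module the way the unfixed client did: a bare require
# with @INC untouched. Returns (loaded?, did code from the cwd run?).
sub probe_unguarded {
    my ($module) = @_;
    (my $file = "$module.pm") =~ s{::}{/}g;
    delete $INC{$file};                       # force a fresh @INC search
    my $cwd_code_ran = 0;
    local $SIG{__WARN__} = sub { $cwd_code_ran = 1 if $_[0] =~ /^HIT/ };
    my $loaded = eval { require $file; 1 } ? 1 : 0;
    return ($loaded, $cwd_code_ran);
}

# Same probe with the guard: localize @INC and strip a trailing '.', so only
# real library directories are searched. (Assumption: this is the usual form
# of the upstream remedy; the page does not show App::Cpan's exact patch.)
sub probe_guarded {
    my ($module) = @_;
    (my $file = "$module.pm") =~ s{::}{/}g;
    delete $INC{$file};
    local @INC = @INC;
    pop @INC if $INC[-1] eq '.';
    my $cwd_code_ran = 0;
    local $SIG{__WARN__} = sub { $cwd_code_ran = 1 if $_[0] =~ /^HIT/ };
    my $loaded = eval { require $file; 1 } ? 1 : 0;
    return ($loaded, $cwd_code_ran);
}

for my $case ([unguarded => \&probe_unguarded], [guarded => \&probe_guarded]) {
    my ($name, $probe) = @$case;
    my ($loaded, $ran) = $probe->('Log::Log4perl');
    printf "%-9s loaded=%d cwd_code_ran=%d\n", $name, $loaded, $ran;
}

chdir $orig_cwd;   # leave the temp dir so CLEANUP can remove it
```

With Log::Log4perl absent from the library paths, the unguarded probe reports that the module "loaded" and that the file from the working directory executed, which is exactly the HIT seen in the report; the guarded probe reports it as not found and nothing from the working directory runs. The guard must wrap every optional require, not just the first one, since each bare require is a separate search of @INC.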

Comment 1 Petr Pisar 2017-01-09 17:59:44 UTC
Created attachment 1238847 [details]
Cumulative patch

Comment 7 Petr Pisar 2019-11-08 06:05:39 UTC
rh-perl526 is not affected.

Comment 8 Joe Orton 2019-12-02 12:18:36 UTC
In accordance with the Red Hat Software Collections Product Life Cycle, the support period for this collection has ended.

New bug fix, enhancement, and security errata updates, as well as technical support services will no longer be made available for this collection.

Customers are encouraged to upgrade to a later release.

Please contact Red Hat Support if you have further questions, or refer to the support lifecycle page for more information. https://access.redhat.com/support/policy/updates/rhscl/