From 4b6a7324284e7435a361c58f7ddb32fc0c635bd0 Mon Sep 17 00:00:00 2001 From: "Michael G. Schwern" Date: Mon, 3 Oct 2011 19:05:29 +0100 Subject: Close the eval "require $module" security hole in Digest->new($algorithm) Also the filter was incomplete. Bug-Debian: http://bugs.debian.org/644108 Patch-Name: fixes/digest_eval_hole.diff --- cpan/Digest/Digest.pm | 6 ++++-- cpan/Digest/t/security.t | 14 ++++++++++++++ 2 files changed, 18 insertions(+), 2 deletions(-) create mode 100644 cpan/Digest/t/security.t diff --git a/cpan/Digest/Digest.pm b/cpan/Digest/Digest.pm index 384dfc8..d714434 100644 --- a/cpan/Digest/Digest.pm +++ b/cpan/Digest/Digest.pm @@ -24,7 +24,7 @@ sub new shift; # class ignored my $algorithm = shift; my $impl = $MMAP{$algorithm} || do { - $algorithm =~ s/\W+//; + $algorithm =~ s/\W+//g; "Digest::$algorithm"; }; $impl = [$impl] unless ref($impl); @@ -35,7 +35,9 @@ sub new ($class, @args) = @$class if ref($class); no strict 'refs'; unless (exists ${"$class\::"}{"VERSION"}) { - eval "require $class"; + my $pm_file = $class . ".pm"; + $pm_file =~ s{::}{/}g; + eval { require $pm_file }; if ($@) { $err ||= $@; next; diff --git a/cpan/Digest/t/security.t b/cpan/Digest/t/security.t new file mode 100644 index 0000000..5cba122 --- /dev/null +++ b/cpan/Digest/t/security.t @@ -0,0 +1,14 @@ +#!/usr/bin/env perl + +# Digest->new() had an exploitable eval + +use strict; +use warnings; + +use Test::More tests => 1; + +use Digest; + +$LOL::PWNED = 0; +eval { Digest->new(q[MD;5;$LOL::PWNED = 42]) }; +is $LOL::PWNED, 0;