abs/core/perl/digest_eval_hole.diff


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61

From 4b6a7324284e7435a361c58f7ddb32fc0c635bd0 Mon Sep 17 00:00:00 2001
From: "Michael G. Schwern" <schwern@pobox.com>
Date: Mon, 3 Oct 2011 19:05:29 +0100
Subject: Close the eval "require $module" security hole in
 Digest->new($algorithm)

Also the filter was incomplete.

Bug-Debian: http://bugs.debian.org/644108

Patch-Name: fixes/digest_eval_hole.diff
---
 cpan/Digest/Digest.pm    |    6 ++++--
 cpan/Digest/t/security.t |   14 ++++++++++++++
 2 files changed, 18 insertions(+), 2 deletions(-)
 create mode 100644 cpan/Digest/t/security.t

diff --git a/cpan/Digest/Digest.pm b/cpan/Digest/Digest.pm
index 384dfc8..d714434 100644
--- a/cpan/Digest/Digest.pm
+++ b/cpan/Digest/Digest.pm
@@ -24,7 +24,7 @@ sub new
     shift;  # class ignored
     my $algorithm = shift;
     my $impl = $MMAP{$algorithm} || do {
-	$algorithm =~ s/\W+//;
+	$algorithm =~ s/\W+//g;
 	"Digest::$algorithm";
     };
     $impl = [$impl] unless ref($impl);
@@ -35,7 +35,9 @@ sub new
 	($class, @args) = @$class if ref($class);
 	no strict 'refs';
 	unless (exists ${"$class\::"}{"VERSION"}) {
-	    eval "require $class";
+	    my $pm_file = $class . ".pm";
+	    $pm_file =~ s{::}{/}g;
+	    eval { require $pm_file };
 	    if ($@) {
 		$err ||= $@;
 		next;
diff --git a/cpan/Digest/t/security.t b/cpan/Digest/t/security.t
new file mode 100644
index 0000000..5cba122
--- /dev/null
+++ b/cpan/Digest/t/security.t
@@ -0,0 +1,14 @@
+#!/usr/bin/env perl
+
+# Digest->new() had an exploitable eval
+
+use strict;
+use warnings;
+
+use Test::More tests => 1;
+
+use Digest;
+
+$LOL::PWNED = 0;
+eval { Digest->new(q[MD;5;$LOL::PWNED = 42]) };
+is $LOL::PWNED, 0;