diff options
| author | Guillem Jover <guillem@debian.org> | 2016-09-14 23:26:16 +0200 |
|---|---|---|
| committer | Guillem Jover <guillem@debian.org> | 2016-10-30 06:29:51 +0100 |
| commit | 583e7b0ab992c4770414e1f8f903f207035d0523 (patch) | |
| tree | 23d407b39c340e4ac227f95fa52b7012bfd5fa9c /scripts/Dpkg/Gettext.pm | |
| parent | b4e88220c2ba83bb96fc8f7430437b7d3e1bf1bf (diff) | |
| download | dpkg-583e7b0ab992c4770414e1f8f903f207035d0523.tar.gz | |
perl: Remove default «.» from @INC before loading modules
When loading eval'ed modules we should remove «.» from @INC, or we
might end up loading code under the caller's control.
Fixes: CVE-2016-1238
Diffstat (limited to 'scripts/Dpkg/Gettext.pm')
| -rw-r--r-- | scripts/Dpkg/Gettext.pm | 5 |
1 files changed, 4 insertions, 1 deletions
diff --git a/scripts/Dpkg/Gettext.pm b/scripts/Dpkg/Gettext.pm index 7be03d495..aa5aeb8da 100644 --- a/scripts/Dpkg/Gettext.pm +++ b/scripts/Dpkg/Gettext.pm @@ -98,7 +98,10 @@ or $msgid_plural otherwise. use constant GETTEXT_CONTEXT_GLUE => "\004"; BEGIN { - eval 'use Locale::gettext'; + eval q{ + pop @INC if $INC[-1] eq '.'; + use Locale::gettext; + }; if ($@) { eval q{ sub g_ { |