
[lintian] 02/02: Remove "." from @INC



This is an automated email from the git hooks/post-receive script.

jwilk pushed a commit to branch master
in repository lintian.

commit c92ba9515d581077e37dc4421272ef32516a403f
Author: Jakub Wilk <jwilk@debian.org>
Date:   Thu Jun 30 22:29:00 2016 +0200

    Remove "." from @INC
    
    It's a long-standing Perl bug (#588017) that "." is appended to @INC.
    If a program tries to import a module that is not installed system-wide,
    Perl will attempt to import it from the current working directory. If
    the directory is untrusted, this could lead to arbitrary code execution.
    
    Lintian is affected, because it imports the Encode module, which tries
    to import Encode::ConfigLocal, which doesn't normally exist.
    
    To mitigate this bug, remove "." from @INC early from all Perl scripts
    that can be (indirectly) run by end users.
---
 collection/ar-info                 | 1 +
 collection/bin-pkg-control         | 1 +
 collection/changelog-file          | 1 +
 collection/copyright-file          | 1 +
 collection/debian-readme           | 1 +
 collection/diffstat                | 1 +
 collection/file-info               | 1 +
 collection/hardening-info          | 1 +
 collection/java-info               | 1 +
 collection/md5sums                 | 1 +
 collection/objdump-info            | 1 +
 collection/override-file           | 1 +
 collection/scripts                 | 1 +
 collection/src-orig-index          | 1 +
 collection/strings                 | 1 +
 collection/unpacked                | 1 +
 debian/changelog                   | 9 +++++++++
 frontend/dplint                    | 1 +
 helpers/coll/file-info-helper      | 1 +
 helpers/coll/hardening-info-helper | 1 +
 helpers/coll/objdump-info-helper   | 1 +
 helpers/coll/strings-helper        | 1 +
 22 files changed, 30 insertions(+)

diff --git a/collection/ar-info b/collection/ar-info
index 7ee33e7..4bc679f 100755
--- a/collection/ar-info
+++ b/collection/ar-info
@@ -24,6 +24,7 @@ package Lintian::coll::ar_info;
 use strict;
 use warnings;
 use autodie;
+no lib '.';
 
 use lib "$ENV{LINTIAN_ROOT}/lib";
 use FileHandle;
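Review bot: The new `no lib '.';` sits after `use autodie;`, so everything that `strict`, `warnings` and especially `autodie` load during their own compilation is still resolved with "." on @INC; only modules loaded from the `use lib` line onward get the protection. `use lib`/`no lib` act at compile time in statement order, so making it the first statement after the `package` line, i.e. `no lib '.';` directly before `use strict;`, closes that window at no cost. Whether any of autodie's own dependency loads can actually fall through to the working directory depends on which of them are optional, so the gap may be theoretical, but the ordering is cheap to fix. The same placement is used in every other collection/* hunk and in the helpers/coll/* hunks (file-info-helper, hardening-info-helper, objdump-info-helper, strings-helper); frontend/dplint has only `strict`/`warnings` ahead of it, which is less exposed but could be reordered for consistency.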
diff --git a/collection/bin-pkg-control b/collection/bin-pkg-control
index f27419f..ac9ce28 100755
--- a/collection/bin-pkg-control
+++ b/collection/bin-pkg-control
@@ -24,6 +24,7 @@ package Lintian::coll::bin_pkg_control;
 use strict;
 use warnings;
 use autodie;
+no lib '.';
 
 use constant ERROR_FILES => qw(control-index-errors control-errors);
 
diff --git a/collection/changelog-file b/collection/changelog-file
index 533b1f8..6cad9fe 100755
--- a/collection/changelog-file
+++ b/collection/changelog-file
@@ -24,6 +24,7 @@ package Lintian::coll::changelog_file;
 use strict;
 use warnings;
 use autodie;
+no lib '.';
 
 use File::Copy qw(copy);
 
diff --git a/collection/copyright-file b/collection/copyright-file
index a8df79d..1142a97 100755
--- a/collection/copyright-file
+++ b/collection/copyright-file
@@ -24,6 +24,7 @@ package Lintian::coll::copyright_file;
 use strict;
 use warnings;
 use autodie;
+no lib '.';
 
 use lib "$ENV{'LINTIAN_ROOT'}/lib";
 use Lintian::Util qw(fail gunzip_file is_ancestor_of touch_file);
diff --git a/collection/debian-readme b/collection/debian-readme
index f8021fd..dba505a 100755
--- a/collection/debian-readme
+++ b/collection/debian-readme
@@ -24,6 +24,7 @@ package Lintian::coll::debian_readme;
 use strict;
 use warnings;
 use autodie;
+no lib '.';
 
 use lib "$ENV{'LINTIAN_ROOT'}/lib";
 use Lintian::Util qw(fail gunzip_file touch_file is_ancestor_of);
diff --git a/collection/diffstat b/collection/diffstat
index 048f4a8..0e298bb 100755
--- a/collection/diffstat
+++ b/collection/diffstat
@@ -30,6 +30,7 @@ package Lintian::coll::diffstat;
 use strict;
 use warnings;
 use autodie;
+no lib '.';
 
 use lib "$ENV{'LINTIAN_ROOT'}/lib";
 use Lintian::Util qw(fail get_dsc_info gunzip_file);
diff --git a/collection/file-info b/collection/file-info
index 8a296b9..2b2ceb3 100755
--- a/collection/file-info
+++ b/collection/file-info
@@ -24,6 +24,7 @@ package Lintian::coll::file_info;
 use strict;
 use warnings;
 use autodie;
+no lib '.';
 
 use FileHandle;
 use lib "$ENV{'LINTIAN_ROOT'}/lib";
diff --git a/collection/hardening-info b/collection/hardening-info
index b0e45c2..f1c7c98 100755
--- a/collection/hardening-info
+++ b/collection/hardening-info
@@ -31,6 +31,7 @@ package Lintian::coll::hardening_info;
 use strict;
 use warnings;
 use autodie;
+no lib '.';
 
 use FileHandle;
 
diff --git a/collection/java-info b/collection/java-info
index 4fa799f..cc74944 100755
--- a/collection/java-info
+++ b/collection/java-info
@@ -24,6 +24,7 @@ package Lintian::coll::java_info;
 use strict;
 use warnings;
 use autodie;
+no lib '.';
 
 use Archive::Zip qw( :ERROR_CODES :CONSTANTS );
 use FileHandle;
diff --git a/collection/md5sums b/collection/md5sums
index c2ce0c0..c8516ec 100755
--- a/collection/md5sums
+++ b/collection/md5sums
@@ -24,6 +24,7 @@ package Lintian::coll::md5sums;
 use strict;
 use warnings;
 use autodie;
+no lib '.';
 
 use FileHandle;
 use lib "$ENV{'LINTIAN_ROOT'}/lib";
diff --git a/collection/objdump-info b/collection/objdump-info
index 39de4aa..28d88b2 100755
--- a/collection/objdump-info
+++ b/collection/objdump-info
@@ -28,6 +28,7 @@ package Lintian::coll::objdump_info;
 use strict;
 use warnings;
 use autodie;
+no lib '.';
 
 use FileHandle;
 
diff --git a/collection/override-file b/collection/override-file
index 89e393b..f31f74a 100755
--- a/collection/override-file
+++ b/collection/override-file
@@ -25,6 +25,7 @@ package Lintian::coll::override_file;
 use strict;
 use warnings;
 use autodie;
+no lib '.';
 
 use lib "$ENV{'LINTIAN_ROOT'}/lib";
 use Lintian::Util qw(fail gunzip_file is_ancestor_of);
diff --git a/collection/scripts b/collection/scripts
index 34ddcda..21041e8 100755
--- a/collection/scripts
+++ b/collection/scripts
@@ -24,6 +24,7 @@ package Lintian::coll::scripts;
 use strict;
 use warnings;
 use autodie;
+no lib '.';
 
 use lib "$ENV{'LINTIAN_ROOT'}/lib/";
 use Lintian::Collect;
diff --git a/collection/src-orig-index b/collection/src-orig-index
index 2c99ff3..1127235 100755
--- a/collection/src-orig-index
+++ b/collection/src-orig-index
@@ -24,6 +24,7 @@ package Lintian::coll::src_orig_index;
 use strict;
 use warnings;
 use autodie;
+no lib '.';
 
 # import perl libraries
 use lib "$ENV{'LINTIAN_ROOT'}/lib";
diff --git a/collection/strings b/collection/strings
index ca2bc7a..37a7dfa 100755
--- a/collection/strings
+++ b/collection/strings
@@ -24,6 +24,7 @@ package Lintian::coll::strings;
 use strict;
 use warnings;
 use autodie;
+no lib '.';
 
 use FileHandle;
 
diff --git a/collection/unpacked b/collection/unpacked
index 465d71a..9e391d7 100755
--- a/collection/unpacked
+++ b/collection/unpacked
@@ -25,6 +25,7 @@ package Lintian::coll::unpacked;
 use strict;
 use warnings;
 use autodie;
+no lib '.';
 
 # Read up to 40kB at the time.  This happens to be 4096 "tar records"
 # (with a block-size of 512 and a block factor of 20, which appears to
diff --git a/debian/changelog b/debian/changelog
index 0f15796..f5d1446 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -12,6 +12,9 @@ lintian (2.5.46) UNRELEASED; urgency=medium
   * checks/manpages.desc:
     + [JW] Fix typos.
 
+  * collection/*:
+    + [JW] Remove "." from Perl's module search path.  (Mitigates: #588017)
+
   * commands/reporting-html-reports.pm:
     + [NT] Fix typo in named parameter that made the raw lintain.log
       unavailable on lintian.debian.org.  Thanks to Guillem Jover
@@ -25,6 +28,12 @@ lintian (2.5.46) UNRELEASED; urgency=medium
   * data/spelling/corrections:
     + [JW] Add more corrections.
 
+  * frontend/dplint:
+    + [JW] Remove "." from Perl's search path.  (Mitigates: #588017)
+
+  * helpers/coll/*:
+    + [JW] Remove "." from Perl's search path.  (Mitigates: #588017)
+
   * lib/Lintian/Output.pm:
     + [JW] Fix typo.
 
diff --git a/frontend/dplint b/frontend/dplint
index e6dd632..e796c37 100755
--- a/frontend/dplint
+++ b/frontend/dplint
@@ -26,6 +26,7 @@
 # in case we need to run a ".pm" tool.
 use strict;
 use warnings;
+no lib '.';
 
 my $TOOL_RUNNER = sub {
     my ($tool_pm_path) = @_;
diff --git a/helpers/coll/file-info-helper b/helpers/coll/file-info-helper
index fd2e388..dcac34d 100755
--- a/helpers/coll/file-info-helper
+++ b/helpers/coll/file-info-helper
@@ -3,6 +3,7 @@
 use strict;
 use warnings;
 use autodie;
+no lib '.';
 
 while (my $line = <>) {
     my ($file, $type) = $line =~ (m/^(.*?)\x00(.*)$/o);
diff --git a/helpers/coll/hardening-info-helper b/helpers/coll/hardening-info-helper
index f0efda0..32c248c 100755
--- a/helpers/coll/hardening-info-helper
+++ b/helpers/coll/hardening-info-helper
@@ -22,6 +22,7 @@
 use strict;
 use warnings;
 use autodie;
+no lib '.';
 
 use FileHandle;
 
diff --git a/helpers/coll/objdump-info-helper b/helpers/coll/objdump-info-helper
index 1426f84..9d5e1dc 100755
--- a/helpers/coll/objdump-info-helper
+++ b/helpers/coll/objdump-info-helper
@@ -29,6 +29,7 @@
 use strict;
 use warnings;
 use autodie;
+no lib '.';
 
 my (@sections, @symbol_versions);
 my @dyn_symbols;
diff --git a/helpers/coll/strings-helper b/helpers/coll/strings-helper
index 912facd..791e8ae 100755
--- a/helpers/coll/strings-helper
+++ b/helpers/coll/strings-helper
@@ -22,6 +22,7 @@
 use strict;
 use warnings;
 use autodie;
+no lib '.';
 
 use File::Basename qw(dirname);
 use IO::Handle;
