[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: [xsawyerx@gmail.com: CVE-2016-1238: Important unsafe module load path flaw]

On Mon, Jul 25, 2016 at 09:46:46PM +0200, gregor herrmann wrote:
> On Mon, 25 Jul 2016 15:15:30 +0100, Dominic Hargreaves wrote:
> 
> > Please could team members look at the patches I've applied in the
> > jessie-security branches of
> > 
> > - libmodule-build-perl
> > - libmime-charset-perl
> > - libmime-encwords-perl
> > - libnet-dns-perl
> > 
> > and apply a similar fix to sid and forwarding upstream? 
> 
> The former three are done by Salavatore (libmime*) and me (M::B).
> For libnet-dns-perl I tried to adjust the patch from jessie-security
> to sid but I'm not really sure if this is correct and/or sufficent
> (lot's of other 'require's, the same constants also defined in 2 test
> files ...). 
> 
> Maybe you could take a look at this patch/package?

Hi gregor,

Apologies for the severe delay in responding to this. I also noticed
that this package was a bit gnarly when it came to fixing this issue
consistently.

Given that '.' has now been removed from @INC by default in sid, I am
inclined not to worry too much about this one now.

Cheers,
Dominic.
Reply to: