Close the eval "require $module" security hole in Digest->new($algorithm)
authorMichael G. Schwern <schwern@pobox.com>
Mon, 3 Oct 2011 18:05:29 +0000 (19:05 +0100)
committerRicardo Signes <rjbs@cpan.org>
Thu, 9 Aug 2012 20:04:11 +0000 (16:04 -0400)
Also the filter was incomplete.

Bug-Debian: http://bugs.debian.org/644108

MANIFEST
cpan/Digest/Digest.pm
cpan/Digest/t/security.t [new file with mode: 0644]

index fc11838..c834b79 100644 (file)
--- a/MANIFEST
+++ b/MANIFEST
@@ -759,6 +759,7 @@ cpan/Digest-SHA/typemap                     Typemap for Digest::SHA
 cpan/Digest/t/base.t           See if Digest extensions work
 cpan/Digest/t/digest.t         See if Digest extensions work
 cpan/Digest/t/file.t           See if Digest extensions work
+cpan/Digest/t/security.t       See if Digest extensions work
 cpan/Encode/AUTHORS            List of authors
 cpan/Encode/bin/enc2xs         Encode module generator
 cpan/Encode/bin/piconv         iconv by perl
index 384dfc8..d714434 100644 (file)
@@ -24,7 +24,7 @@ sub new
     shift;  # class ignored
     my $algorithm = shift;
     my $impl = $MMAP{$algorithm} || do {
-       $algorithm =~ s/\W+//;
+       $algorithm =~ s/\W+//g;
        "Digest::$algorithm";
     };
     $impl = [$impl] unless ref($impl);
@@ -35,7 +35,9 @@ sub new
        ($class, @args) = @$class if ref($class);
        no strict 'refs';
        unless (exists ${"$class\::"}{"VERSION"}) {
-           eval "require $class";
+           my $pm_file = $class . ".pm";
+           $pm_file =~ s{::}{/}g;
+           eval { require $pm_file };
            if ($@) {
                $err ||= $@;
                next;
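Review bot: The fallback in the first hunk still repairs a caller-supplied name instead of rejecting it — `s/\W+//g` silently turns an argument like `MD;5` into `Digest::MD5` — so an unexpected string now yields a different module lookup rather than an error; with the string eval gone this is no longer code execution, but a validate-don't-fix check is a clearer contract: `die "Invalid algorithm name '$algorithm'" unless $algorithm =~ /\A\w+\z/;` in place of the substitution (note that `\w` may admit non-ASCII letters depending on the Perl version and string flags, which is presumably harmless here but worth a comment). The `$pm_file` lines deserve a why-comment such as `# require a file path, not a package name: a string argument to require is never compiled as code`, since the `::` to `/` rewrite is the whole point of the fix and a future cleanup could easily revert it to the package form. The enclosing `new` continues outside this hunk; the `$class->new(@args)` call and the handling of `$err` after the loop are not visible here.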
diff --git a/cpan/Digest/t/security.t b/cpan/Digest/t/security.t
new file mode 100644 (file)
index 0000000..5cba122
--- /dev/null
@@ -0,0 +1,14 @@
+#!/usr/bin/env perl
+
+# Digest->new() had an exploitable eval
+
+use strict;
+use warnings;
+
+use Test::More tests => 1;
+
+use Digest;
+
+$LOL::PWNED = 0;
+eval { Digest->new(q[MD;5;$LOL::PWNED = 42]) };
+is $LOL::PWNED, 0;
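Review bot: The `is` on the last line carries no description, so a failure reports only the two values; `is $LOL::PWNED, 0, 'argument to Digest->new() is not evaluated as code';` states what is being guarded. The `eval { ... }` around `Digest->new` discards whatever exception the unknown algorithm produces, which is intended here because the assertion is on the side effect, but a one-line comment above it saying that `new` is expected to die for this name would keep a later reader from treating the swallowed error as a missed check. The probe presumably uses two separators because the old `s/\W+//` without `/g` removed only the first run of non-word characters; recording that in the header comment would explain why the payload is shaped the way it is.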