From: Tony Cook Date: Thu, 15 Sep 2016 00:28:09 +0000 (+1000) Subject: CVE-2016-1238 mitigation X-Git-Tag: v1.006~6 X-Git-Url: http://git.imager.perl.org/imager.git/commitdiff_plain/b1736e02fc399356d27fd45919adde71c192d1c4 CVE-2016-1238 mitigation ensure the default . is removed from @INC when attempting to load optional modules: - file format modules loaded by read(), write() etc and the %formats tie code - Affix::Infix2Postfix loaded by transform() - Parse::RecDescent loaded by Imager::Expr --- diff --git a/Imager.pm b/Imager.pm index 9cb1ab12..706eb6d7 100644 --- a/Imager.pm +++ b/Imager.pm @@ -1668,6 +1668,8 @@ sub _load_file { else { local $SIG{__DIE__}; my $loaded = eval { + local @INC = @INC; + pop @INC if $INC[-1] eq '.'; ++$attempted_to_load{$file}; require $file; return 1; @@ -2398,8 +2400,12 @@ sub transform { if ( $opts{'xexpr'} and $opts{'yexpr'} ) { if (!$I2P) { - eval ("use Affix::Infix2Postfix;"); - print $@; + { + local @INC = @INC; + pop @INC if $INC[-1] eq '.'; + eval ("use Affix::Infix2Postfix;"); + } + if ( $@ ) { $self->{ERRSTR}='transform: expr given and Affix::Infix2Postfix is not avaliable.'; return undef; @@ -4334,6 +4340,8 @@ sub preload { # - something for Module::ScanDeps to analyze # https://rt.cpan.org/Ticket/Display.html?id=6566 local $@; + local @INC = @INC; + pop @INC if $INC[-1] eq '.'; eval { require Imager::File::GIF }; eval { require Imager::File::JPEG }; eval { require Imager::File::PNG }; diff --git a/lib/Imager/Expr.pm b/lib/Imager/Expr.pm index 3e1a41e9..0668d198 100644 --- a/lib/Imager/Expr.pm +++ b/lib/Imager/Expr.pm @@ -4,7 +4,7 @@ use Imager::Regops; use strict; use vars qw($VERSION); -$VERSION = "1.006"; +$VERSION = "1.007"; my %expr_types; 
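Review bot: The pair added inside the `eval` in `_load_file` (`local @INC = @INC; pop @INC if $INC[-1] eq '.';`) has no comment saying why the last @INC entry is dropped, and the same pair is repeated uncommented in `transform`, `preload` and lib/Imager/Expr.pm. A one-line comment at each site, such as `# CVE-2016-1238: don't search the default trailing "." when loading optional modules`, would keep a later cleanup from removing it as dead code. The comment should also say that only a trailing `.` is removed, so a `.` that sits elsewhere in @INC is still searched. `_load_file` starts and ends outside the hunk.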
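Review bot: In `transform`, the success test `if ( $@ )` runs only after the bare block holding the string `eval` has closed, so it relies on nothing resetting `$@` during scope exit. Recording the outcome inside the block is more robust: declare `my $have_i2p;` before the block, assign `$have_i2p = eval "use Affix::Infix2Postfix; 1";` inside it, and test `if ( !$have_i2p )`. The lib/Imager/Expr.pm hunk likewise tests `$@` (`if !$@`) rather than the eval's result and could use the same form. Removing `print $@;` is right, but the load error is now discarded entirely, which may make a failed optional load harder to diagnose. `transform` continues outside the hunk.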
@@ -323,9 +323,12 @@ use vars qw(@ISA); @ISA = qw(Imager::Expr); use Imager::Regops qw(%Attr $MaxOperands); - -eval "use Parse::RecDescent;"; -__PACKAGE__->register_type('expr') if !$@; +{ + local @INC = @INC; + pop @INC if $INC[-1] eq '.'; + eval "use Parse::RecDescent;"; + __PACKAGE__->register_type('expr') if !$@; +} # I really prefer bottom-up parsers my $grammar = <<'GRAMMAR';