From fe10e5ea3e189c442eaeaa049a0664316b64d79a Mon Sep 17 00:00:00 2001
From: Jitka Plesnikova
Date: Aug 02 2016 13:29:13 +0000
Subject: Avoid loading optional modules from default . (CVE-2016-1238)
---
diff --git a/File-Fetch-0.48-CVE-2016-1238-avoid-loading-optional-modules-from.patch b/File-Fetch-0.48-CVE-2016-1238-avoid-loading-optional-modules-from.patch
new file mode 100644
index 0000000..6403751
--- /dev/null
+++ b/File-Fetch-0.48-CVE-2016-1238-avoid-loading-optional-modules-from.patch
@@ -0,0 +1,48 @@
+diff -up File-Fetch/lib/File/Fetch.pm.cve perl-5.24.0/cpan/File-Fetch/lib/File/Fetch.pm
+--- File-Fetch/lib/File/Fetch.pm.cve 2016-02-05 16:26:05.000000000 +0100
++++ File-Fetch/lib/File/Fetch.pm 2016-08-02 13:39:39.819316039 +0200
+@@ -567,6 +567,8 @@ sub _lwp_fetch {
+ 
+ };
+ 
++ local @INC = @INC;
++ pop @INC if $INC[-1] eq '.';
+ unless( can_load( modules => $use_list ) ) {
+ $METHOD_FAIL->{'lwp'} = 1;
+ return;
+@@ -619,6 +621,8 @@ sub _httptiny_fetch {
+ 
+ };
+ 
++ local @INC = @INC;
++ pop @INC if $INC[-1] eq '.';
+ unless( can_load(modules => $use_list) ) {
+ $METHOD_FAIL->{'httptiny'} = 1;
+ return;
+@@ -658,6 +662,8 @@ sub _httplite_fetch {
+ 
+ };
+ 
++ local @INC = @INC;
++ pop @INC if $INC[-1] eq '.';
+ unless( can_load(modules => $use_list) ) {
+ $METHOD_FAIL->{'httplite'} = 1;
+ return;
+@@ -733,6 +739,8 @@ sub _iosock_fetch {
+ 'IO::Select' => '0.0',
+ };
+ 
++ local @INC = @INC;
++ pop @INC if $INC[-1] eq '.';
+ unless( can_load(modules => $use_list) ) {
+ $METHOD_FAIL->{'iosock'} = 1;
+ return;
+@@ -814,6 +822,8 @@ sub _netftp_fetch {
+ check( $tmpl, \%hash ) or return;
+ 
+ ### required modules ###
++ local @INC = @INC;
++ pop @INC if $INC[-1] eq '.';
+ my $use_list = { 'Net::FTP' => 0 };
+ 
+ unless( can_load( modules => $use_list ) ) {
diff --git a/perl-File-Fetch.spec b/perl-File-Fetch.spec
index fb16269..f986b57 100644
--- a/perl-File-Fetch.spec
+++ b/perl-File-Fetch.spec
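Review bot: The new `pop @INC if $INC[-1] eq '.';` strips only a single trailing `.`, so a `.` that sits elsewhere in @INC (PERL5LIB, `-I.`), a duplicated trailing `.`, or another relative entry is still searched by can_load(); that narrow scope is consistent with the upstream CVE-2016-1238 hardening, which removes only perl's implicit trailing `.` and leaves what the user added, but nothing in the hunk records that intent. I would put a comment above each pair, e.g. `# CVE-2016-1238: drop perl's implicit trailing '.' so optional modules are not loaded from the CWD; a '.' the user added explicitly is kept`, so a later maintainer neither broadens it to a grep nor removes it as redundant. The `local @INC` is left in effect for the rest of each sub rather than scoped to the can_load() call, presumably so that modules required lazily during the actual fetch (LWP's protocol handlers, for instance) are covered as well; that is worth a word in the same comment, because a refactor that wraps just the load in a helper would silently lose it. If @INC is ever empty, `$INC[-1]` is undef and the `eq` warns under `use warnings`; `pop @INC if @INC and $INC[-1] eq '.';` avoids that at no cost. Each of _lwp_fetch, _httptiny_fetch, _httplite_fetch, _iosock_fetch and _netftp_fetch starts before and ends after the lines shown.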
@@ -1,11 +1,13 @@
 Name: perl-File-Fetch
 Version: 0.48
-Release: 365%{?dist}
+Release: 366%{?dist}
 Summary: Generic file fetching mechanism
 License: GPL+ or Artistic
 Group: Development/Libraries
 URL: http://search.cpan.org/dist/File-Fetch/
 Source0: http://www.cpan.org/authors/id/B/BI/BINGOS/File-Fetch-%{version}.tar.gz
+# Avoid loading optional modules from default . (CVE-2016-1238)
+Patch0: File-Fetch-0.48-CVE-2016-1238-avoid-loading-optional-modules-from.patch
 BuildArch: noarch
 BuildRequires: perl
 BuildRequires: perl-generators
@@ -50,6 +52,7 @@ File::Fetch allows you to fetch any file pointed to by a "ftp", "http",
 %prep
 %setup -q -n File-Fetch-%{version}
+%patch0 -p1
 %build
 perl Makefile.PL INSTALLDIRS=vendor
@@ -69,6 +72,9 @@ make test
 %{_mandir}/man3/*
 %changelog
+* Tue Aug 02 2016 Jitka Plesnikova - 0.48-366
+- Avoid loading optional modules from default . (CVE-2016-1238)
+
 * Sat May 14 2016 Jitka Plesnikova - 0.48-365
 - Increase release to favour standalone package