Hi release team, the security team deferred patching CVE-2009-1391 to the stable update. I'd also like to get a couple of other bugfixes in, debdiff attached. Please let me know if this is OK by you.
Sorry about the unwrapped debian/control lines; it really is just s/libcpan-plus-perl/libcpanplus-perl/ Changes: perl (5.10.0-19lenny2) stable; urgency=low . * Fix a typo in the replaces/conflicts/provides: libcpan-plus-perl should have been libcpanplus-perl. (Closes: #516289) * Fix a memory leak with the map operator. (Closes: #528332) * Configure CPANPLUS to use the site directories by default. (Closes: #533707) * Save local versions of CPANPLUS::Config::System into /etc/perl. (See #533707) . perl (5.10.0-19lenny1) stable-security; urgency=high . * [SECURITY] CVE-2009-1391: Fix a buffer overflow in Compress::Raw::Zlib. (Closes: #532736) -- Niko Tyni nt...@debian.org
diff -u perl-5.10.0/pp_ctl.c perl-5.10.0/pp_ctl.c --- perl-5.10.0/pp_ctl.c +++ perl-5.10.0/pp_ctl.c @@ -946,7 +946,7 @@ if (PL_op->op_private & OPpGREP_LEX) PAD_SVl(PL_op->op_targ) = src; else - DEFSV = src; + DEFSV_set(src); PUTBACK; if (PL_op->op_type == OP_MAPSTART) @@ -1057,7 +1057,7 @@ if (PL_op->op_private & OPpGREP_LEX) PAD_SVl(PL_op->op_targ) = src; else - DEFSV = src; + DEFSV_set(src); RETURNOP(cLOGOP->op_other); } @@ -4663,7 +4663,7 @@ SAVETMPS; EXTEND(SP, 2); - DEFSV = upstream; + DEFSV_set(upstream); PUSHMARK(SP); PUSHs(sv_2mortal(newSViv(0))); if (filter_state) { diff -u perl-5.10.0/pp_hot.c perl-5.10.0/pp_hot.c --- perl-5.10.0/pp_hot.c +++ perl-5.10.0/pp_hot.c @@ -2398,7 +2398,7 @@ if (PL_op->op_private & OPpGREP_LEX) PAD_SVl(PL_op->op_targ) = src; else - DEFSV = src; + DEFSV_set(src); RETURNOP(cLOGOP->op_other); } diff -u perl-5.10.0/patches-applied perl-5.10.0/patches-applied --- perl-5.10.0/patches-applied +++ perl-5.10.0/patches-applied @@ -38,6 +38,8 @@ debian/patches/37_fix_coredump_indicator debian/patches/38_fix_weaken_memleak debian/patches/39_fix_archive_tar_symlink_unpack +debian/patches/40_compress_raw_zlib_cve_2009_1391 +debian/patches/41_map_memleak.diff debian/patches/50_debian_use_gdbm debian/patches/51_debian_ld_run_path debian/patches/52_debian_extutils_hacks @@ -64,0 +67,2 @@ +debian/patches/74_debian_cpanplus_config_path +debian/patches/75_debian_cpanplus_definstalldirs diff -u perl-5.10.0/perl.h perl-5.10.0/perl.h --- perl-5.10.0/perl.h +++ perl-5.10.0/perl.h 
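Review bot: In the patches-applied hunk at `@@ -38,6 +38,8 @@`, the new entry `debian/patches/41_map_memleak.diff` is the only series member with a `.diff` suffix; its neighbours `40_compress_raw_zlib_cve_2009_1391`, `74_debian_cpanplus_config_path` and `75_debian_cpanplus_definstalldirs` use bare names, and the file itself is added under the suffixed name elsewhere on this page, so the inconsistency lives in the file name rather than just the list. Renaming both the file and the series line to `debian/patches/41_map_memleak` would keep the series uniform and make the naming rule obvious to the next person adding a patch. This is a style point only; the ordering of the new entries before the 50_ Debian patches is consistent with the rest of the list.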
@@ -1292,8 +1292,12 @@ #endif #define ERRSV GvSV(PL_errgv) -/* FIXME? Change the assignments to PL_defgv to instantiate GvSV? */ -#define DEFSV GvSVn(PL_defgv) +#ifdef PERL_CORE +# define DEFSV (0 + GvSVn(PL_defgv)) +#else +# define DEFSV GvSVn(PL_defgv) +#endif +#define DEFSV_set(sv) (GvSV(PL_defgv) = (sv)) #define SAVE_DEFSV SAVESPTR(GvSV(PL_defgv)) #define ERRHV GvHV(PL_errgv) /* XXX unused, here for compatibility */ diff -u perl-5.10.0/debian/control perl-5.10.0/debian/control --- perl-5.10.0/debian/control +++ perl-5.10.0/debian/control 
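Review bot: The removed `FIXME?` comment is not replaced by anything, so the new `#ifdef PERL_CORE` block gives no hint of why `DEFSV` is wrapped in `0 + ...`, which is the whole mechanism of the leak fix; add a comment above it such as `/* Under PERL_CORE, DEFSV is an rvalue so core code must use DEFSV_set(). Assigning through GvSVn() first instantiates an SV in the glob and then overwrites the pointer, leaking it ([perl #53038]). */`, with the bug reference taken from the vendored 41_map_memleak patch on this page. The same comment should state that the non-core branch deliberately keeps `DEFSV` assignable, so XS extensions that still write `DEFSV = sv` keep the old behaviour; from the visible lines that looks like an intentional compatibility choice rather than an oversight, but it is worth recording. `DEFSV_set` goes through `GvSV` rather than `GvSVn`, so it stores the pointer without creating an SV first, which matches the stated intent; the call-site hunks in pp_ctl.c, pp_hot.c, XSUB.h and regexec.c are mechanical and need no separate note.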
@@ -69,9 +69,9 @@ Priority: standard Architecture: all Depends: perl (>= ${Upstream-Version}-1) -Conflicts: libpod-parser-perl (<< 1.32-1), libansicolor-perl (<< 1.10-1), libfile-temp-perl (<< 0.18), libnet-perl (<= 1:1.19-3), libattribute-handlers-perl (<< 0.78.02-1), libcgi-pm-perl (<< 3.15-1), libi18n-langtags-perl (<< 0.35-1), liblocale-maketext-perl (<< 1.08-1), libmath-bigint-perl (<< 1.77-1), libnet-ping-perl (<< 2.31-1), libtest-harness-perl (<< 2.56-1), libtest-simple-perl (<< 0.62-1), liblocale-codes-perl (<< 2.06.1-1), libmodule-corelist-perl (<< 2.13-1), libio-zlib-perl (<< 1.07-1), libarchive-tar-perl (<= 1.38-2), libextutils-cbuilder-perl (<< 0.21-1), libmodule-build-perl (<< 0.2808.1-1), libmodule-load-perl (<< 0.12-1), liblocale-maketext-simple-perl (<< 0.18-1), libparams-check-perl (<< 0.26-1), libmodule-pluggable-perl (<< 3.6-1), libmodule-load-conditional-perl (<< 0.22-1), libcpan-plus-perl (<< 0.83.09-1), libversion-perl (<< 1:0.7400-2), libpod-simple-perl (<< 3.05-2), libextutils-parsexs-perl (<= 2.18), podlators-perl (<< 2.2.0) -Replaces: libpod-parser-perl, libansicolor-perl, libfile-temp-perl, libnet-perl, libattribute-handlers-perl, libcgi-pm-perl, libi18n-langtags-perl, liblocale-maketext-perl, libmath-bigint-perl, libnet-ping-perl, libtest-harness-perl, libtest-simple-perl, liblocale-codes-perl, libmodule-corelist-perl, libio-zlib-perl, libarchive-tar-perl, libextutils-cbuilder-perl, libmodule-build-perl, libmodule-load-perl, liblocale-maketext-simple-perl, libparams-check-perl, libmodule-pluggable-perl, libmodule-load-conditional-perl, libcpan-plus-perl, libversion-perl, libpod-simple-perl, libextutils-parsexs-perl, podlators-perl -Provides: libpod-parser-perl, libansicolor-perl, libfile-temp-perl, libnet-perl, libattribute-handlers-perl, libcgi-pm-perl, libi18n-langtags-perl, liblocale-maketext-perl, libmath-bigint-perl, libnet-ping-perl, libtest-harness-perl, libtest-simple-perl, liblocale-codes-perl, libmodule-corelist-perl, 
libio-zlib-perl, libarchive-tar-perl, libextutils-cbuilder-perl, libmodule-build-perl, libmodule-load-perl, liblocale-maketext-simple-perl, libparams-check-perl, libmodule-pluggable-perl, libmodule-load-conditional-perl, libcpan-plus-perl, libversion-perl, libpod-simple-perl, libextutils-parsexs-perl, podlators-perl +Conflicts: libpod-parser-perl (<< 1.32-1), libansicolor-perl (<< 1.10-1), libfile-temp-perl (<< 0.18), libnet-perl (<= 1:1.19-3), libattribute-handlers-perl (<< 0.78.02-1), libcgi-pm-perl (<< 3.15-1), libi18n-langtags-perl (<< 0.35-1), liblocale-maketext-perl (<< 1.08-1), libmath-bigint-perl (<< 1.77-1), libnet-ping-perl (<< 2.31-1), libtest-harness-perl (<< 2.56-1), libtest-simple-perl (<< 0.62-1), liblocale-codes-perl (<< 2.06.1-1), libmodule-corelist-perl (<< 2.13-1), libio-zlib-perl (<< 1.07-1), libarchive-tar-perl (<= 1.38-2), libextutils-cbuilder-perl (<< 0.21-1), libmodule-build-perl (<< 0.2808.1-1), libmodule-load-perl (<< 0.12-1), liblocale-maketext-simple-perl (<< 0.18-1), libparams-check-perl (<< 0.26-1), libmodule-pluggable-perl (<< 3.6-1), libmodule-load-conditional-perl (<< 0.22-1), libcpanplus-perl (<< 0.83.09-1), libversion-perl (<< 1:0.7400-2), libpod-simple-perl (<< 3.05-2), libextutils-parsexs-perl (<= 2.18), podlators-perl (<< 2.2.0) +Replaces: libpod-parser-perl, libansicolor-perl, libfile-temp-perl, libnet-perl, libattribute-handlers-perl, libcgi-pm-perl, libi18n-langtags-perl, liblocale-maketext-perl, libmath-bigint-perl, libnet-ping-perl, libtest-harness-perl, libtest-simple-perl, liblocale-codes-perl, libmodule-corelist-perl, libio-zlib-perl, libarchive-tar-perl, libextutils-cbuilder-perl, libmodule-build-perl, libmodule-load-perl, liblocale-maketext-simple-perl, libparams-check-perl, libmodule-pluggable-perl, libmodule-load-conditional-perl, libcpanplus-perl, libversion-perl, libpod-simple-perl, libextutils-parsexs-perl, podlators-perl +Provides: libpod-parser-perl, libansicolor-perl, libfile-temp-perl, libnet-perl, 
libattribute-handlers-perl, libcgi-pm-perl, libi18n-langtags-perl, liblocale-maketext-perl, libmath-bigint-perl, libnet-ping-perl, libtest-harness-perl, libtest-simple-perl, liblocale-codes-perl, libmodule-corelist-perl, libio-zlib-perl, libarchive-tar-perl, libextutils-cbuilder-perl, libmodule-build-perl, libmodule-load-perl, liblocale-maketext-simple-perl, libparams-check-perl, libmodule-pluggable-perl, libmodule-load-conditional-perl, libcpanplus-perl, libversion-perl, libpod-simple-perl, libextutils-parsexs-perl, podlators-perl Description: Core Perl modules Architecture independent Perl modules. These modules are part of Perl and required if the `perl' package is installed. diff -u perl-5.10.0/debian/changelog perl-5.10.0/debian/changelog --- perl-5.10.0/debian/changelog +++ perl-5.10.0/debian/changelog @@ -1,3 +1,22 @@ +perl (5.10.0-19lenny2) stable; urgency=low + + * Fix a typo in the replaces/conflicts/provides: libcpan-plus-perl + should have been libcpanplus-perl. (Closes: #516289) + * Fix a memory leak with the map operator. (Closes: #528332) + * Configure CPANPLUS to use the site directories by default. + (Closes: #533707) + * Save local versions of CPANPLUS::Config::System into /etc/perl. + (See #533707) + + -- Niko Tyni <nt...@debian.org> Wed, 26 Aug 2009 22:51:22 +0300 + +perl (5.10.0-19lenny1) stable-security; urgency=high + + * [SECURITY] CVE-2009-1391: Fix a buffer overflow in Compress::Raw::Zlib. + (Closes: #532736) + + -- Niko Tyni <nt...@debian.org> Fri, 12 Jun 2009 23:22:04 +0300 + perl (5.10.0-19) unstable; urgency=low * Downgrade the perl-doc recommendation to a suggestion. only in patch2: unchanged: --- perl-5.10.0.orig/XSUB.h +++ perl-5.10.0/XSUB.h 
@@ -364,10 +364,10 @@ SAVETMPS ; \ SAVEINT(db->filtering) ; \ db->filtering = TRUE ; \ - SAVESPTR(DEFSV) ; \ + SAVE_DEFSV ; \ if (name[7] == 's') \ arg = newSVsv(arg); \ - DEFSV = arg ; \ + DEFSV_set(arg) ; \ SvTEMP_off(arg) ; \ PUSHMARK(SP) ; \ PUTBACK ; \ only in patch2: unchanged: --- perl-5.10.0.orig/regexec.c +++ perl-5.10.0/regexec.c @@ -2230,7 +2230,7 @@ /* Make $_ available to executed code. */ if (reginfo->sv != DEFSV) { SAVE_DEFSV; - DEFSV = reginfo->sv; + DEFSV_set(reginfo->sv); } if (!(SvTYPE(reginfo->sv) >= SVt_PVMG && SvMAGIC(reginfo->sv) only in patch2: unchanged: --- perl-5.10.0.orig/lib/CPANPLUS/Configure.pm +++ perl-5.10.0/lib/CPANPLUS/Configure.pm @@ -242,6 +242,7 @@ If this package is not C<CPANPLUS::Config::System>, it will be saved in your C<.cpanplus> directory, otherwise it will be attempted to be saved in the system wide directory. +(On Debian systems, this system wide directory is /etc/perl.) If no argument is provided, it will default to your personal config. only in patch2: unchanged: --- perl-5.10.0.orig/lib/CPANPLUS/Config/System.pm +++ perl-5.10.0/lib/CPANPLUS/Config/System.pm @@ -0,0 +1,30 @@ +### minimal pod, so you can find it with perldoc -l, etc +=pod + +=head1 NAME + +CPANPLUS::Config::System + +=head1 DESCRIPTION + +This is a CPANPLUS configuration file that sets appropriate default +settings on Debian systems. + +The only preconfigured settings are C<makemakerflags> (set to +C<INSTALLDIRS=site>) and C<buildflags> (set to C<--installdirs site>). + +These settings will not have any effect if +C</etc/perl/CPANPLUS/Config/System.pm> is present. + +=cut + + +package CPANPLUS::Config::System; + +sub setup { + my $conf = shift; + $conf->set_conf( makemakerflags => 'INSTALLDIRS=site' ); + $conf->set_conf( buildflags => '--installdirs site' ); +} + +1; only in patch2: unchanged: --- perl-5.10.0.orig/lib/CPANPLUS/Internals/Constants.pm +++ perl-5.10.0/lib/CPANPLUS/Internals/Constants.pm 
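Review bot: The new `lib/CPANPLUS/Config/System.pm` has no `use strict; use warnings;`, and `setup` falls off its end so its return value is whatever the last `set_conf` call happens to yield; add `use strict;` and `use warnings;` after the `package` line and end `setup` with `return;`. The POD should also say what `setup` is handed: the body only shows a single argument used as `$conf->set_conf(...)`, presumably a CPANPLUS::Configure object, which should be confirmed against the caller before documenting it. The POD sentence about `/etc/perl/CPANPLUS/Config/System.pm` taking precedence describes behaviour implemented in the Constants.pm hunk on this page, so a one-line pointer to `CONFIG_SYSTEM_FILE` would help a reader find where that override actually happens.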
@@ -185,6 +185,9 @@ ) . '.pm'; }; use constant CONFIG_SYSTEM_FILE => sub { + # Debian-specific shortcut + return '/etc/perl/CPANPLUS/Config/System.pm'; + require CPANPLUS::Internals; require File::Basename; my $dir = File::Basename::dirname( only in patch2: unchanged: --- perl-5.10.0.orig/ext/Compress/Raw/Zlib/Zlib.xs +++ perl-5.10.0/ext/Compress/Raw/Zlib/Zlib.xs @@ -1295,7 +1295,7 @@ if (s->stream.avail_out == 0 ) { /* out of space in the output buffer so make it bigger */ - Sv_Grow(output, SvLEN(output) + bufinc) ; + Sv_Grow(output, SvLEN(output) + bufinc +1) ; cur_length += increment ; s->stream.next_out = (Bytef*) SvPVbyte_nolen(output) + cur_length ; increment = bufinc ; only in patch2: unchanged: --- perl-5.10.0.orig/debian/patches/40_compress_raw_zlib_cve_2009_1391 +++ perl-5.10.0/debian/patches/40_compress_raw_zlib_cve_2009_1391 @@ -0,0 +1,27 @@ +From: Niko Tyni <nt...@debian.org> +Subject: [PATCH] [CVE-2009-1391] Buffer overflow in Compress::Raw::Zlib +Closes: 532736 + +Fix cherry-picked from upstream 2.017. + +https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2009-1391 + +--- + ext/Compress/Raw/Zlib/Zlib.xs | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +diff --git a/ext/Compress/Raw/Zlib/Zlib.xs b/ext/Compress/Raw/Zlib/Zlib.xs +index b100f4c..a80c581 100644 +--- a/ext/Compress/Raw/Zlib/Zlib.xs ++++ b/ext/Compress/Raw/Zlib/Zlib.xs +@@ -1295,7 +1295,7 @@ inflate (s, buf, output, eof=FALSE) + + if (s->stream.avail_out == 0 ) { + /* out of space in the output buffer so make it bigger */ +- Sv_Grow(output, SvLEN(output) + bufinc) ; ++ Sv_Grow(output, SvLEN(output) + bufinc +1) ; + cur_length += increment ; + s->stream.next_out = (Bytef*) SvPVbyte_nolen(output) + cur_length ; + increment = bufinc ; +-- +tg: (71b2123..) fixes/compress-raw-zlib-cve-2009-1391 (depends on: upstream) only in patch2: unchanged: --- perl-5.10.0.orig/debian/patches/75_debian_cpanplus_definstalldirs +++ perl-5.10.0/debian/patches/75_debian_cpanplus_definstalldirs 
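Review bot: The unconditional `return '/etc/perl/CPANPLUS/Config/System.pm';` at the top of `CONFIG_SYSTEM_FILE` makes the remaining body (`require CPANPLUS::Internals;`, `require File::Basename;`, the `dirname(` computation) unreachable; Perl::Critic's ProhibitUnreachableCode will flag it, and a reader has to guess that the upstream lookup is kept only to keep the patch small. Either drop the dead lines or extend the comment, e.g. `# Debian-specific shortcut: the system config lives under /etc by policy; the upstream lookup below is intentionally left unreachable to keep this patch minimal.` It is also worth noting in that comment that a fixed absolute path means the system config location no longer appears to depend on where CPANPLUS::Internals was loaded from, which is a small hardening as well as a policy fix. The enclosing `use constant` block continues past the hunk.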
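Review bot: The `+1` added to the `Sv_Grow` size in `inflate` carries no comment, so it reads as an arbitrary fudge that a later cleanup could remove; add one on the changed line such as `/* +1: leave room for the trailing NUL (CVE-2009-1391, upstream 2.017) */`. From the visible lines the need appears to be that `next_out` is pointed at `SvPVbyte_nolen(output) + cur_length` and the buffer may be filled completely before Perl NUL-terminates the string, but the exact overflow path is not shown here and should be confirmed against the upstream fix before the comment states it as fact. The vendored `debian/patches/40_compress_raw_zlib_cve_2009_1391` on this page records the cherry-pick provenance, which is the right reference to cite. The enclosing `inflate` body extends beyond the hunk.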
@@ -0,0 +1,52 @@ +From: Niko Tyni <nt...@debian.org> +Subject: Configure CPANPLUS to use the site directories by default. +Closes: 533707 + +The core modules usually default to INSTALLDIRS=perl (ExtUtils::MakeMaker) +or installdirs=core (Module::Build), so we need to explicitly ask for +the site destination to get upgraded versions into /usr/local. + +See also the sister patch, debian/cpan_definstalldirs . + +--- + lib/CPANPLUS/Config/System.pm | 30 ++++++++++++++++++++++++++++++ + 1 files changed, 30 insertions(+), 0 deletions(-) + +diff --git a/lib/CPANPLUS/Config/System.pm b/lib/CPANPLUS/Config/System.pm +new file mode 100644 +index 0000000..5e6e11e +--- /dev/null ++++ b/lib/CPANPLUS/Config/System.pm +@@ -0,0 +1,30 @@ ++### minimal pod, so you can find it with perldoc -l, etc ++=pod ++ ++=head1 NAME ++ ++CPANPLUS::Config::System ++ ++=head1 DESCRIPTION ++ ++This is a CPANPLUS configuration file that sets appropriate default ++settings on Debian systems. ++ ++The only preconfigured settings are C<makemakerflags> (set to ++C<INSTALLDIRS=site>) and C<buildflags> (set to C<--installdirs site>). ++ ++These settings will not have any effect if ++C</etc/perl/CPANPLUS/Config/System.pm> is present. ++ ++=cut ++ ++ ++package CPANPLUS::Config::System; ++ ++sub setup { ++ my $conf = shift; ++ $conf->set_conf( makemakerflags => 'INSTALLDIRS=site' ); ++ $conf->set_conf( buildflags => '--installdirs site' ); ++} ++ ++1; +-- +tg: (71b2123..) debian/cpanplus_definstalldirs (depends on: upstream) only in patch2: unchanged: --- perl-5.10.0.orig/debian/patches/41_map_memleak.diff +++ perl-5.10.0/debian/patches/41_map_memleak.diff 
@@ -0,0 +1,111 @@ +From: Niko Tyni <nt...@debian.org> +Subject: fix a memory leak with the map operator +Closes: 528332 + +[perl #53038] +maint-5.10 commit 8293631c04365e5d81c3bb948898f139d2f340ff + + +--- + XSUB.h | 4 ++-- + perl.h | 8 ++++++-- + pp_ctl.c | 6 +++--- + pp_hot.c | 2 +- + regexec.c | 2 +- + 5 files changed, 13 insertions(+), 9 deletions(-) + +diff --git a/XSUB.h b/XSUB.h +index a149115..6f70d6b 100644 +--- a/XSUB.h ++++ b/XSUB.h +@@ -364,10 +364,10 @@ Rethrows a previously caught exception. See L<perlguts/"Exception Handling">. + SAVETMPS ; \ + SAVEINT(db->filtering) ; \ + db->filtering = TRUE ; \ +- SAVESPTR(DEFSV) ; \ ++ SAVE_DEFSV ; \ + if (name[7] == 's') \ + arg = newSVsv(arg); \ +- DEFSV = arg ; \ ++ DEFSV_set(arg) ; \ + SvTEMP_off(arg) ; \ + PUSHMARK(SP) ; \ + PUTBACK ; \ +diff --git a/perl.h b/perl.h +index e48f768..96e9c6b 100644 +--- a/perl.h ++++ b/perl.h +@@ -1287,8 +1287,12 @@ EXTERN_C char *crypt(const char *, const char *); + #endif + + #define ERRSV GvSV(PL_errgv) +-/* FIXME? Change the assignments to PL_defgv to instantiate GvSV? 
*/ +-#define DEFSV GvSVn(PL_defgv) ++#ifdef PERL_CORE ++# define DEFSV (0 + GvSVn(PL_defgv)) ++#else ++# define DEFSV GvSVn(PL_defgv) ++#endif ++#define DEFSV_set(sv) (GvSV(PL_defgv) = (sv)) + #define SAVE_DEFSV SAVESPTR(GvSV(PL_defgv)) + + #define ERRHV GvHV(PL_errgv) /* XXX unused, here for compatibility */ +diff --git a/pp_ctl.c b/pp_ctl.c +index 64157f3..4e75ccb 100644 +--- a/pp_ctl.c ++++ b/pp_ctl.c +@@ -947,7 +947,7 @@ PP(pp_grepstart) + if (PL_op->op_private & OPpGREP_LEX) + PAD_SVl(PL_op->op_targ) = src; + else +- DEFSV = src; ++ DEFSV_set(src); + + PUTBACK; + if (PL_op->op_type == OP_MAPSTART) +@@ -1058,7 +1058,7 @@ PP(pp_mapwhile) + if (PL_op->op_private & OPpGREP_LEX) + PAD_SVl(PL_op->op_targ) = src; + else +- DEFSV = src; ++ DEFSV_set(src); + + RETURNOP(cLOGOP->op_other); + } +@@ -4684,7 +4684,7 @@ S_run_user_filter(pTHX_ int idx, SV *buf_sv, int maxlen) + SAVETMPS; + EXTEND(SP, 2); + +- DEFSV = upstream; ++ DEFSV_set(upstream); + PUSHMARK(SP); + PUSHs(sv_2mortal(newSViv(0))); + if (filter_state) { +diff --git a/pp_hot.c b/pp_hot.c +index 57fa328..2dcbd24 100644 +--- a/pp_hot.c ++++ b/pp_hot.c +@@ -2395,7 +2395,7 @@ PP(pp_grepwhile) + if (PL_op->op_private & OPpGREP_LEX) + PAD_SVl(PL_op->op_targ) = src; + else +- DEFSV = src; ++ DEFSV_set(src); + + RETURNOP(cLOGOP->op_other); + } +diff --git a/regexec.c b/regexec.c +index a02a0c0..b839b32 100644 +--- a/regexec.c ++++ b/regexec.c +@@ -2230,7 +2230,7 @@ S_regtry(pTHX_ regmatch_info *reginfo, char **startpos) + /* Make $_ available to executed code. */ + if (reginfo->sv != DEFSV) { + SAVE_DEFSV; +- DEFSV = reginfo->sv; ++ DEFSV_set(reginfo->sv); + } + + if (!(SvTYPE(reginfo->sv) >= SVt_PVMG && SvMAGIC(reginfo->sv) +-- +tg: (71b2123..) fixes/map-memleak (depends on: upstream) only in patch2: unchanged: --- perl-5.10.0.orig/debian/patches/74_debian_cpanplus_config_path +++ perl-5.10.0/debian/patches/74_debian_cpanplus_config_path 
@@ -0,0 +1,43 @@ +From: Niko Tyni <nt...@debian.org> +Subject: Save local versions of CPANPLUS::Config::System into /etc/perl. + +This is a configuration file and needs to go in /etc by policy. +Besides, /usr may not even be writable. + +This mirrors the Debian setup of CPAN.pm in debian/cpan_config_path. + +See #533707. + +--- + lib/CPANPLUS/Configure.pm | 1 + + lib/CPANPLUS/Internals/Constants.pm | 3 +++ + 2 files changed, 4 insertions(+), 0 deletions(-) + +diff --git a/lib/CPANPLUS/Configure.pm b/lib/CPANPLUS/Configure.pm +index d890d1c..b23cc7c 100644 +--- a/lib/CPANPLUS/Configure.pm ++++ b/lib/CPANPLUS/Configure.pm +@@ -242,6 +242,7 @@ Saves the configuration to the package name you provided. + If this package is not C<CPANPLUS::Config::System>, it will + be saved in your C<.cpanplus> directory, otherwise it will + be attempted to be saved in the system wide directory. ++(On Debian systems, this system wide directory is /etc/perl.) + + If no argument is provided, it will default to your personal + config. +diff --git a/lib/CPANPLUS/Internals/Constants.pm b/lib/CPANPLUS/Internals/Constants.pm +index bfd4439..81136fb 100644 +--- a/lib/CPANPLUS/Internals/Constants.pm ++++ b/lib/CPANPLUS/Internals/Constants.pm +@@ -185,6 +185,9 @@ use constant CONFIG_USER_FILE => sub { + ) . '.pm'; + }; + use constant CONFIG_SYSTEM_FILE => sub { ++ # Debian-specific shortcut ++ return '/etc/perl/CPANPLUS/Config/System.pm'; ++ + require CPANPLUS::Internals; + require File::Basename; + my $dir = File::Basename::dirname( +-- +tg: (71b2123..) debian/cpanplus_config_path (depends on: upstream)