From c161d7d7375798dbd0cc3e174cd7bfe3e5ad1b2f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppi...@redhat.com>
Date: Tue, 12 Jan 2016 09:52:19 +0100
Subject: 3.62 bump
---
 .gitignore | 1 +
 ...nsure-File-Spec-canonpath-preserves-taint.patch | 71 ----------------------
 perl-PathTools.spec | 10 +--
 sources | 2 +-
 4 files changed, 7 insertions(+), 77 deletions(-)
 delete mode 100644 perl-5.23.6-ensure-File-Spec-canonpath-preserves-taint.patch
diff --git a/.gitignore b/.gitignore
index c6000cd..b536e2e 100644
--- a/.gitignore
+++ b/.gitignore
@@ -4,3 +4,4 @@
 /PathTools-3.47.tar.gz
 /PathTools-3.59.tar.gz
 /PathTools-3.60.tar.gz
+/PathTools-3.62.tar.gz
diff --git a/perl-5.23.6-ensure-File-Spec-canonpath-preserves-taint.patch b/perl-5.23.6-ensure-File-Spec-canonpath-preserves-taint.patch
deleted file mode 100644
index da935ce..0000000
--- a/perl-5.23.6-ensure-File-Spec-canonpath-preserves-taint.patch
+++ /dev/null
@@ -1,71 +0,0 @@
-From 0b6f93036de171c12ba95d415e264d9cf7f4e1fd Mon Sep 17 00:00:00 2001
-From: Tony Cook <t...@develop-help.com>
-Date: Tue, 15 Dec 2015 10:56:54 +1100
-Subject: [PATCH] ensure File::Spec::canonpath() preserves taint
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Previously the unix specific XS implementation of canonpath() would
-return an untainted path when supplied a tainted path.
-
-For the empty string case, newSVpvs() already sets taint as needed on
-its result.
-
-This issue was assigned CVE-2015-8607. [perl #126862]
-
-Signed-off-by: Petr Písař <ppi...@redhat.com>
----
- dist/PathTools/Cwd.xs | 1 +
- dist/PathTools/t/taint.t | 19 ++++++++++++++++++-
- 2 files changed, 19 insertions(+), 1 deletion(-)
-
-diff --git a/dist/PathTools/Cwd.xs b/dist/PathTools/Cwd.xs
-index 9d4dcf0..3d018dc 100644
---- a/dist/PathTools/Cwd.xs
-+++ b/dist/PathTools/Cwd.xs
-@@ -535,6 +535,7 @@ THX_unix_canonpath(pTHX_ SV *path)
- *o = 0;
- SvPOK_on(retval);
- SvCUR_set(retval, o - SvPVX(retval));
-+ SvTAINT(retval);
- return retval;
- }
-
-diff --git a/dist/PathTools/t/taint.t b/dist/PathTools/t/taint.t
-index 309b3e5..48f8c5b 100644
---- a/dist/PathTools/t/taint.t
-+++ b/dist/PathTools/t/taint.t
-@@ -12,7 +12,7 @@ use Test::More;
- BEGIN {
- plan(
- ${^TAINT}
-- ? (tests => 17)
-+ ? (tests => 21)
- : (skip_all => "A perl without taint support")
- );
- }
-@@ -34,3 +34,20 @@ foreach my $func (@Functions) {
-
- # Previous versions of Cwd tainted $^O
- is !tainted($^O), 1, "\$^O should not be tainted";
-+
-+{
-+ # [perl #126862] canonpath() loses taint
-+ my $tainted = substr($ENV{PATH}, 0, 0);
-+ # yes, getcwd()'s result should be tainted, and is tested above
-+ # but be sure
-+ ok tainted(File::Spec->canonpath($tainted . Cwd::getcwd)),
-+ "canonpath() keeps taint on non-empty string";
-+ ok tainted(File::Spec->canonpath($tainted)),
-+ "canonpath() keeps taint on empty string";
-+
-+ (Cwd::getcwd() =~ /^(.*)/);
-+ my $untainted = $1;
-+ ok !tainted($untainted), "make sure our untainted value is untainted";
-+ ok !tainted(File::Spec->canonpath($untainted)),
-+ "canonpath() doesn't add taint to untainted string";
-+}
---
-2.5.0
-
diff --git a/perl-PathTools.spec b/perl-PathTools.spec
index 50ceec4..34a777f 100644
--- a/perl-PathTools.spec
+++ b/perl-PathTools.spec
@@ -1,6 +1,6 @@
 Name: perl-PathTools
-Version: 3.60
-Release: 2%{?dist}
+Version: 3.62
+Release: 1%{?dist}
 Summary: PathTools Perl module (Cwd, File::Spec)
 License: (GPL+ or Artistic) and BSD
 Group: Development/Libraries
@@ -8,8 +8,6 @@ URL: http://search.cpan.org/dist/PathTools/
 Source0: http://www.cpan.org/authors/id/R/RJ/RJBS/PathTools-%{version}.tar.gz
 # Disable VMS test (bug #973713)
 Patch0: PathTools-3.47-Disable-VMS-tests.patch
-# Fix CVE-2015-8607 (File::Spec::canonpath() loses tain), bug #1297455
-Patch1: perl-5.23.6-ensure-File-Spec-canonpath-preserves-taint.patch
 BuildRequires: coreutils
 BuildRequires: findutils
 BuildRequires: gcc
@@ -45,7 +43,6 @@ This is the combined distribution for the File::Spec and Cwd modules.
 %prep
 %setup -q -n PathTools-%{version}
 %patch0 -p1
-%patch1 -p3
 # Do not distribute File::Spec::VMS as it works on VMS only (bug #973713)
 rm lib/File/Spec/VMS.pm
@@ -76,6 +73,9 @@ make test
 %{_mandir}/man3/*
 %changelog
+* Tue Jan 12 2016 Petr Pisar <ppi...@redhat.com> - 3.62-1
+- 3.62 bump
+
 * Mon Jan 11 2016 Petr Pisar <ppi...@redhat.com> - 3.60-2
 - Fix CVE-2015-8607 (File::Spec::canonpath() loses tain) (bug #1297455)
diff --git a/sources b/sources
index cee9eef..e37fd65 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-0251a2b9529da8395be7c7a6a1cb400d PathTools-3.60.tar.gz
+bfe148a89064078cf162504c30a4c41a PathTools-3.62.tar.gz
-- cgit v0.11.2 http://pkgs.fedoraproject.org/cgit/perl-PathTools.git/commit/?h=f23&id=c161d7d7375798dbd0cc3e174cd7bfe3e5ad1b2f -- Fedora Extras Perl SIG http://www.fedoraproject.org/wiki/Extras/SIGs/Perl perl-devel mailing list perl-devel@lists.fedoraproject.org http://lists.fedoraproject.org/admin/lists/perl-devel@lists.fedoraproject.org