[Bug 760472] New: Upgrade to new upstream version
Please do not reply directly to this email. All additional comments should be made in the comments box of this bug.

https://bugzilla.redhat.com/show_bug.cgi?id=760472

Summary: Upgrade to new upstream version
Product: Fedora EPEL
Version: el6
Platform: Unspecified
OS/Version: Unspecified
Status: NEW
Severity: unspecified
Priority: unspecified
Component: perl-Directory-Queue
AssignedTo: steve.tray...@cern.ch
ReportedBy: lionel.c...@cern.ch
QAContact: extras...@fedoraproject.org
CC: fedora-perl-devel-l...@redhat.com, steve.tray...@cern.ch
Classification: Fedora
Story Points: ---
Type: ---

The latest version of Directory::Queue on CPAN is now 1.4. This is the version to use everywhere. Please upgrade in EPEL.

--
Configure bugmail: https://bugzilla.redhat.com/userprefs.cgi?tab=email
--- You are receiving this mail because: ---
You are on the CC list for the bug.
--
Fedora Extras Perl SIG
http://www.fedoraproject.org/wiki/Extras/SIGs/Perl
perl-devel mailing list
perl-devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/perl-devel
[perl-PAR-Packer] Poke icon cache
commit 732f3f20607882f269ca2e9c3e34d4f41af0836f Author: Petr Písař ppi...@redhat.com Date: Tue Dec 6 11:17:33 2011 +0100 Poke icon cache perl-PAR-Packer.spec | 18 +- 1 files changed, 17 insertions(+), 1 deletions(-) --- diff --git a/perl-PAR-Packer.spec b/perl-PAR-Packer.spec index 112659b..14beef8 100644 --- a/perl-PAR-Packer.spec +++ b/perl-PAR-Packer.spec @@ -1,6 +1,6 @@ Name: perl-PAR-Packer Version:1.012 -Release:1%{?dist} +Release:2%{?dist} Summary:PAR Packager License:GPL+ or Artistic Group: Development/Libraries @@ -82,6 +82,19 @@ desktop-file-install \ %check make test +# Sctipts needed for icon cache management +%post Tk +/bin/touch --no-create %{_datadir}/icons/hicolor /dev/null || : + +%postun Tk +if [ $1 -eq 0 ] ; then +/bin/touch --no-create %{_datadir}/icons/hicolor /dev/null +/usr/bin/gtk-update-icon-cache %{_datadir}/icons/hicolor /dev/null || : +fi + +%posttrans Tk +/usr/bin/gtk-update-icon-cache %{_datadir}/icons/hicolor /dev/null || : + %files %doc AUTHORS ChangeLog README TODO @@ -102,6 +115,9 @@ make test %changelog +* Tue Dec 06 2011 Petr Pisar ppi...@redhat.com - 1.012-2 +- Poke icon cache + * Mon Dec 05 2011 Petr Pisar ppi...@redhat.com - 1.012-1 - 1.012 bump -- Fedora Extras Perl SIG http://www.fedoraproject.org/wiki/Extras/SIGs/Perl perl-devel mailing list perl-devel@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/perl-devel
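Review bot: In the `%postun Tk` scriptlet the `/bin/touch --no-create %{_datadir}/icons/hicolor` line is the only command in the three added scriptlets without a trailing `|| :`, unlike the identical call in `%post Tk`; add it so a failing touch is ignored the same way everywhere. The added comment above `%post Tk` also misspells "Scripts" as "Sctipts".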
[perl-PAR/f16] Fix CVE-2011-4114
commit b45cffe68b4e5e6f1920e5138b4c04c338b07210 Author: Petr Písař ppi...@redhat.com Date: Thu Dec 1 15:46:19 2011 +0100 Fix CVE-2011-4114 perl-PAR-1.002-CVE-2011-4114.patch | 89 perl-PAR.spec | 10 - 2 files changed, 98 insertions(+), 1 deletions(-) --- diff --git a/perl-PAR-1.002-CVE-2011-4114.patch b/perl-PAR-1.002-CVE-2011-4114.patch new file mode 100644 index 000..4db8a94 --- /dev/null +++ b/perl-PAR-1.002-CVE-2011-4114.patch 
@@ -0,0 +1,89 @@ +Fix CVE-2011-4114 + +From: r1305 | rschupp | 2011-11-28 17:39:44 +0100 (Po, 28 lis 2011) | 7 lines +RT #69560/CVE-2011-4114: PAR packed files are extracted to unsafe and +predictable temporary directories +- create parent of cache directory (i.e. /tmp/par-USER) with mode 0700 +- if it already exists, check that (and bail out if not) + - it's not a symlink + - it's mode 0700 + - it's owned by USER + +Petr Pisar: Message wording adjustment from r1316 is included too. + +Index: lib/PAR/SetupTemp.pm +=== +--- lib/PAR/SetupTemp.pm (revision 1304) lib/PAR/SetupTemp.pm (revision 1305) +@@ -5,6 +5,8 @@ + use strict; + use warnings; + ++use Fcntl ':mode'; ++ + use PAR::SetupProgname; + + =head1 NAME +@@ -42,8 +44,9 @@ + } + + my $stmpdir = _get_par_user_tempdir(); ++die unable to create cache directory unless $stmpdir; ++ + require File::Spec; +-if (defined $stmpdir) { # it'd be quite bad if this was not the case + if (!$ENV{PAR_CLEAN} and my $mtime = (stat($PAR::SetupProgname::Progname))[9]) { + my $ctx = _get_digester(); + +@@ -71,8 +74,7 @@ + } + + $ENV{PAR_TEMP} = $stmpdir; +- mkdir $stmpdir, 0755; +-} # end if found a temp dir ++mkdir $stmpdir, 0700; + + $PARTemp = $1 if defined $ENV{PAR_TEMP} and $ENV{PAR_TEMP} =~ /(.+)/; + } +@@ -98,8 +100,25 @@ + next unless defined $path and -d $path and -w $path; + $temp_path = File::Spec-catdir($path, par-$username); + ($temp_path) = $temp_path =~ /^(.*)$/s; +-mkdir $temp_path, 0755; ++unless (mkdir($temp_path, 0700) || $!{EEXIST}) { ++ warn creation of private subdirectory $temp_path failed (errno=$!); ++ return; ++} + ++unless ($^O eq 'MSWin32') { ++my @st; ++unless (@st = lstat($temp_path)) { ++ warn stat of private subdirectory $temp_path failed (errno=$!); ++ return; ++} ++if (!S_ISDIR($st[2]) ++|| $st[4] != $ ++|| ($st[2] 0777) != 0700 ) { ++ warn private subdirectory $temp_path is unsafe; ++ return; ++} ++} ++ + last; + } + return $temp_path; + + +Index: lib/PAR/SetupTemp.pm +=== +--- lib/PAR/SetupTemp.pm 
(revision 1315) lib/PAR/SetupTemp.pm (revision 1316) +@@ -114,7 +114,7 @@ + if (!S_ISDIR($st[2]) + || $st[4] != $ + || ($st[2] 0777) != 0700 ) { +- warn private subdirectory $temp_path is unsafe; ++ warn private subdirectory $temp_path is unsafe (please remove it and retry your operation); + return; + } + } diff --git a/perl-PAR.spec b/perl-PAR.spec index 1c98bed..23a6f2a 100644 --- a/perl-PAR.spec +++ b/perl-PAR.spec @@ -1,11 +1,13 @@ Name: perl-PAR Version:1.002 -Release:4%{?dist} +Release:5%{?dist} Summary:Perl Archive Toolkit License:GPL+ or Artistic Group: Development/Libraries URL:http://search.cpan.org/dist/PAR/ Source0: http://www.cpan.org/authors/id/S/SM/SMUELLER/PAR-%{version}.tar.gz +# Fix CVE-2011-4114, bug #760132, included in upstream 1.004. +Patch0: perl-PAR-1.002-CVE-2011-4114.patch BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) BuildArch: noarch BuildRequires: perl(Archive::Zip) = 1 @@ -23,6 +25,7 @@ libraries from which Perl modules can be loaded. %prep %setup -q -n PAR-%{version} +%patch0 -p0 %build %{__perl} Makefile.PL INSTALLDIRS=vendor @@ -39,7 +42,9 @@ find $RPM_BUILD_ROOT -depth -type d -exec rmdir {} 2/dev/null \; %{_fixperms} $RPM_BUILD_ROOT/* %check +export TEMP=$(mktemp -d) make test +rm -rf $TEMP %clean rm -rf $RPM_BUILD_ROOT @@ -51,6 +56,9 @@ rm -rf $RPM_BUILD_ROOT %{_mandir}/man3/* %changelog +* Thu Dec 01 2011 Petr Pisar ppi...@redhat.com - 1.002-5 +- Fix CVE-2011-4114 (insecure temporary directory handling) (bug #760132) + * Tue Jul 19 2011 Petr Sabata con...@redhat.com - 1.002-4 - Perl mass rebuild -- Fedora Extras Perl SIG http://www.fedoraproject.org/wiki/Extras/SIGs/Perl perl-devel mailing list perl-devel@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/perl-devel
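Review bot: In the `@@ -98,8 +100,25 @@` hunk of lib/PAR/SetupTemp.pm the whole lstat validation sits inside `unless ($^O eq 'MSWin32')`, so on Windows an already existing `par-$username` directory is accepted after `$!{EEXIST}` with no type or ownership check. If that is intended, say so in a comment next to the condition. Every rejection path also ends in `warn ...; return;`, after which the caller dies with `unable to create cache directory`, which is misleading when the directory exists but was refused as unsafe; a distinct message for that case would help whoever has to act on it.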
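Review bot: In the `%check` hunk of perl-PAR.spec, `rm -rf $TEMP` is reached only when `make test` succeeds, because rpm runs build scriptlets with `sh -e`, so a failing test run leaves the `mktemp -d` directory behind; `$TEMP` is also unquoted in the `rm -rf`. Quote the variable, register the cleanup before the tests run (a `trap` on EXIT would do), and add a comment saying why the test suite needs a private `TEMP`.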
[perl-PAR/f15] Fix CVE-2011-4114
commit 29555072e8e22a681a67c4046d2dd76a1e0eac27 Author: Petr Písař ppi...@redhat.com Date: Thu Dec 1 15:46:19 2011 +0100 Fix CVE-2011-4114 perl-PAR-1.002-CVE-2011-4114.patch | 89 perl-PAR.spec | 10 - 2 files changed, 98 insertions(+), 1 deletions(-) --- diff --git a/perl-PAR-1.002-CVE-2011-4114.patch b/perl-PAR-1.002-CVE-2011-4114.patch new file mode 100644 index 000..4db8a94 --- /dev/null +++ b/perl-PAR-1.002-CVE-2011-4114.patch 
@@ -0,0 +1,89 @@ +Fix CVE-2011-4114 + +From: r1305 | rschupp | 2011-11-28 17:39:44 +0100 (Po, 28 lis 2011) | 7 lines +RT #69560/CVE-2011-4114: PAR packed files are extracted to unsafe and +predictable temporary directories +- create parent of cache directory (i.e. /tmp/par-USER) with mode 0700 +- if it already exists, check that (and bail out if not) + - it's not a symlink + - it's mode 0700 + - it's owned by USER + +Petr Pisar: Message wording adjustment from r1316 is included too. + +Index: lib/PAR/SetupTemp.pm +=== +--- lib/PAR/SetupTemp.pm (revision 1304) lib/PAR/SetupTemp.pm (revision 1305) +@@ -5,6 +5,8 @@ + use strict; + use warnings; + ++use Fcntl ':mode'; ++ + use PAR::SetupProgname; + + =head1 NAME +@@ -42,8 +44,9 @@ + } + + my $stmpdir = _get_par_user_tempdir(); ++die unable to create cache directory unless $stmpdir; ++ + require File::Spec; +-if (defined $stmpdir) { # it'd be quite bad if this was not the case + if (!$ENV{PAR_CLEAN} and my $mtime = (stat($PAR::SetupProgname::Progname))[9]) { + my $ctx = _get_digester(); + +@@ -71,8 +74,7 @@ + } + + $ENV{PAR_TEMP} = $stmpdir; +- mkdir $stmpdir, 0755; +-} # end if found a temp dir ++mkdir $stmpdir, 0700; + + $PARTemp = $1 if defined $ENV{PAR_TEMP} and $ENV{PAR_TEMP} =~ /(.+)/; + } +@@ -98,8 +100,25 @@ + next unless defined $path and -d $path and -w $path; + $temp_path = File::Spec-catdir($path, par-$username); + ($temp_path) = $temp_path =~ /^(.*)$/s; +-mkdir $temp_path, 0755; ++unless (mkdir($temp_path, 0700) || $!{EEXIST}) { ++ warn creation of private subdirectory $temp_path failed (errno=$!); ++ return; ++} + ++unless ($^O eq 'MSWin32') { ++my @st; ++unless (@st = lstat($temp_path)) { ++ warn stat of private subdirectory $temp_path failed (errno=$!); ++ return; ++} ++if (!S_ISDIR($st[2]) ++|| $st[4] != $ ++|| ($st[2] 0777) != 0700 ) { ++ warn private subdirectory $temp_path is unsafe; ++ return; ++} ++} ++ + last; + } + return $temp_path; + + +Index: lib/PAR/SetupTemp.pm +=== +--- lib/PAR/SetupTemp.pm 
(revision 1315) lib/PAR/SetupTemp.pm (revision 1316) +@@ -114,7 +114,7 @@ + if (!S_ISDIR($st[2]) + || $st[4] != $ + || ($st[2] 0777) != 0700 ) { +- warn private subdirectory $temp_path is unsafe; ++ warn private subdirectory $temp_path is unsafe (please remove it and retry your operation); + return; + } + } diff --git a/perl-PAR.spec b/perl-PAR.spec index 4b1d46f..f426506 100644 --- a/perl-PAR.spec +++ b/perl-PAR.spec @@ -1,11 +1,13 @@ Name: perl-PAR Version:1.002 -Release:3%{?dist} +Release:4%{?dist} Summary:Perl Archive Toolkit License:GPL+ or Artistic Group: Development/Libraries URL:http://search.cpan.org/dist/PAR/ Source0: http://www.cpan.org/authors/id/S/SM/SMUELLER/PAR-%{version}.tar.gz +# Fix CVE-2011-4114, bug #760132, included in upstream 1.004. +Patch0: perl-PAR-1.002-CVE-2011-4114.patch BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) BuildArch: noarch BuildRequires: perl(Archive::Zip) = 1 @@ -23,6 +25,7 @@ libraries from which Perl modules can be loaded. %prep %setup -q -n PAR-%{version} +%patch0 -p0 %build %{__perl} Makefile.PL INSTALLDIRS=vendor @@ -39,7 +42,9 @@ find $RPM_BUILD_ROOT -depth -type d -exec rmdir {} 2/dev/null \; %{_fixperms} $RPM_BUILD_ROOT/* %check +export TEMP=$(mktemp -d) make test +rm -rf $TEMP %clean rm -rf $RPM_BUILD_ROOT @@ -51,6 +56,9 @@ rm -rf $RPM_BUILD_ROOT %{_mandir}/man3/* %changelog +* Thu Dec 01 2011 Petr Pisar ppi...@redhat.com - 1.002-4 +- Fix CVE-2011-4114 (insecure temporary directory handling) (bug #760132) + * Tue Feb 08 2011 Fedora Release Engineering rel-...@lists.fedoraproject.org - 1.002-3 - Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild -- Fedora Extras Perl SIG http://www.fedoraproject.org/wiki/Extras/SIGs/Perl perl-devel mailing list perl-devel@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/perl-devel
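Review bot: In the `@@ -71,8 +74,7 @@` hunk the new `mkdir $stmpdir, 0700;` still ignores its return value, while the parent directory built in the `@@ -98,8 +100,25 @@` hunk now gets a checked `mkdir` plus an lstat validation. If the 0700 parent is what is relied on to protect this directory, state that in a comment so the asymmetry reads as deliberate; otherwise check the result the same way as the parent (`mkdir(...) || $!{EEXIST}`) and fail loudly.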
[perl-PAR/f14] Fix CVE-2011-4114
commit e9c31e5fe012574693edcec484ad502c46db34a2 Author: Petr Písař ppi...@redhat.com Date: Thu Dec 1 15:46:19 2011 +0100 Fix CVE-2011-4114 perl-PAR-1.002-CVE-2011-4114.patch | 89 perl-PAR.spec | 10 - 2 files changed, 98 insertions(+), 1 deletions(-) --- diff --git a/perl-PAR-1.002-CVE-2011-4114.patch b/perl-PAR-1.002-CVE-2011-4114.patch new file mode 100644 index 000..4db8a94 --- /dev/null +++ b/perl-PAR-1.002-CVE-2011-4114.patch 
@@ -0,0 +1,89 @@ +Fix CVE-2011-4114 + +From: r1305 | rschupp | 2011-11-28 17:39:44 +0100 (Po, 28 lis 2011) | 7 lines +RT #69560/CVE-2011-4114: PAR packed files are extracted to unsafe and +predictable temporary directories +- create parent of cache directory (i.e. /tmp/par-USER) with mode 0700 +- if it already exists, check that (and bail out if not) + - it's not a symlink + - it's mode 0700 + - it's owned by USER + +Petr Pisar: Message wording adjustment from r1316 is included too. + +Index: lib/PAR/SetupTemp.pm +=== +--- lib/PAR/SetupTemp.pm (revision 1304) lib/PAR/SetupTemp.pm (revision 1305) +@@ -5,6 +5,8 @@ + use strict; + use warnings; + ++use Fcntl ':mode'; ++ + use PAR::SetupProgname; + + =head1 NAME +@@ -42,8 +44,9 @@ + } + + my $stmpdir = _get_par_user_tempdir(); ++die unable to create cache directory unless $stmpdir; ++ + require File::Spec; +-if (defined $stmpdir) { # it'd be quite bad if this was not the case + if (!$ENV{PAR_CLEAN} and my $mtime = (stat($PAR::SetupProgname::Progname))[9]) { + my $ctx = _get_digester(); + +@@ -71,8 +74,7 @@ + } + + $ENV{PAR_TEMP} = $stmpdir; +- mkdir $stmpdir, 0755; +-} # end if found a temp dir ++mkdir $stmpdir, 0700; + + $PARTemp = $1 if defined $ENV{PAR_TEMP} and $ENV{PAR_TEMP} =~ /(.+)/; + } +@@ -98,8 +100,25 @@ + next unless defined $path and -d $path and -w $path; + $temp_path = File::Spec-catdir($path, par-$username); + ($temp_path) = $temp_path =~ /^(.*)$/s; +-mkdir $temp_path, 0755; ++unless (mkdir($temp_path, 0700) || $!{EEXIST}) { ++ warn creation of private subdirectory $temp_path failed (errno=$!); ++ return; ++} + ++unless ($^O eq 'MSWin32') { ++my @st; ++unless (@st = lstat($temp_path)) { ++ warn stat of private subdirectory $temp_path failed (errno=$!); ++ return; ++} ++if (!S_ISDIR($st[2]) ++|| $st[4] != $ ++|| ($st[2] 0777) != 0700 ) { ++ warn private subdirectory $temp_path is unsafe; ++ return; ++} ++} ++ + last; + } + return $temp_path; + + +Index: lib/PAR/SetupTemp.pm +=== +--- lib/PAR/SetupTemp.pm 
(revision 1315) lib/PAR/SetupTemp.pm (revision 1316) +@@ -114,7 +114,7 @@ + if (!S_ISDIR($st[2]) + || $st[4] != $ + || ($st[2] 0777) != 0700 ) { +- warn private subdirectory $temp_path is unsafe; ++ warn private subdirectory $temp_path is unsafe (please remove it and retry your operation); + return; + } + } diff --git a/perl-PAR.spec b/perl-PAR.spec index fa7d29d..9d42f87 100644 --- a/perl-PAR.spec +++ b/perl-PAR.spec @@ -1,11 +1,13 @@ Name: perl-PAR Version:1.000 -Release:2%{?dist} +Release:3%{?dist} Summary:Perl Archive Toolkit License:GPL+ or Artistic Group: Development/Libraries URL:http://search.cpan.org/dist/PAR/ Source0: http://www.cpan.org/authors/id/S/SM/SMUELLER/PAR-%{version}.tar.gz +# Fix CVE-2011-4114, bug #760132, included in upstream 1.004. +Patch0: perl-PAR-1.002-CVE-2011-4114.patch BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) BuildArch: noarch BuildRequires: perl(Archive::Zip) = 1 @@ -23,6 +25,7 @@ libraries from which Perl modules can be loaded. %prep %setup -q -n PAR-%{version} +%patch0 -p0 %build %{__perl} Makefile.PL INSTALLDIRS=vendor @@ -39,7 +42,9 @@ find $RPM_BUILD_ROOT -depth -type d -exec rmdir {} 2/dev/null \; %{_fixperms} $RPM_BUILD_ROOT/* %check +export TEMP=$(mktemp -d) make test +rm -rf $TEMP %clean rm -rf $RPM_BUILD_ROOT @@ -51,6 +56,9 @@ rm -rf $RPM_BUILD_ROOT %{_mandir}/man3/* %changelog +* Thu Dec 01 2011 Petr Pisar ppi...@redhat.com - 1.000-3 +- Fix CVE-2011-4114 (insecure temporary directory handling) (bug #760132) + * Tue Aug 24 2010 Adam Tkac atkac redhat com - 1.000-2 - rebuild -- Fedora Extras Perl SIG http://www.fedoraproject.org/wiki/Extras/SIGs/Perl perl-devel mailing list perl-devel@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/perl-devel
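Review bot: The perl-PAR.spec hunk for this branch keeps `Version:1.000` but adds `Patch0: perl-PAR-1.002-CVE-2011-4114.patch`, a patch named for 1.002. `%patch0 -p0` will apply it with whatever offset or fuzz patch(1) finds, so either regenerate and rename the patch against the 1.000 sources or extend the `# Fix CVE-2011-4114, bug #760132` comment to record that the 1.002 patch was checked to apply cleanly to 1.000.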
[perl-PAR-Packer/f16] Fix CVE-2011-4114
commit caf5df098adb318c914803819bd550b6c2c17ab6 Author: Petr Písař ppi...@redhat.com Date: Tue Dec 6 15:11:15 2011 +0100 Fix CVE-2011-4114 perl-PAR-Packer-1.010-CVE-2011-4114.patch | 84 + perl-PAR-Packer.spec |8 +++- 2 files changed, 91 insertions(+), 1 deletions(-) --- diff --git a/perl-PAR-Packer-1.010-CVE-2011-4114.patch b/perl-PAR-Packer-1.010-CVE-2011-4114.patch new file mode 100644 index 000..b951322 --- /dev/null +++ b/perl-PAR-Packer-1.010-CVE-2011-4114.patch 
@@ -0,0 +1,84 @@ +From 9aa3d40e0b24bbd3dfa5d51198ffc289fa901c9f Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= ppi...@redhat.com +Date: Tue, 6 Dec 2011 14:22:04 +0100 +Subject: [PATCH] Fix CVE-2011-4114 ported for 1.010. + +From: r1296 | rschupp | 2011-11-14 21:01:18 +0100 (Po, 14 lis 2011) | 11 lines + +myldr/mktmpdir.c: +- (par_mktmpdir) CVE-2011-4114: + - create parent of cache directory (i.e. /tmp/par-USER) with mode 0700 + - if it already exists, check that (and bail out if not) +- it's not a symlink +- it's mode 0700 +- it's owned by USER + +NOTE: PAR contains a copy of par_mktmpdir (in Perl); this +must be fixed as well and we must require the fixed version. + +Adjusted error message from r1313 is included. +--- + myldr/mktmpdir.c | 38 +++--- + 1 files changed, 35 insertions(+), 3 deletions(-) + +diff --git a/myldr/mktmpdir.c b/myldr/mktmpdir.c +index 6699831..2293268 100644 +--- a/myldr/mktmpdir.c b/myldr/mktmpdir.c +@@ -161,10 +161,42 @@ char *par_mktmpdir ( char **argv ) { +stmpdir2 is the top $TEMP/par-$USER, needed to build stmpdir. We +need 2 buffers because snprintf() can't write to a buffer it's +reading from. 
*/ +-stmpdir = malloc( stmp_len ); + stmpdir2 = malloc( stmp_len ); + sprintf(stmpdir2, %s%s%s%s, tmpdir, dir_sep, subdirbuf_prefix, username); +-my_mkdir(stmpdir2, 0755); ++#ifdef WIN32 ++_mkdir(stmpdir2); /* FIXME bail if error (other than EEXIST) */ ++#else ++{ ++struct stat st; ++ ++if (mkdir(stmpdir2, 0700) == -1 errno != EEXIST) { ++fprintf(stderr, %s: creation of private subdirectory %s failed (errno=%i)\n, ++argv[0], stmpdir2, errno); ++return NULL; ++} ++ ++/* now check that: ++ * - stmpdir2 is a directory (and not a symlink) ++ * - stmpdir2 is owned by the user ++ * - stmpdir2 has mode 0700 ++ */ ++if (lstat(stmpdir2, st) == -1) { ++fprintf(stderr, %s: stat of private subdirectory %s failed (errno=%i)\n, ++argv[0], stmpdir2, errno); ++return NULL; ++} ++ ++if (!S_ISDIR(st.st_mode) ++|| st.st_uid != getuid() ++|| (st.st_mode 0777) != 0700 ) { ++fprintf(stderr, %s: private subdirectory %s is unsafe (please remove it and retry your operation)\n, ++argv[0], stmpdir2); ++return NULL; ++} ++} ++#endif ++ ++stmpdir = malloc( stmp_len ); + + /* Doesn't really work - XXX */ + val = par_getenv( PATH ); +@@ -250,7 +282,7 @@ char *par_mktmpdir ( char **argv ) { +a prior invocation crashed leaving garbage in a temp directory that +might interfere. */ + +-while (my_mkdir(stmpdir, 0755) == -1 errno == EEXIST) { ++while (my_mkdir(stmpdir, 0700) == -1 errno == EEXIST) { + sprintf( + stmpdir, + %s%stemp-%u-%u%s, +-- +1.7.7.4 + diff --git a/perl-PAR-Packer.spec b/perl-PAR-Packer.spec index a3299c1..9d00be7 100644 --- a/perl-PAR-Packer.spec +++ b/perl-PAR-Packer.spec 
@@ -1,11 +1,13 @@ Name: perl-PAR-Packer Version:1.010 -Release:2%{?dist} +Release:3%{?dist} Summary:PAR Packager License:GPL+ or Artistic Group: Development/Libraries URL:http://search.cpan.org/dist/PAR-Packer/ Source0: http://www.cpan.org/authors/id/R/RS/RSCHUPP/PAR-Packer-%{version}.tar.gz +# Fix CVE-2011-4114, bug #753957, included in upstream 1.011. +Patch0: perl-PAR-Packer-1.010-CVE-2011-4114.patch BuildRequires: perl(Archive::Zip) = 1 BuildRequires: perl(Compress::Zlib) = 1.3 BuildRequires: perl(ExtUtils::MakeMaker) @@ -24,6 +26,7 @@ stand-alone executables, perl scripts and PAR files. %prep %setup -q -n PAR-Packer-%{version} +%patch0 -p1 %build # DEBUG variable needed to disable stripping binary @@ -58,6 +61,9 @@ export PAR_GLOBAL_TEMP=/var/tmp %{_mandir}/man3/* %changelog +* Tue Dec 06 2011 Petr Pisar ppi...@redhat.com - 1.010-3 +- Fix CVE-2011-4114 (insecure temporary directory handling) (bug #753957) + * Tue Jul 19 2011 Petr Sabata con...@redhat.com - 1.010-2 - Perl mass rebuild -- Fedora Extras Perl SIG http://www.fedoraproject.org/wiki/Extras/SIGs/Perl perl-devel mailing list
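Review bot: In the `@@ -161,10 +161,42 @@` hunk of myldr/mktmpdir.c the `#ifdef WIN32` branch calls `_mkdir(stmpdir2);` and discards the result, leaving only a `FIXME bail if error (other than EEXIST)` comment, so on that platform an existing directory is used without any of the three checks the `#else` branch performs. Either implement the bail-out or document why the checks do not apply there. In the `#else` branch each `return NULL` leaves the `stmpdir2` buffer allocated just above unfreed; free it before returning, and confirm that callers of `par_mktmpdir` handle a NULL result.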
[Bug 753955] CVE-2011-4114 perl-PAR-Packer: insecure temporary directory handling
https://bugzilla.redhat.com/show_bug.cgi?id=753955

--- Comment #9 from Petr Pisar ppi...@redhat.com 2011-12-06 09:23:39 EST ---

How to test:

Create /tmp/par-$(USER) directory with 0777 mode (or owned by different user, or create another user's symlink).
Create a PAR archive from a perl script (pp --par SCRIPT).
Test perl-PAR by running `perl -MPAR=./a.par SCRIPT'.
Test perl-PAR-Packer by running `parl ./a.par'.

For unknown reason, you might need perl-PAR-Packer to get running SCRIPT from ./a.par by -MPAR=.
For unknown reason, old parl might not work because of perl version mismatch. (This becomes fixed after rebuilding old perl-PAR-Packer against current perl.)
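The unsafe states named in Comment #9 (a 0777 directory, a foreign owner, a symlink) can be audited with the same three conditions the CVE-2011-4114 fix enforces on the per-user cache parent. The script below is an added example, not part of the bug comment or of PAR; the function names and the scratch layout are hypothetical, and it assumes GNU `stat -c`.

```shell
#!/bin/sh
# Added example: audit a per-user PAR cache parent (e.g. /tmp/par-USER)
# against the conditions listed in the fix: real directory (not a symlink),
# owned by the user, mode 0700. Names here are hypothetical.

# par_dir_verdict DIR [UID]
# Prints one verdict: ok, symlink, missing, not-a-directory, wrong-owner,
# wrong-mode. Returns 0 only for "ok". UID defaults to the caller's uid.
par_dir_verdict() {
    dir=$1
    want_uid=${2:-$(id -u)}

    # Test -L first: [ -d ] and [ -e ] follow symlinks, and the fix uses
    # lstat() precisely so that a link to a valid directory is rejected.
    if [ -L "$dir" ]; then echo symlink; return 1; fi
    if [ ! -e "$dir" ]; then echo missing; return 1; fi
    if [ ! -d "$dir" ]; then echo not-a-directory; return 1; fi

    # stat without -L does not dereference; %u = owner uid, %a = octal mode.
    owner=$(stat -c '%u' -- "$dir") || { echo missing; return 1; }
    mode=$(stat -c '%a' -- "$dir") || { echo missing; return 1; }

    if [ "$owner" -ne "$want_uid" ]; then echo wrong-owner; return 1; fi

    # Same mask as the patch: only the permission bits are compared, so
    # sticky/setgid bits are ignored and anything but rwx------ fails.
    if [ $(( 0$mode & 0777 )) -ne $(( 0700 )) ]; then
        echo wrong-mode; return 1
    fi
    echo ok
}

# par_dir_demo
# Builds constructed sample directories in a private scratch area (never in
# the shared /tmp/par-USER location itself) and prints NAME=VERDICT lines.
par_dir_demo() {
    scratch=$(mktemp -d) || return 1

    mkdir "$scratch/par-good" && chmod 0700 "$scratch/par-good"
    mkdir "$scratch/par-open" && chmod 0777 "$scratch/par-open"
    ln -s "$scratch/par-good" "$scratch/par-link"
    : > "$scratch/par-file"

    for name in par-good par-open par-link par-file par-absent; do
        verdict=$(par_dir_verdict "$scratch/$name") || :
        printf '%s=%s\n' "$name" "$verdict"
    done

    # A foreign owner cannot be created without root, so audit the good
    # directory on behalf of a different (constructed) uid instead.
    other_uid=$(( $(id -u) + 1 ))
    verdict=$(par_dir_verdict "$scratch/par-good" "$other_uid") || :
    printf 'par-good-as-other-uid=%s\n' "$verdict"

    rm -rf "$scratch"
}

par_dir_demo
```

To audit a real host, call `par_dir_verdict "/tmp/par-$USER"` for the account in question; any verdict other than `ok` or `missing` corresponds to the "is unsafe" rejection in the patched code.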
[Bug 760132] CVE-2011-4114 perl-PAR-Packer: insecure temporary directory handling [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=760132

--- Comment #4 from Fedora Update System upda...@fedoraproject.org 2011-12-06 10:03:22 EST ---

perl-PAR-1.002-4.fc15,perl-PAR-Packer-1.008-4.fc15 has been submitted as an update for Fedora 15.
https://admin.fedoraproject.org/updates/perl-PAR-1.002-4.fc15,perl-PAR-Packer-1.008-4.fc15
[Bug 760132] CVE-2011-4114 perl-PAR-Packer: insecure temporary directory handling [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=760132

--- Comment #3 from Fedora Update System upda...@fedoraproject.org 2011-12-06 10:01:15 EST ---

perl-PAR-1.002-5.fc16,perl-PAR-Packer-1.010-3.fc16 has been submitted as an update for Fedora 16.
https://admin.fedoraproject.org/updates/perl-PAR-1.002-5.fc16,perl-PAR-Packer-1.010-3.fc16
[Bug 753957] CVE-2011-4114 perl-PAR-Packer: insecure temporary directory handling [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=753957

--- Comment #2 from Fedora Update System upda...@fedoraproject.org 2011-12-06 10:01:22 EST ---

perl-PAR-1.002-5.fc16,perl-PAR-Packer-1.010-3.fc16 has been submitted as an update for Fedora 16.
https://admin.fedoraproject.org/updates/perl-PAR-1.002-5.fc16,perl-PAR-Packer-1.010-3.fc16
[Bug 760132] CVE-2011-4114 perl-PAR-Packer: insecure temporary directory handling [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=760132

--- Comment #5 from Fedora Update System upda...@fedoraproject.org 2011-12-06 10:04:01 EST ---

perl-PAR-1.000-3.fc14,perl-PAR-Packer-1.005-4.fc14 has been submitted as an update for Fedora 14.
https://admin.fedoraproject.org/updates/perl-PAR-1.000-3.fc14,perl-PAR-Packer-1.005-4.fc14
[Bug 753957] CVE-2011-4114 perl-PAR-Packer: insecure temporary directory handling [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=753957

--- Comment #4 from Fedora Update System upda...@fedoraproject.org 2011-12-06 10:04:06 EST ---

perl-PAR-1.000-3.fc14,perl-PAR-Packer-1.005-4.fc14 has been submitted as an update for Fedora 14.
https://admin.fedoraproject.org/updates/perl-PAR-1.000-3.fc14,perl-PAR-Packer-1.005-4.fc14
[Bug 753957] CVE-2011-4114 perl-PAR-Packer: insecure temporary directory handling [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=753957

--- Comment #3 from Fedora Update System upda...@fedoraproject.org 2011-12-06 10:03:28 EST ---

perl-PAR-1.002-4.fc15,perl-PAR-Packer-1.008-4.fc15 has been submitted as an update for Fedora 15.
https://admin.fedoraproject.org/updates/perl-PAR-1.002-4.fc15,perl-PAR-Packer-1.008-4.fc15
Re: perl-Env-C: review and sponsor request
On 12/02/2011 04:34 PM, Jan Kasprzak wrote:
> Hello, Fedora Perl developers!
>
> I use both Perl and Fedora extensively at work, and I have decided that we should try to migrate from locally-compiled Perl to the Perl from Fedora. This includes building all the CPAN modules we depend on as RPMs.
>
> So far I have about 10 CPAN modules packaged and buildable in mock, and checked with rpmlint (no errors, some bogus spelling warnings). I want to contribute these packages to Fedora.
>
> In order to learn the whole packaging process, I have decided to start with one package, Env::C. The review request is here:
>
> https://bugzilla.redhat.com/show_bug.cgi?id=757156
>
> The other packages I have are the following:
>
> Authen::DecHpwd
> Authen::PassPhrase
> Crypt::MySQL
> Crypt::UnixCrypt_XS
> Data::Entropy
> Data::Float
> Data::Integer
> DBD::ODBC
> IO::Socket::Multicast
> Scalar::String
> TeX::Encode
>
> I plan to create review requests for these packages after getting the first module (Env::C) to Fedora.
>
> Sincerely,
>
> -Jan Kasprzak

Welcome to Perl packaging for Fedora.

Paul (one of the sponsors) was already looking at your review, but because of the license it could take more time. Could you prepare something else from your list? It might be faster to get sponsored on other reviews if this got stalled.

Best regards,
Marcela Mašláňová
BaseOS team Brno
Re: perl-Env-C: review and sponsor request
Marcela Mašláňová wrote:
: On 12/02/2011 04:34 PM, Jan Kasprzak wrote:
: Welcome to Perl packaging for Fedora.
:
: Paul (one of sponsors) was already looking at your review, but because
: of license it could take more time. Could you prepare something else
: from your list? It might be faster to get sponsored on other reviews if
: this got stalled.

Yes. I have uploaded all the .specs and src.rpms I have to http://www.fi.muni.cz/~kas/tmp/fedora-packages/. I can submit a review request for some of them (do you want to pick up one or two?).

There are two problems with the above packages:

1) the directory ownership of %perl_vendorarch, which cpanspec generates differently than required by Packaging guidelines (see https://bugzilla.redhat.com/show_bug.cgi?id=757156#c1 for details). I will fix it tomorrow.

2) some of the packages from this batch depend on others (I think Authen::Passphrase is the topmost one), so in order to build them in mock, either a separate yum repository for these packages has to be created, or they have to be installed into mock chroot and mock --no-clean should be used.

I think perl-TeX-Encode and perl-IO-Socket-Multicast are standalone packages.

Thanks,

-Yenya

--
| Jan Yenya Kasprzak kas at {fi.muni.cz - work | yenya.net - private} |
| GPG: ID 1024/D3498839 Fingerprint 0D99A7FB206605D7 8B35FCDE05B18A5E |
| http://www.fi.muni.cz/~kas/ Journal: http://www.fi.muni.cz/~kas/blog/ |
Please don't top post and in particular don't attach entire digests to your mail or we'll all soon be using bittorrent to read the list. --Alan Cox