[Bug 760472] New: Upgrade to new upstream version

2011-12-06 Thread bugzilla
Please do not reply directly to this email. All additional
comments should be made in the comments box of this bug.

Summary: Upgrade to new upstream version

https://bugzilla.redhat.com/show_bug.cgi?id=760472

   Summary: Upgrade to new upstream version
   Product: Fedora EPEL
   Version: el6
  Platform: Unspecified
OS/Version: Unspecified
Status: NEW
  Severity: unspecified
  Priority: unspecified
 Component: perl-Directory-Queue
AssignedTo: steve.tray...@cern.ch
ReportedBy: lionel.c...@cern.ch
 QAContact: extras...@fedoraproject.org
CC: fedora-perl-devel-l...@redhat.com,
steve.tray...@cern.ch
Classification: Fedora
  Story Points: ---
  Type: ---


The latest version of Directory::Queue on CPAN is now 1.4.

This is the version to use everywhere. Please upgrade in EPEL.

-- 
Configure bugmail: https://bugzilla.redhat.com/userprefs.cgi?tab=email
--- You are receiving this mail because: ---
You are on the CC list for the bug.
--
Fedora Extras Perl SIG
http://www.fedoraproject.org/wiki/Extras/SIGs/Perl
perl-devel mailing list
perl-devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/perl-devel

[perl-PAR-Packer] Poke icon cache

2011-12-06 Thread Petr Pisar
commit 732f3f20607882f269ca2e9c3e34d4f41af0836f
Author: Petr Písař ppi...@redhat.com
Date:   Tue Dec 6 11:17:33 2011 +0100

Poke icon cache

 perl-PAR-Packer.spec |   18 +-
 1 files changed, 17 insertions(+), 1 deletions(-)
---
diff --git a/perl-PAR-Packer.spec b/perl-PAR-Packer.spec
index 112659b..14beef8 100644
--- a/perl-PAR-Packer.spec
+++ b/perl-PAR-Packer.spec
@@ -1,6 +1,6 @@
 Name:   perl-PAR-Packer
 Version:1.012
-Release:1%{?dist}
+Release:2%{?dist}
 Summary:PAR Packager
 License:GPL+ or Artistic
 Group:  Development/Libraries
@@ -82,6 +82,19 @@ desktop-file-install \
 %check
 make test
 
+# Sctipts needed for icon cache management
+%post Tk
+/bin/touch --no-create %{_datadir}/icons/hicolor /dev/null || :
+
+%postun Tk
+if [ $1 -eq 0 ] ; then
+/bin/touch --no-create %{_datadir}/icons/hicolor /dev/null
+/usr/bin/gtk-update-icon-cache %{_datadir}/icons/hicolor /dev/null || :
+fi
+
+%posttrans Tk
+/usr/bin/gtk-update-icon-cache %{_datadir}/icons/hicolor /dev/null || :
+
 
 %files
 %doc AUTHORS ChangeLog README TODO
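Review bot: the redirections in the new scriptlets look incomplete as shown. `/bin/touch --no-create %{_datadir}/icons/hicolor /dev/null || :` passes /dev/null as a second path argument rather than redirecting output, and both `gtk-update-icon-cache` lines read the same way; the usual Fedora icon-cache scriptlet uses `&>/dev/null`, so confirm the ampersands were not lost before this was committed. The comment typo `Sctipts` should read `Scripts`. The `%postun` guard `if [ $1 -eq 0 ]` correctly limits the cache refresh to a full removal (not an upgrade), and `%posttrans` covers the install/upgrade case.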
@@ -102,6 +115,9 @@ make test
 
 
 %changelog
+* Tue Dec 06 2011 Petr Pisar ppi...@redhat.com - 1.012-2
+- Poke icon cache
+
 * Mon Dec 05 2011 Petr Pisar ppi...@redhat.com - 1.012-1
 - 1.012 bump
 

[perl-PAR/f16] Fix CVE-2011-4114

2011-12-06 Thread Petr Pisar
commit b45cffe68b4e5e6f1920e5138b4c04c338b07210
Author: Petr Písař ppi...@redhat.com
Date:   Thu Dec 1 15:46:19 2011 +0100

Fix CVE-2011-4114

 perl-PAR-1.002-CVE-2011-4114.patch |   89 
 perl-PAR.spec  |   10 -
 2 files changed, 98 insertions(+), 1 deletions(-)
---
diff --git a/perl-PAR-1.002-CVE-2011-4114.patch 
b/perl-PAR-1.002-CVE-2011-4114.patch
new file mode 100644
index 000..4db8a94
--- /dev/null
+++ b/perl-PAR-1.002-CVE-2011-4114.patch
@@ -0,0 +1,89 @@
+Fix CVE-2011-4114
+
+From: r1305 | rschupp | 2011-11-28 17:39:44 +0100 (Po, 28 lis 2011) | 7 lines
+RT #69560/CVE-2011-4114: PAR packed files are extracted to unsafe and
+predictable temporary directories
+- create parent of cache directory (i.e. /tmp/par-USER) with mode 0700
+- if it already exists, check that (and bail out if not)
+  - it's not a symlink
+  - it's mode 0700
+  - it's owned by USER
+
+Petr Pisar: Message wording adjustment from r1316 is included too.
+
+Index: lib/PAR/SetupTemp.pm
+===
+--- lib/PAR/SetupTemp.pm   (revision 1304)
 lib/PAR/SetupTemp.pm   (revision 1305)
+@@ -5,6 +5,8 @@
+ use strict;
+ use warnings;
+ 
++use Fcntl ':mode';
++
+ use PAR::SetupProgname;
+ 
+ =head1 NAME
+@@ -42,8 +44,9 @@
+ }
+ 
+ my $stmpdir = _get_par_user_tempdir();
++die unable to create cache directory unless $stmpdir;
++
+ require File::Spec;
+-if (defined $stmpdir) { # it'd be quite bad if this was not the case
+   if (!$ENV{PAR_CLEAN} and my $mtime = 
(stat($PAR::SetupProgname::Progname))[9]) {
+   my $ctx = _get_digester();
+ 
+@@ -71,8 +74,7 @@
+   }
+ 
+   $ENV{PAR_TEMP} = $stmpdir;
+-  mkdir $stmpdir, 0755;
+-} # end if found a temp dir
++mkdir $stmpdir, 0700;
+ 
+ $PARTemp = $1 if defined $ENV{PAR_TEMP} and $ENV{PAR_TEMP} =~ /(.+)/;
+ }
+@@ -98,8 +100,25 @@
+ next unless defined $path and -d $path and -w $path;
+ $temp_path = File::Spec-catdir($path, par-$username);
+ ($temp_path) = $temp_path =~ /^(.*)$/s;
+-mkdir $temp_path, 0755;
++unless (mkdir($temp_path, 0700) || $!{EEXIST}) {
++  warn creation of private subdirectory $temp_path failed (errno=$!); 
++  return;
++}
+ 
++unless ($^O eq 'MSWin32') {
++my @st;
++unless (@st = lstat($temp_path)) {
++  warn stat of private subdirectory $temp_path failed (errno=$!);
++  return;
++}
++if (!S_ISDIR($st[2])
++|| $st[4] != $
++|| ($st[2]  0777) != 0700 ) {
++  warn private subdirectory $temp_path is unsafe;
++  return;
++}
++}
++
+ last;
+   }
+   return $temp_path;
+
+
+Index: lib/PAR/SetupTemp.pm
+===
+--- lib/PAR/SetupTemp.pm   (revision 1315)
 lib/PAR/SetupTemp.pm   (revision 1316)
+@@ -114,7 +114,7 @@
+ if (!S_ISDIR($st[2])
+ || $st[4] != $
+ || ($st[2]  0777) != 0700 ) {
+-  warn private subdirectory $temp_path is unsafe;
++  warn private subdirectory $temp_path is unsafe (please remove it 
and retry your operation);
+   return;
+ }
+ }
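Review bot: at `++mkdir $stmpdir, 0700;` the return value is still unchecked, so if creating the per-program subdirectory under par-$username fails, $ENV{PAR_TEMP} is left pointing at a directory that does not exist; the `|| $!{EEXIST}` treatment given to the parent directory a few lines further down would keep both paths consistent. The parent-directory check itself is sound: `lstat` followed by `S_ISDIR` rejects a planted symlink instead of following it, comparing `$st[4]` with the real uid rejects a directory pre-created by another user, and the mode test rejects a world-writable one; note that `mkdir(..., 0700)` is still subject to the umask, so a umask that strips owner bits now ends in the "unsafe" warning rather than running silently, which is the right failure. As displayed, the string literals of the `die` and `warn` calls have lost their quotes and the `&` in `$st[2]  0777` and `$<` in `$st[4] != $` are missing, so check those survived in the committed file. The second `Index:` block (r1315 to r1316) patches the output of the first, so the two sections must stay in this order.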
diff --git a/perl-PAR.spec b/perl-PAR.spec
index 1c98bed..23a6f2a 100644
--- a/perl-PAR.spec
+++ b/perl-PAR.spec
@@ -1,11 +1,13 @@
 Name:   perl-PAR
 Version:1.002
-Release:4%{?dist}
+Release:5%{?dist}
 Summary:Perl Archive Toolkit
 License:GPL+ or Artistic
 Group:  Development/Libraries
 URL:http://search.cpan.org/dist/PAR/
 Source0:
http://www.cpan.org/authors/id/S/SM/SMUELLER/PAR-%{version}.tar.gz
+# Fix CVE-2011-4114, bug #760132, included in upstream 1.004.
+Patch0: perl-PAR-1.002-CVE-2011-4114.patch
 BuildRoot:  %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 BuildArch:  noarch
 BuildRequires:  perl(Archive::Zip) = 1
@@ -23,6 +25,7 @@ libraries from which Perl modules can be loaded.
 
 %prep
 %setup -q -n PAR-%{version}
+%patch0 -p0
 
 %build
 %{__perl} Makefile.PL INSTALLDIRS=vendor
@@ -39,7 +42,9 @@ find $RPM_BUILD_ROOT -depth -type d -exec rmdir {} 
2/dev/null \;
 %{_fixperms} $RPM_BUILD_ROOT/*
 
 %check
+export TEMP=$(mktemp -d)
 make test
+rm -rf $TEMP
 
 %clean
 rm -rf $RPM_BUILD_ROOT
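Review bot: a one-line comment above `export TEMP=$(mktemp -d)` would record why it is needed: with the patch applied, the test suite now creates its par-$USER directory with mode 0700 and refuses to run if a pre-existing one on the build host is a symlink, owned by someone else or not 0700, so pointing TEMP at a fresh private directory keeps the build independent of builder state. Since rpmbuild runs the section with `sh -e`, `export TEMP=$(mktemp -d)` hides a mktemp failure behind the exit status of `export`; splitting it into `TEMP=$(mktemp -d)` and `export TEMP` makes that failure abort the build instead of running `make test` with an empty TEMP. `rm -rf $TEMP` is harmless in that case (empty argument), but the split still reads more clearly.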
@@ -51,6 +56,9 @@ rm -rf $RPM_BUILD_ROOT
 %{_mandir}/man3/*
 
 %changelog
+* Thu Dec 01 2011 Petr Pisar ppi...@redhat.com - 1.002-5
+- Fix CVE-2011-4114 (insecure temporary directory handling) (bug #760132)
+
 * Tue Jul 19 2011 Petr Sabata con...@redhat.com - 1.002-4
 - Perl mass rebuild
 

[perl-PAR/f15] Fix CVE-2011-4114

2011-12-06 Thread Petr Pisar
commit 29555072e8e22a681a67c4046d2dd76a1e0eac27
Author: Petr Písař ppi...@redhat.com
Date:   Thu Dec 1 15:46:19 2011 +0100

Fix CVE-2011-4114

 perl-PAR-1.002-CVE-2011-4114.patch |   89 
 perl-PAR.spec  |   10 -
 2 files changed, 98 insertions(+), 1 deletions(-)
---
diff --git a/perl-PAR-1.002-CVE-2011-4114.patch 
b/perl-PAR-1.002-CVE-2011-4114.patch
new file mode 100644
index 000..4db8a94
--- /dev/null
+++ b/perl-PAR-1.002-CVE-2011-4114.patch
@@ -0,0 +1,89 @@
+Fix CVE-2011-4114
+
+From: r1305 | rschupp | 2011-11-28 17:39:44 +0100 (Po, 28 lis 2011) | 7 lines
+RT #69560/CVE-2011-4114: PAR packed files are extracted to unsafe and
+predictable temporary directories
+- create parent of cache directory (i.e. /tmp/par-USER) with mode 0700
+- if it already exists, check that (and bail out if not)
+  - it's not a symlink
+  - it's mode 0700
+  - it's owned by USER
+
+Petr Pisar: Message wording adjustment from r1316 is included too.
+
+Index: lib/PAR/SetupTemp.pm
+===
+--- lib/PAR/SetupTemp.pm   (revision 1304)
 lib/PAR/SetupTemp.pm   (revision 1305)
+@@ -5,6 +5,8 @@
+ use strict;
+ use warnings;
+ 
++use Fcntl ':mode';
++
+ use PAR::SetupProgname;
+ 
+ =head1 NAME
+@@ -42,8 +44,9 @@
+ }
+ 
+ my $stmpdir = _get_par_user_tempdir();
++die unable to create cache directory unless $stmpdir;
++
+ require File::Spec;
+-if (defined $stmpdir) { # it'd be quite bad if this was not the case
+   if (!$ENV{PAR_CLEAN} and my $mtime = 
(stat($PAR::SetupProgname::Progname))[9]) {
+   my $ctx = _get_digester();
+ 
+@@ -71,8 +74,7 @@
+   }
+ 
+   $ENV{PAR_TEMP} = $stmpdir;
+-  mkdir $stmpdir, 0755;
+-} # end if found a temp dir
++mkdir $stmpdir, 0700;
+ 
+ $PARTemp = $1 if defined $ENV{PAR_TEMP} and $ENV{PAR_TEMP} =~ /(.+)/;
+ }
+@@ -98,8 +100,25 @@
+ next unless defined $path and -d $path and -w $path;
+ $temp_path = File::Spec-catdir($path, par-$username);
+ ($temp_path) = $temp_path =~ /^(.*)$/s;
+-mkdir $temp_path, 0755;
++unless (mkdir($temp_path, 0700) || $!{EEXIST}) {
++  warn creation of private subdirectory $temp_path failed (errno=$!); 
++  return;
++}
+ 
++unless ($^O eq 'MSWin32') {
++my @st;
++unless (@st = lstat($temp_path)) {
++  warn stat of private subdirectory $temp_path failed (errno=$!);
++  return;
++}
++if (!S_ISDIR($st[2])
++|| $st[4] != $
++|| ($st[2]  0777) != 0700 ) {
++  warn private subdirectory $temp_path is unsafe;
++  return;
++}
++}
++
+ last;
+   }
+   return $temp_path;
+
+
+Index: lib/PAR/SetupTemp.pm
+===
+--- lib/PAR/SetupTemp.pm   (revision 1315)
 lib/PAR/SetupTemp.pm   (revision 1316)
+@@ -114,7 +114,7 @@
+ if (!S_ISDIR($st[2])
+ || $st[4] != $
+ || ($st[2]  0777) != 0700 ) {
+-  warn private subdirectory $temp_path is unsafe;
++  warn private subdirectory $temp_path is unsafe (please remove it 
and retry your operation);
+   return;
+ }
+ }
diff --git a/perl-PAR.spec b/perl-PAR.spec
index 4b1d46f..f426506 100644
--- a/perl-PAR.spec
+++ b/perl-PAR.spec
@@ -1,11 +1,13 @@
 Name:   perl-PAR
 Version:1.002
-Release:3%{?dist}
+Release:4%{?dist}
 Summary:Perl Archive Toolkit
 License:GPL+ or Artistic
 Group:  Development/Libraries
 URL:http://search.cpan.org/dist/PAR/
 Source0:
http://www.cpan.org/authors/id/S/SM/SMUELLER/PAR-%{version}.tar.gz
+# Fix CVE-2011-4114, bug #760132, included in upstream 1.004.
+Patch0: perl-PAR-1.002-CVE-2011-4114.patch
 BuildRoot:  %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 BuildArch:  noarch
 BuildRequires:  perl(Archive::Zip) = 1
@@ -23,6 +25,7 @@ libraries from which Perl modules can be loaded.
 
 %prep
 %setup -q -n PAR-%{version}
+%patch0 -p0
 
 %build
 %{__perl} Makefile.PL INSTALLDIRS=vendor
@@ -39,7 +42,9 @@ find $RPM_BUILD_ROOT -depth -type d -exec rmdir {} 
2/dev/null \;
 %{_fixperms} $RPM_BUILD_ROOT/*
 
 %check
+export TEMP=$(mktemp -d)
 make test
+rm -rf $TEMP
 
 %clean
 rm -rf $RPM_BUILD_ROOT
@@ -51,6 +56,9 @@ rm -rf $RPM_BUILD_ROOT
 %{_mandir}/man3/*
 
 %changelog
+* Thu Dec 01 2011 Petr Pisar ppi...@redhat.com - 1.002-4
+- Fix CVE-2011-4114 (insecure temporary directory handling) (bug #760132)
+
 * Tue Feb 08 2011 Fedora Release Engineering rel-...@lists.fedoraproject.org 
- 1.002-3
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild
 

[perl-PAR/f14] Fix CVE-2011-4114

2011-12-06 Thread Petr Pisar
commit e9c31e5fe012574693edcec484ad502c46db34a2
Author: Petr Písař ppi...@redhat.com
Date:   Thu Dec 1 15:46:19 2011 +0100

Fix CVE-2011-4114

 perl-PAR-1.002-CVE-2011-4114.patch |   89 
 perl-PAR.spec  |   10 -
 2 files changed, 98 insertions(+), 1 deletions(-)
---
diff --git a/perl-PAR-1.002-CVE-2011-4114.patch 
b/perl-PAR-1.002-CVE-2011-4114.patch
new file mode 100644
index 000..4db8a94
--- /dev/null
+++ b/perl-PAR-1.002-CVE-2011-4114.patch
@@ -0,0 +1,89 @@
+Fix CVE-2011-4114
+
+From: r1305 | rschupp | 2011-11-28 17:39:44 +0100 (Po, 28 lis 2011) | 7 lines
+RT #69560/CVE-2011-4114: PAR packed files are extracted to unsafe and
+predictable temporary directories
+- create parent of cache directory (i.e. /tmp/par-USER) with mode 0700
+- if it already exists, check that (and bail out if not)
+  - it's not a symlink
+  - it's mode 0700
+  - it's owned by USER
+
+Petr Pisar: Message wording adjustment from r1316 is included too.
+
+Index: lib/PAR/SetupTemp.pm
+===
+--- lib/PAR/SetupTemp.pm   (revision 1304)
 lib/PAR/SetupTemp.pm   (revision 1305)
+@@ -5,6 +5,8 @@
+ use strict;
+ use warnings;
+ 
++use Fcntl ':mode';
++
+ use PAR::SetupProgname;
+ 
+ =head1 NAME
+@@ -42,8 +44,9 @@
+ }
+ 
+ my $stmpdir = _get_par_user_tempdir();
++die unable to create cache directory unless $stmpdir;
++
+ require File::Spec;
+-if (defined $stmpdir) { # it'd be quite bad if this was not the case
+   if (!$ENV{PAR_CLEAN} and my $mtime = 
(stat($PAR::SetupProgname::Progname))[9]) {
+   my $ctx = _get_digester();
+ 
+@@ -71,8 +74,7 @@
+   }
+ 
+   $ENV{PAR_TEMP} = $stmpdir;
+-  mkdir $stmpdir, 0755;
+-} # end if found a temp dir
++mkdir $stmpdir, 0700;
+ 
+ $PARTemp = $1 if defined $ENV{PAR_TEMP} and $ENV{PAR_TEMP} =~ /(.+)/;
+ }
+@@ -98,8 +100,25 @@
+ next unless defined $path and -d $path and -w $path;
+ $temp_path = File::Spec-catdir($path, par-$username);
+ ($temp_path) = $temp_path =~ /^(.*)$/s;
+-mkdir $temp_path, 0755;
++unless (mkdir($temp_path, 0700) || $!{EEXIST}) {
++  warn creation of private subdirectory $temp_path failed (errno=$!); 
++  return;
++}
+ 
++unless ($^O eq 'MSWin32') {
++my @st;
++unless (@st = lstat($temp_path)) {
++  warn stat of private subdirectory $temp_path failed (errno=$!);
++  return;
++}
++if (!S_ISDIR($st[2])
++|| $st[4] != $
++|| ($st[2]  0777) != 0700 ) {
++  warn private subdirectory $temp_path is unsafe;
++  return;
++}
++}
++
+ last;
+   }
+   return $temp_path;
+
+
+Index: lib/PAR/SetupTemp.pm
+===
+--- lib/PAR/SetupTemp.pm   (revision 1315)
 lib/PAR/SetupTemp.pm   (revision 1316)
+@@ -114,7 +114,7 @@
+ if (!S_ISDIR($st[2])
+ || $st[4] != $
+ || ($st[2]  0777) != 0700 ) {
+-  warn private subdirectory $temp_path is unsafe;
++  warn private subdirectory $temp_path is unsafe (please remove it 
and retry your operation);
+   return;
+ }
+ }
diff --git a/perl-PAR.spec b/perl-PAR.spec
index fa7d29d..9d42f87 100644
--- a/perl-PAR.spec
+++ b/perl-PAR.spec
@@ -1,11 +1,13 @@
 Name:   perl-PAR
 Version:1.000
-Release:2%{?dist}
+Release:3%{?dist}
 Summary:Perl Archive Toolkit
 License:GPL+ or Artistic
 Group:  Development/Libraries
 URL:http://search.cpan.org/dist/PAR/
 Source0:
http://www.cpan.org/authors/id/S/SM/SMUELLER/PAR-%{version}.tar.gz
+# Fix CVE-2011-4114, bug #760132, included in upstream 1.004.
+Patch0: perl-PAR-1.002-CVE-2011-4114.patch
 BuildRoot:  %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 BuildArch:  noarch
 BuildRequires:  perl(Archive::Zip) = 1
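Review bot: this branch packages PAR 1.000 (`Version:1.000`) but applies `perl-PAR-1.002-CVE-2011-4114.patch`, a patch generated against the 1.002 tree (its `Index:` headers reference revisions 1304 to 1316), and the changelog records it as 1.000-3. Confirm the hunks apply to the 1.000 `lib/PAR/SetupTemp.pm` at the stated offsets without fuzz, and either name the patch after the version it is applied to or extend the `# Fix CVE-2011-4114` comment to say that the 1.002 patch applies to 1.000 unchanged.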
@@ -23,6 +25,7 @@ libraries from which Perl modules can be loaded.
 
 %prep
 %setup -q -n PAR-%{version}
+%patch0 -p0
 
 %build
 %{__perl} Makefile.PL INSTALLDIRS=vendor
@@ -39,7 +42,9 @@ find $RPM_BUILD_ROOT -depth -type d -exec rmdir {} 
2/dev/null \;
 %{_fixperms} $RPM_BUILD_ROOT/*
 
 %check
+export TEMP=$(mktemp -d)
 make test
+rm -rf $TEMP
 
 %clean
 rm -rf $RPM_BUILD_ROOT
@@ -51,6 +56,9 @@ rm -rf $RPM_BUILD_ROOT
 %{_mandir}/man3/*
 
 %changelog
+* Thu Dec 01 2011 Petr Pisar ppi...@redhat.com - 1.000-3
+- Fix CVE-2011-4114 (insecure temporary directory handling) (bug #760132)
+
 * Tue Aug 24 2010 Adam Tkac atkac redhat com - 1.000-2
 - rebuild
 

[perl-PAR-Packer/f16] Fix CVE-2011-4114

2011-12-06 Thread Petr Pisar
commit caf5df098adb318c914803819bd550b6c2c17ab6
Author: Petr Písař ppi...@redhat.com
Date:   Tue Dec 6 15:11:15 2011 +0100

Fix CVE-2011-4114

 perl-PAR-Packer-1.010-CVE-2011-4114.patch |   84 +
 perl-PAR-Packer.spec  |8 +++-
 2 files changed, 91 insertions(+), 1 deletions(-)
---
diff --git a/perl-PAR-Packer-1.010-CVE-2011-4114.patch 
b/perl-PAR-Packer-1.010-CVE-2011-4114.patch
new file mode 100644
index 000..b951322
--- /dev/null
+++ b/perl-PAR-Packer-1.010-CVE-2011-4114.patch
@@ -0,0 +1,84 @@
+From 9aa3d40e0b24bbd3dfa5d51198ffc289fa901c9f Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= ppi...@redhat.com
+Date: Tue, 6 Dec 2011 14:22:04 +0100
+Subject: [PATCH] Fix CVE-2011-4114 ported for 1.010.
+
+From: r1296 | rschupp | 2011-11-14 21:01:18 +0100 (Po, 14 lis 2011) | 11 lines
+
+myldr/mktmpdir.c:
+- (par_mktmpdir) CVE-2011-4114:
+  - create parent of cache directory (i.e. /tmp/par-USER) with mode 0700
+  - if it already exists, check that (and bail out if not)
+- it's not a symlink
+- it's mode 0700
+- it's owned by USER
+
+NOTE: PAR contains a copy of par_mktmpdir (in Perl); this
+must be fixed as well and we must require the fixed version.
+
+Adjusted error message from r1313 is included.
+---
+ myldr/mktmpdir.c |   38 +++---
+ 1 files changed, 35 insertions(+), 3 deletions(-)
+
+diff --git a/myldr/mktmpdir.c b/myldr/mktmpdir.c
+index 6699831..2293268 100644
+--- a/myldr/mktmpdir.c
 b/myldr/mktmpdir.c
+@@ -161,10 +161,42 @@ char *par_mktmpdir ( char **argv ) {
+stmpdir2 is the top $TEMP/par-$USER, needed to build stmpdir.  We
+need 2 buffers because snprintf() can't write to a buffer it's
+reading from. */
+-stmpdir = malloc( stmp_len );
+ stmpdir2 = malloc( stmp_len );
+ sprintf(stmpdir2, %s%s%s%s, tmpdir, dir_sep, subdirbuf_prefix, 
username);
+-my_mkdir(stmpdir2, 0755);
++#ifdef WIN32
++_mkdir(stmpdir2); /* FIXME bail if error (other than EEXIST) */
++#else
++{
++struct stat st;
++
++if (mkdir(stmpdir2, 0700) == -1  errno != EEXIST) {
++fprintf(stderr, %s: creation of private subdirectory %s failed 
(errno=%i)\n, 
++argv[0], stmpdir2, errno);
++return NULL;
++}
++
++/* now check that:
++ * - stmpdir2 is a directory (and not a symlink)
++ * - stmpdir2 is owned by the user
++ * - stmpdir2 has mode 0700
++ */
++if (lstat(stmpdir2, st) == -1) {
++fprintf(stderr, %s: stat of private subdirectory %s failed 
(errno=%i)\n,
++argv[0], stmpdir2, errno);
++return NULL;
++}
++
++if (!S_ISDIR(st.st_mode)
++|| st.st_uid != getuid()
++|| (st.st_mode  0777) != 0700 ) {
++fprintf(stderr, %s: private subdirectory %s is unsafe (please 
remove it and retry your operation)\n,
++argv[0], stmpdir2);
++return NULL;
++}
++}
++#endif
++
++stmpdir = malloc( stmp_len );
+ 
+ /* Doesn't really work - XXX */
+ val = par_getenv( PATH );
+@@ -250,7 +282,7 @@ char *par_mktmpdir ( char **argv ) {
+a prior invocation crashed leaving garbage in a temp directory that
+might interfere. */
+ 
+-while (my_mkdir(stmpdir, 0755) == -1  errno == EEXIST) {
++while (my_mkdir(stmpdir, 0700) == -1  errno == EEXIST) {
+ sprintf(
+ stmpdir,
+ %s%stemp-%u-%u%s,
+-- 
+1.7.7.4
+
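Review bot: the three new `return NULL` paths leak `stmpdir2`. Moving `stmpdir = malloc( stmp_len );` below the checks avoids leaking that buffer, but `stmpdir2 = malloc( stmp_len );` still runs before the checks and none of the early returns frees it; add `free(stmpdir2);` before each return (or jump to a single cleanup label). The WIN32 branch is left explicitly unfixed (`/* FIXME bail if error (other than EEXIST) */`), so on that platform the directory is neither created privately nor verified by this patch. Ownership is compared with `getuid()` while `mkdir()` creates the directory owned by the effective uid, so a set-uid caller would always fail the check; harmless for parl, but worth a comment. The check order is right: create with 0700, then `lstat` (never `stat`, which would follow a planted symlink), then `S_ISDIR`, owner and `(st.st_mode & 0777) != 0700`, with `my_mkdir(stmpdir, 0700)` also tightening the inner temp directory. As displayed, `errno != EEXIST` has lost its `&&`, `lstat(stmpdir2, st)` its `&st`, the mode test its `&` and the fprintf format strings their quotes; confirm those are intact in the committed file.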
diff --git a/perl-PAR-Packer.spec b/perl-PAR-Packer.spec
index a3299c1..9d00be7 100644
--- a/perl-PAR-Packer.spec
+++ b/perl-PAR-Packer.spec
@@ -1,11 +1,13 @@
 Name:   perl-PAR-Packer
 Version:1.010
-Release:2%{?dist}
+Release:3%{?dist}
 Summary:PAR Packager
 License:GPL+ or Artistic
 Group:  Development/Libraries
 URL:http://search.cpan.org/dist/PAR-Packer/
 Source0:
http://www.cpan.org/authors/id/R/RS/RSCHUPP/PAR-Packer-%{version}.tar.gz
+# Fix CVE-2011-4114, bug #753957, included in upstream 1.011.
+Patch0: perl-PAR-Packer-1.010-CVE-2011-4114.patch
 BuildRequires:  perl(Archive::Zip) = 1
 BuildRequires:  perl(Compress::Zlib) = 1.3
 BuildRequires:  perl(ExtUtils::MakeMaker)
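Review bot: the patch header states that PAR's Perl copy of par_mktmpdir "must be fixed as well and we must require the fixed version", but this hunk only adds `Patch0`; no versioned `Requires: perl(PAR) >= ...` or other dependency on the fixed perl-PAR build appears in the diff. Confirm the runtime dependency is enforced elsewhere, otherwise a patched parl can be installed next to an unpatched PAR.pm and the Perl extraction path keeps creating 0755 directories.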
@@ -24,6 +26,7 @@ stand-alone executables, perl scripts and PAR files.
 
 %prep
 %setup -q -n PAR-Packer-%{version}
+%patch0 -p1
 
 %build
 # DEBUG variable needed to disable stripping binary
@@ -58,6 +61,9 @@ export PAR_GLOBAL_TEMP=/var/tmp
 %{_mandir}/man3/*
 
 %changelog
+* Tue Dec 06 2011 Petr Pisar ppi...@redhat.com - 1.010-3
+- Fix CVE-2011-4114 (insecure temporary directory handling) (bug #753957)
+
 * Tue Jul 19 2011 Petr Sabata con...@redhat.com - 1.010-2
 - Perl mass rebuild
 

[Bug 753955] CVE-2011-4114 perl-PAR-Packer: insecure temporary directory handling

2011-12-06 Thread bugzilla


https://bugzilla.redhat.com/show_bug.cgi?id=753955

--- Comment #9 from Petr Pisar ppi...@redhat.com 2011-12-06 09:23:39 EST ---
How to test:

Create a /tmp/par-$(USER) directory with 0777 mode (or owned by a different user,
or create another user's symlink). Create a PAR archive from a perl script (pp
--par SCRIPT).

Test perl-PAR by running `perl -MPAR=./a.par SCRIPT'. Test perl-PAR-Packer by
running `parl ./a.par'.

For an unknown reason, you might need perl-PAR-Packer to get SCRIPT running from
./a.par via -MPAR=.

For an unknown reason, old parl might not work because of a perl version mismatch.
(This is fixed after rebuilding old perl-PAR-Packer against the current perl.)

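The three conditions the fix verifies on the per-user cache directory (a real directory, owned by the caller, mode 0700), written out as an added stand-alone C example that is not code from the PAR or PAR::Packer projects; the scratch path `/tmp/privdir-demo-XXXXXX`, the `par-user` subdirectory name and the `demo_*`/`stage_*` helpers are constructed fixtures that replay the scenarios from the test recipe above (a pre-created 0777 directory, a planted symlink) against the check:

```c
/* Added example, not code from the PAR or PAR::Packer projects: a
 * stand-alone version of the private-cache-directory check that the
 * CVE-2011-4114 fix adds to par_mktmpdir() (C) and
 * _get_par_user_tempdir() (Perl). check_private_dir() creates DIR with
 * mode 0700 or, if DIR exists, verifies it is a real directory (not a
 * symlink), owned by the calling user and mode 0700. The demo_* functions
 * are constructed scenarios under a mkdtemp() scratch directory. */
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

enum privdir_status {
    PRIVDIR_OK = 0,      /* directory is private and usable */
    PRIVDIR_ERR_CREATE,  /* mkdir failed for a reason other than EEXIST */
    PRIVDIR_ERR_STAT,    /* lstat failed */
    PRIVDIR_NOT_DIR,     /* a symlink or file sits where the dir should be */
    PRIVDIR_BAD_OWNER,   /* owned by another user */
    PRIVDIR_BAD_MODE     /* permission bits other than 0700 */
};

/* Same decision order as the upstream fix: create, then lstat, then check
 * type, owner and mode. lstat() (not stat()) is what makes a symlink
 * planted at this path fail the S_ISDIR test instead of being followed.
 * mkdir() honours the umask, so a umask stripping owner bits is rejected too. */
enum privdir_status check_private_dir(const char *dir)
{
    struct stat st;

    if (mkdir(dir, 0700) == -1 && errno != EEXIST)
        return PRIVDIR_ERR_CREATE;
    if (lstat(dir, &st) == -1)
        return PRIVDIR_ERR_STAT;
    if (!S_ISDIR(st.st_mode))
        return PRIVDIR_NOT_DIR;
    if (st.st_uid != getuid())
        return PRIVDIR_BAD_OWNER;
    if ((st.st_mode & 0777) != 0700)
        return PRIVDIR_BAD_MODE;
    return PRIVDIR_OK;
}

/* Run check_private_dir() against "<scratch>/par-user" after `prepare`
 * (may be NULL) has staged the scenario; then remove what was created. */
static enum privdir_status run_scenario(void (*prepare)(const char *))
{
    char scratch[] = "/tmp/privdir-demo-XXXXXX";  /* constructed, not a PAR path */
    char target[sizeof scratch + 16];
    enum privdir_status rc;

    if (mkdtemp(scratch) == NULL)
        return PRIVDIR_ERR_CREATE;
    snprintf(target, sizeof target, "%s/par-user", scratch);
    if (prepare != NULL)
        prepare(target);
    rc = check_private_dir(target);
    unlink(target);   /* removes a symlink; fails harmlessly on a directory */
    rmdir(target);    /* removes a directory; fails harmlessly on a symlink */
    rmdir(scratch);
    return rc;
}

static void stage_world_writable(const char *target)
{
    mkdir(target, 0777);
    chmod(target, 0777);   /* explicit, so the umask cannot mask the point */
}

static void stage_symlink(const char *target)
{
    /* Points at the scratch directory itself, which is 0700 and ours: a
     * stat()-based check would follow the link and pass; lstat() does not. */
    symlink(".", target);
}

/* Nothing exists yet, so the check itself creates the 0700 directory. */
enum privdir_status demo_fresh_dir(void) { return run_scenario(NULL); }
/* The pre-created 0777 directory from the test recipe above. */
enum privdir_status demo_world_writable(void) { return run_scenario(stage_world_writable); }
/* A symlink left where the directory should be. */
enum privdir_status demo_symlink_in_place(void) { return run_scenario(stage_symlink); }

int main(void)
{
    static const char *names[] = { "ok", "create-error", "stat-error",
                                   "not-a-directory", "bad-owner", "bad-mode" };
    printf("fresh dir : %s\n", names[demo_fresh_dir()]);
    printf("0777 dir  : %s\n", names[demo_world_writable()]);
    printf("symlink   : %s\n", names[demo_symlink_in_place()]);
    return 0;
}
```

A directory pre-created by another user cannot be staged without privileges, so the PRIVDIR_BAD_OWNER branch is exercised only by the real test recipe, not by the demo.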

[Bug 760132] CVE-2011-4114 perl-PAR-Packer: insecure temporary directory handling [fedora-all]

2011-12-06 Thread bugzilla


https://bugzilla.redhat.com/show_bug.cgi?id=760132

--- Comment #4 from Fedora Update System upda...@fedoraproject.org 2011-12-06 
10:03:22 EST ---
perl-PAR-1.002-4.fc15,perl-PAR-Packer-1.008-4.fc15 has been submitted as an
update for Fedora 15.
https://admin.fedoraproject.org/updates/perl-PAR-1.002-4.fc15,perl-PAR-Packer-1.008-4.fc15


[Bug 760132] CVE-2011-4114 perl-PAR-Packer: insecure temporary directory handling [fedora-all]

2011-12-06 Thread bugzilla


https://bugzilla.redhat.com/show_bug.cgi?id=760132

--- Comment #3 from Fedora Update System upda...@fedoraproject.org 2011-12-06 
10:01:15 EST ---
perl-PAR-1.002-5.fc16,perl-PAR-Packer-1.010-3.fc16 has been submitted as an
update for Fedora 16.
https://admin.fedoraproject.org/updates/perl-PAR-1.002-5.fc16,perl-PAR-Packer-1.010-3.fc16


[Bug 753957] CVE-2011-4114 perl-PAR-Packer: insecure temporary directory handling [fedora-all]

2011-12-06 Thread bugzilla


https://bugzilla.redhat.com/show_bug.cgi?id=753957

--- Comment #2 from Fedora Update System upda...@fedoraproject.org 2011-12-06 
10:01:22 EST ---
perl-PAR-1.002-5.fc16,perl-PAR-Packer-1.010-3.fc16 has been submitted as an
update for Fedora 16.
https://admin.fedoraproject.org/updates/perl-PAR-1.002-5.fc16,perl-PAR-Packer-1.010-3.fc16


[Bug 760132] CVE-2011-4114 perl-PAR-Packer: insecure temporary directory handling [fedora-all]

2011-12-06 Thread bugzilla


https://bugzilla.redhat.com/show_bug.cgi?id=760132

--- Comment #5 from Fedora Update System upda...@fedoraproject.org 2011-12-06 
10:04:01 EST ---
perl-PAR-1.000-3.fc14,perl-PAR-Packer-1.005-4.fc14 has been submitted as an
update for Fedora 14.
https://admin.fedoraproject.org/updates/perl-PAR-1.000-3.fc14,perl-PAR-Packer-1.005-4.fc14


[Bug 753957] CVE-2011-4114 perl-PAR-Packer: insecure temporary directory handling [fedora-all]

2011-12-06 Thread bugzilla


https://bugzilla.redhat.com/show_bug.cgi?id=753957

--- Comment #4 from Fedora Update System upda...@fedoraproject.org 2011-12-06 
10:04:06 EST ---
perl-PAR-1.000-3.fc14,perl-PAR-Packer-1.005-4.fc14 has been submitted as an
update for Fedora 14.
https://admin.fedoraproject.org/updates/perl-PAR-1.000-3.fc14,perl-PAR-Packer-1.005-4.fc14


[Bug 753957] CVE-2011-4114 perl-PAR-Packer: insecure temporary directory handling [fedora-all]

2011-12-06 Thread bugzilla


https://bugzilla.redhat.com/show_bug.cgi?id=753957

--- Comment #3 from Fedora Update System upda...@fedoraproject.org 2011-12-06 
10:03:28 EST ---
perl-PAR-1.002-4.fc15,perl-PAR-Packer-1.008-4.fc15 has been submitted as an
update for Fedora 15.
https://admin.fedoraproject.org/updates/perl-PAR-1.002-4.fc15,perl-PAR-Packer-1.008-4.fc15


Re: perl-Env-C: review and sponsor request

2011-12-06 Thread Marcela Mašláňová
On 12/02/2011 04:34 PM, Jan Kasprzak wrote:
   Hello, Fedora Perl developers!

 I use both Perl and Fedora extensively at work, and I have decided that
 we should try to migrate from locally-compiled Perl to the Perl from Fedora.
 This includes building all the CPAN modules we depend on as RPMs.
 So far I have about 10 CPAN modules packaged and buildable in mock,
 and checked with rpmlint (no errors, some bogus spelling warnings).

   I want to contribute these packages to Fedora. In order to learn
 the whole packaging process, I have decided to start with one package,
 Env::C. The review request is here:

 https://bugzilla.redhat.com/show_bug.cgi?id=757156

   The other packages I have are the following:

 Authen::DecHpwd
 Authen::PassPhrase
 Crypt::MySQL
 Crypt::UnixCrypt_XS
 Data::Entropy
 Data::Float
 Data::Integer
 DBD::ODBC
 IO::Socket::Multicast
 Scalar::String
 TeX::Encode

 I plan to create review requests for these packages after getting the first
 module (Env::C) to Fedora.

   Sincerely,

 -Jan Kasprzak


Welcome to Perl packaging for Fedora.

Paul (one of the sponsors) was already looking at your review, but because 
of the license it could take more time. Could you prepare something else 
from your list? It might be faster to get sponsored on other reviews if 
this one gets stalled.

Best regards,
Marcela Mašláňová
BaseOS team Brno

Re: perl-Env-C: review and sponsor request

2011-12-06 Thread Jan Kasprzak
Marcela Mašláňová wrote:
: On 12/02/2011 04:34 PM, Jan Kasprzak wrote:
: Welcome to Perl packaging for Fedora.
: 
: Paul (one of sponsors) was already looking at your review, but because 
: of license it could take more time. Could you prepare something else 
: from your list? It might be faster to get sponsored on other reviews if 
: this got stalled.

Yes. I have uploaded all the .specs and src.rpms I have to
http://www.fi.muni.cz/~kas/tmp/fedora-packages/. I can submit a review
request for some of them (do you want to pick up one or two?).

There are two problems with the above packages:

1) the directory ownership of %perl_vendorarch, which cpanspec generates
differently than required by Packaging guidelines
(see https://bugzilla.redhat.com/show_bug.cgi?id=757156#c1 for
details). I will fix it tomorrow.

2) some of the packages from this batch depend on others (I think
Authen::Passphrase is the topmost one), so in order to build
them in mock, either a separate yum repository for these packages
has to be created, or they have to be installed into the mock chroot
and mock --no-clean should be used.
I think perl-TeX-Encode and perl-IO-Socket-Multicast are standalone
packages.

Thanks,

-Yenya

-- 
| Jan Yenya Kasprzak  kas at {fi.muni.cz - work | yenya.net - private} |
| GPG: ID 1024/D3498839  Fingerprint 0D99A7FB206605D7 8B35FCDE05B18A5E |
| http://www.fi.muni.cz/~kas/Journal: http://www.fi.muni.cz/~kas/blog/ |
Please don't top post and in particular don't attach entire digests to your
mail or we'll all soon be using bittorrent to read the list. --Alan Cox