From a1200def13509c48d0e1a0901214306f5d4dec60 Mon Sep 17 00:00:00 2001
From: Jitka Plesnikova <jples...@redhat.com>
Date: Tue, 9 Aug 2016 14:11:52 +0200
Subject: 2.85 bump

---
 .gitignore                                         |  1 +
 ...-1238-avoid-loading-optional-modules-from.patch | 97 ----------------------
 perl-Encode.spec                                   | 11 ++-
 sources                                            |  2 +-
 4 files changed, 7 insertions(+), 104 deletions(-)
 delete mode 100644 Encode-2.84-CVE-2016-1238-avoid-loading-optional-modules-from.patch

diff --git a/.gitignore b/.gitignore
index cf93d9e..a093ed0 100644
--- a/.gitignore
+++ b/.gitignore
@@ -30,3 +30,4 @@
 /Encode-2.82.tar.gz
 /Encode-2.83.tar.gz
 /Encode-2.84.tar.gz
+/Encode-2.85.tar.gz
diff --git a/Encode-2.84-CVE-2016-1238-avoid-loading-optional-modules-from.patch b/Encode-2.84-CVE-2016-1238-avoid-loading-optional-modules-from.patch
deleted file mode 100644
index fcf74de..0000000
--- a/Encode-2.84-CVE-2016-1238-avoid-loading-optional-modules-from.patch
+++ /dev/null
@@ -1,97 +0,0 @@
-From 12be15d64ce089154c4367dc1842cd0dc0993ec6 Mon Sep 17 00:00:00 2001
-From: Tony Cook <t...@develop-help.com>
-Date: Wed, 27 Jul 2016 14:52:40 +1000
-Subject: [PATCH] CVE-2016-1238: avoid loading optional modules from .
-
-The change to Encode.pm is the most critical part of this patch.
-
-Without this change, and process that uses Encode started with a
-current directory that's world writable (such as /tmp) and if there's
-no global Encode::ConfigLocal, can be attacked by another user
-by creating /tmp/Encode/ConfigLocal.pm
-
-It's possible most of the tools changed here do not need to be updated,
-but I chose a conservative path.
----
- Encode.pm    | 2 ++
- bin/enc2xs   | 1 +
- bin/encguess | 1 +
- bin/piconv   | 1 +
- bin/ucmlint  | 1 +
- bin/unidump  | 1 +
- 6 files changed, 7 insertions(+)
-
-diff --git a/Encode.pm b/Encode.pm
-index d88fe95..3923733 100644
---- a/Encode.pm
-+++ b/Encode.pm
-@@ -56,6 +56,8 @@ require Encode::Config;
- eval {
-     local $SIG{__DIE__};
-     local $SIG{__WARN__};
-+    local @INC = @INC;
-+    pop @INC if $INC[-1] eq '.';
-     require Encode::ConfigLocal;
- };
- 
-diff --git a/bin/enc2xs b/bin/enc2xs
-index ec4732c..f8d9f52 100755
---- a/bin/enc2xs
-+++ b/bin/enc2xs
-@@ -4,6 +4,7 @@ BEGIN {
-     # with $ENV{PERL_CORE} set
-     # In case we need it in future...
-     require Config; import Config;
-+    pop @INC if $INC[-1] eq '.';
- }
- use strict;
- use warnings;
-diff --git a/bin/encguess b/bin/encguess
-index 5d7ac80..0be5c7c 100755
---- a/bin/encguess
-+++ b/bin/encguess
-@@ -1,5 +1,6 @@
- #!./perl
- use 5.008001;
-+BEGIN { pop @INC if $INC[-1] eq '.' }
- use strict;
- use warnings;
- use Encode;
-diff --git a/bin/piconv b/bin/piconv
-index c1dad9e..60b2a59 100755
---- a/bin/piconv
-+++ b/bin/piconv
-@@ -1,6 +1,7 @@
- #!./perl
- # $Id: piconv,v 2.7 2014/05/31 09:48:48 dankogai Exp $
- #
-+BEGIN { pop @INC if $INC[-1] eq '.' }
- use 5.8.0;
- use strict;
- use Encode ;
-diff --git a/bin/ucmlint b/bin/ucmlint
-index 622376d..25e0d67 100644
---- a/bin/ucmlint
-+++ b/bin/ucmlint
-@@ -3,6 +3,7 @@
- # $Id: ucmlint,v 2.2 2008/03/12 09:51:11 dankogai Exp $
- #
- 
-+BEGIN { pop @INC if $INC[-1] eq '.' }
- use strict;
-our  $VERSION = do { my @r = (q$Revision: 2.2 $ =~ /\d+/g); sprintf "%d."."%02d" x $#r, @r };
- 
-diff --git a/bin/unidump b/bin/unidump
-index ae0da30..f190827 100755
---- a/bin/unidump
-+++ b/bin/unidump
-@@ -1,5 +1,6 @@
- #!./perl
- 
-+BEGIN { pop @INC if $INC[-1] eq '.' }
- use strict;
- use Encode;
- use Getopt::Std;
--- 
-2.1.4
-
diff --git a/perl-Encode.spec b/perl-Encode.spec
index 60697b5..4925929 100644
--- a/perl-Encode.spec
+++ b/perl-Encode.spec
@@ -1,6 +1,6 @@
 # Because encoding sub-package has independent version, version macro gets
 # redefined.
-%global cpan_version 2.84
+%global cpan_version 2.85
 Name:           perl-Encode
 Epoch:          4
 Version:        %{cpan_version}
@@ -8,7 +8,7 @@ Version:        %{cpan_version}
 # perl-encoding sub-package has independent version which does not change
 # often and consecutive builds would clash on perl-encoding NEVRA. This is the
 # same case as in perl.spec.
-Release:        11%{?dist}
+Release:        1%{?dist}
 Summary:        Character encodings in Perl
 # ucm:          UCD
 # other files:  GPL+ or Artistic
@@ -16,8 +16,6 @@ License:        (GPL+ or Artistic) and UCD
 Group:          Development/Libraries
 URL:            http://search.cpan.org/dist/Encode/
 Source0:        http://www.cpan.org/authors/id/D/DA/DANKOGAI/Encode-%{cpan_version}.tar.gz
-#Avoid loading optional modules from default . (CVE-2016-1238)
-Patch0:         Encode-2.84-CVE-2016-1238-avoid-loading-optional-modules-from.patch
 BuildRequires:  coreutils
 BuildRequires:  findutils
 BuildRequires:  make
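Review bot: Dropping `Patch0` here, together with `%patch0 -p1` in the `%prep` hunk, removes the packaged CVE-2016-1238 mitigation, and nothing in the commit records why that is safe. Presumably upstream 2.85 already carries the fix, but the page does not show the new tarball's contents. Before merging, confirm that the 2.85 `Encode.pm` still trims a trailing `.` from `@INC` around `require Encode::ConfigLocal`, as the removed patch did with `local @INC = @INC; pop @INC if $INC[-1] eq '.';`, and that the `bin/` scripts have the matching `BEGIN` guard. Once confirmed, record it in the new changelog entry, for example `- Remove CVE-2016-1238 patch, fix is included in upstream 2.85`, so the fix stays traceable in the package history.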
@@ -65,7 +63,6 @@ BuildRequires:  perl(IPC::Open3)
 BuildRequires:  perl(lib)
 BuildRequires:  perl(Scalar::Util)
 BuildRequires:  perl(Symbol)
-BuildRequires:  perl(Test)
 BuildRequires:  perl(Test::More)
 BuildRequires:  perl(Tie::Scalar)
 Requires:       perl(:MODULE_COMPAT_%(eval "`perl -V:version`"; echo $version))
@@ -128,7 +125,6 @@ your own encoding to perl. No knowledge of XS is necessary.
 
 %prep
 %setup -q -n Encode-%{cpan_version}
-%patch0 -p1
 
 %build
 # Additional scripts can be installed by appending MORE_SCRIPTS, UCM files by
@@ -170,6 +166,9 @@ make test
 %{perl_vendorarch}/Encode/encode.h
 
 %changelog
+* Tue Aug 09 2016 Jitka Plesnikova <jples...@redhat.com> - 4:2.85-1
+- 2.85 bump
+
 * Tue Aug 02 2016 Jitka Plesnikova <jples...@redhat.com> - 4:2.84-11
 - Avoid loading optional modules from default . (CVE-2016-1238)
 
diff --git a/sources b/sources
index a6c9baf..8ed254e 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-db7bc38b6d9da3f9d8ad2b6107bd5e0a  Encode-2.84.tar.gz
+db2e1a291bc856ae1b37c0edaf8dd07f  Encode-2.85.tar.gz
-- 
cgit v0.12


        
http://pkgs.fedoraproject.org/cgit/perl-Encode.git/commit/?h=f25&id=a1200def13509c48d0e1a0901214306f5d4dec60