From fdc51149e57fcabf59e1ad3da5e295862a6b3cbe Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppi...@redhat.com> Date: Mon, 9 Jan 2017 16:11:31 +0100 Subject: Use Perl porter's fix for searching cpan -j file
---
 CPAN-2.14-Do-not-search-cpan-j-file-in-INC.patch | 40 -----------------
 ...For-cpan-j-make-the-file-an-absolute-path.patch | 52 ++++++++++++++++++++++
 perl-CPAN.spec | 10 +++--
 3 files changed, 59 insertions(+), 43 deletions(-)
 delete mode 100644 CPAN-2.14-Do-not-search-cpan-j-file-in-INC.patch
 create mode 100644 CPAN-2.14-For-cpan-j-make-the-file-an-absolute-path.patch

diff --git a/CPAN-2.14-Do-not-search-cpan-j-file-in-INC.patch b/CPAN-2.14-Do-not-search-cpan-j-file-in-INC.patch
deleted file mode 100644
index ce6501b..0000000
--- a/CPAN-2.14-Do-not-search-cpan-j-file-in-INC.patch
+++ /dev/null
@@ -1,40 +0,0 @@
-From 2630498e13ce17ef601f532e4ecec5c0489c72b5 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppi...@redhat.com>
-Date: Tue, 18 Oct 2016 17:59:58 +0200
-Subject: [PATCH] Do not search cpan -j file in @INC
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-After removing "." from @INC (CVE-2016-1238), loading explictly
-specified configuration file with cpan -j using relative path failed.
-This is because relative paths are subject to @INC search within the
-"require" function.
-
-Because cpan already checks the file exists before loading it, it's
-clear the intention is to load only that file (relative to current
-working directory).
-
-Therefore this patch turnes the configuration file name into into
-absolute path before loading it by "require" function.
-
-Signed-off-by: Petr Písař <ppi...@redhat.com>
----
- lib/App/Cpan.pm | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/lib/App/Cpan.pm b/lib/App/Cpan.pm
-index c654c2c..0f42913 100644
---- a/lib/App/Cpan.pm
-+++ b/lib/App/Cpan.pm
-@@ -1100,6 +1100,7 @@ sub _load_config # -j
- delete $INC{'CPAN/Config.pm'};
- croak( "Config file [$file] does not exist!\n" ) unless -e $file;
- 
-+ $file = File::Spec->rel2abs($file);
- my $rc = eval "require '$file'";
- 
- # CPAN::HandleConfig::require_myconfig_or_config looks for this
---
-2.7.4
-
diff --git a/CPAN-2.14-For-cpan-j-make-the-file-an-absolute-path.patch b/CPAN-2.14-For-cpan-j-make-the-file-an-absolute-path.patch
new file mode 100644
index 0000000..c8fc0ee
--- /dev/null
+++ b/CPAN-2.14-For-cpan-j-make-the-file-an-absolute-path.patch
@@ -0,0 +1,52 @@
+From 8b3473d00f9490f8ee07425ef44b23c6f72a8938 Mon Sep 17 00:00:00 2001
+From: brian d foy <brian.d....@gmail.com>
+Date: Tue, 18 Oct 2016 16:02:51 -0400
+Subject: [PATCH] For cpan -j, make the file an absolute path
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This is an additional fix for rt.cpan.org #116507.
+Since . will not be in @INC, we can't assume we are
+loading from the current directory (although that's
+a very likely situation for -j). Take whatever
+argument we get and expand it to an absolute path.
+
+Signed-off-by: Petr Písař <ppi...@redhat.com>
+---
+ lib/App/Cpan.pm | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/lib/App/Cpan.pm b/lib/App/Cpan.pm
+index 6561bd4..a9e73cd 100644
+--- a/lib/App/Cpan.pm
++++ b/lib/App/Cpan.pm
+@@ -291,7 +291,7 @@ use CPAN 1.80 (); # needs no test
+ use Config;
+ use autouse Cwd => qw(cwd);
+ use autouse 'Data::Dumper' => qw(Dumper);
+-use File::Spec::Functions;
++use File::Spec::Functions qw(catfile file_name_is_absolute rel2abs);
+ use File::Basename;
+ use Getopt::Std;
+ 
+@@ -1095,12 +1095,14 @@ sub _shell
+ 
+ sub _load_config # -j
+ {
+- my $file = shift || '';
++ my $argument = shift;
++
++ my $file = file_name_is_absolute( $argument ) ? $argument : rel2abs( $argument );
++ croak( "cpan config file [$file] for -j does not exist!\n" ) unless -e $file;
+ 
+ # should I clear out any existing config here?
+ $CPAN::Config = {};
+ delete $INC{'CPAN/Config.pm'};
+- croak( "Config file [$file] does not exist!\n" ) unless -e $file;
+ 
+ my $rc = eval "require '$file'";
+ 
+--
+2.7.4
+
diff --git a/perl-CPAN.spec b/perl-CPAN.spec
index 701a0a4..89e154d 100644
--- a/perl-CPAN.spec
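Review bot: `my $argument = shift;` drops the `|| ''` default of the removed line, so an undefined or empty `-j` value no longer reaches the croak: `rel2abs( $argument )` resolves it to the current working directory, `-e` passes, and the later `require` fails on a directory with an unrelated message instead of the intended "does not exist" error (assuming the option parser can hand this function an empty value; that code is outside the hunk). Reject it up front with `croak( "cpan config file for -j was not given!\n" ) unless defined $argument and length $argument;` before the ternary. The context line `my $rc = eval "require '$file'";` still interpolates the path into Perl source, so a path containing a single quote or a backslash mis-parses; now that `$file` is always absolute, `my $rc = eval { require $file };` loads the same file without building code from its name. `_load_config` continues past the end of the hunk.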
+++ b/perl-CPAN.spec
@@ -1,6 +1,6 @@
 Name: perl-CPAN
 Version: 2.14
-Release: 3%{?dist}
+Release: 4%{?dist}
 Summary: Query, download and build perl modules from CPAN sites
 License: GPL+ or Artistic
 Group: Development/Libraries
@@ -29,8 +29,9 @@ Patch8: CPAN-2.14-accepts_module-must-be-protected-with-an-eval.patch
 # Fix CVE-2016-1238 completely, CPAN RT#116507
 Patch9: CPAN-2.14-Fix-CVE-2016-1238-completely.patch
 # Do not search cpan -j file in @INC, required for
-# Fix-CVE-2016-1238-completely.patch, CPAN RT#116507
-Patch10: CPAN-2.14-Do-not-search-cpan-j-file-in-INC.patch
+# Fix-CVE-2016-1238-completely.patch, CPAN RT#116507, proposed in
+# <https://github.com/andk/cpanpm/pull/105>
+Patch10: CPAN-2.14-For-cpan-j-make-the-file-an-absolute-path.patch
 BuildArch: noarch
 BuildRequires: coreutils
 BuildRequires: findutils
@@ -243,6 +244,9 @@ make test
 %{_mandir}/man3/*

 %changelog
+* Mon Jan 09 2017 Petr Pisar <ppi...@redhat.com> - 2.14-4
+- Use Perl porter's fix for searching cpan -j file (CPAN RT#116507)
+
 * Tue Oct 18 2016 Petr Pisar <ppi...@redhat.com> - 2.14-3
 - Apply remains of CVE-2016-1238 fix from perl (CPAN RT#116507)
 - Do not search cpan -j file in @INC (CPAN RT#116507)
--
cgit v0.12
http://pkgs.fedoraproject.org/cgit/perl-CPAN.git/commit/?h=master&id=fdc51149e57fcabf59e1ad3da5e295862a6b3cbe
_______________________________________________
perl-devel mailing list -- perl-devel@lists.fedoraproject.org
To unsubscribe send an email to perl-devel-le...@lists.fedoraproject.org