From fdc51149e57fcabf59e1ad3da5e295862a6b3cbe Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppi...@redhat.com>
Date: Mon, 9 Jan 2017 16:11:31 +0100
Subject: Use Perl porter's fix for searching cpan -j file

---
 CPAN-2.14-Do-not-search-cpan-j-file-in-INC.patch   | 40 -----------------
 ...For-cpan-j-make-the-file-an-absolute-path.patch | 52 ++++++++++++++++++++++
 perl-CPAN.spec                                     | 10 +++--
 3 files changed, 59 insertions(+), 43 deletions(-)
 delete mode 100644 CPAN-2.14-Do-not-search-cpan-j-file-in-INC.patch
 create mode 100644 CPAN-2.14-For-cpan-j-make-the-file-an-absolute-path.patch

diff --git a/CPAN-2.14-Do-not-search-cpan-j-file-in-INC.patch b/CPAN-2.14-Do-not-search-cpan-j-file-in-INC.patch
deleted file mode 100644
index ce6501b..0000000
--- a/CPAN-2.14-Do-not-search-cpan-j-file-in-INC.patch
+++ /dev/null
@@ -1,40 +0,0 @@
-From 2630498e13ce17ef601f532e4ecec5c0489c72b5 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppi...@redhat.com>
-Date: Tue, 18 Oct 2016 17:59:58 +0200
-Subject: [PATCH] Do not search cpan -j file in @INC
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-After removing "." from @INC (CVE-2016-1238), loading explictly
-specified configuration file with cpan -j using relative path failed.
-This is because relative paths are subject to @INC search within the
-"require" function.
-
-Because cpan already checks the file exists before loading it, it's
-clear the intention is to load only that file (relative to current
-working directory).
-
-Therefore this patch turnes the configuration file name into into
-absolute path before loading it by "require" function.
-
-Signed-off-by: Petr Písař <ppi...@redhat.com>
----
- lib/App/Cpan.pm | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/lib/App/Cpan.pm b/lib/App/Cpan.pm
-index c654c2c..0f42913 100644
---- a/lib/App/Cpan.pm
-+++ b/lib/App/Cpan.pm
-@@ -1100,6 +1100,7 @@ sub _load_config # -j
-       delete $INC{'CPAN/Config.pm'};
-       croak( "Config file [$file] does not exist!\n" ) unless -e $file;
- 
-+      $file = File::Spec->rel2abs($file);
-       my $rc = eval "require '$file'";
- 
-       # CPAN::HandleConfig::require_myconfig_or_config looks for this
--- 
-2.7.4
-
diff --git a/CPAN-2.14-For-cpan-j-make-the-file-an-absolute-path.patch b/CPAN-2.14-For-cpan-j-make-the-file-an-absolute-path.patch
new file mode 100644
index 0000000..c8fc0ee
--- /dev/null
+++ b/CPAN-2.14-For-cpan-j-make-the-file-an-absolute-path.patch
@@ -0,0 +1,52 @@
+From 8b3473d00f9490f8ee07425ef44b23c6f72a8938 Mon Sep 17 00:00:00 2001
+From: brian d foy <brian.d....@gmail.com>
+Date: Tue, 18 Oct 2016 16:02:51 -0400
+Subject: [PATCH] For cpan -j, make the file an absolute path
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This is an additional fix for rt.cpan.org #116507.
+Since . will not be in @INC, we can't assume we are
+loading from the current directory (although that's
+a very likely situation for -j). Take whatever
+argument we get and expand it to an absolute path.
+
+Signed-off-by: Petr Písař <ppi...@redhat.com>
+---
+ lib/App/Cpan.pm | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/lib/App/Cpan.pm b/lib/App/Cpan.pm
+index 6561bd4..a9e73cd 100644
+--- a/lib/App/Cpan.pm
++++ b/lib/App/Cpan.pm
+@@ -291,7 +291,7 @@ use CPAN 1.80 (); # needs no test
+ use Config;
+ use autouse Cwd => qw(cwd);
+ use autouse 'Data::Dumper' => qw(Dumper);
+-use File::Spec::Functions;
++use File::Spec::Functions qw(catfile file_name_is_absolute rel2abs);
+ use File::Basename;
+ use Getopt::Std;
+ 
+@@ -1095,12 +1095,14 @@ sub _shell
+ 
+ sub _load_config # -j
+       {
+-      my $file = shift || '';
++      my $argument = shift;
++
++      my $file = file_name_is_absolute( $argument ) ? $argument : rel2abs( $argument );
++      croak( "cpan config file [$file] for -j does not exist!\n" ) unless -e $file;
+ 
+       # should I clear out any existing config here?
+       $CPAN::Config = {};
+       delete $INC{'CPAN/Config.pm'};
+-      croak( "Config file [$file] does not exist!\n" ) unless -e $file;
+ 
+       my $rc = eval "require '$file'";
+ 
+-- 
+2.7.4
+
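Review bot: The now-absolute `$file` is still spliced into a string eval on the unchanged line `my $rc = eval "require '$file'";`, and after `rel2abs` the current working directory is part of that string, so a path containing a single quote ends the literal early and the remainder is parsed as Perl. Since an absolute path is not searched for in @INC, the block form `my $rc = eval { require $file };` loads the same file without building source text from the path. Separately, `my $argument = shift;` drops the old `|| ''` default, so a missing -j argument reaches `file_name_is_absolute` as undef; an early `croak` on an undefined or empty `$argument` would make that failure explicit. The body of `_load_config` continues past the end of the inner hunk, so how `$rc` and `$@` are used afterwards should be checked before switching eval forms.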
diff --git a/perl-CPAN.spec b/perl-CPAN.spec
index 701a0a4..89e154d 100644
--- a/perl-CPAN.spec
+++ b/perl-CPAN.spec
@@ -1,6 +1,6 @@
 Name:           perl-CPAN
 Version:        2.14
-Release:        3%{?dist}
+Release:        4%{?dist}
 Summary:        Query, download and build perl modules from CPAN sites
 License:        GPL+ or Artistic
 Group:          Development/Libraries
@@ -29,8 +29,9 @@ Patch8:         CPAN-2.14-accepts_module-must-be-protected-with-an-eval.patch
 # Fix CVE-2016-1238 completely, CPAN RT#116507
 Patch9:         CPAN-2.14-Fix-CVE-2016-1238-completely.patch
 # Do not search cpan -j file in @INC, required for
-# Fix-CVE-2016-1238-completely.patch, CPAN RT#116507
-Patch10:        CPAN-2.14-Do-not-search-cpan-j-file-in-INC.patch
+# Fix-CVE-2016-1238-completely.patch, CPAN RT#116507, proposed in
+# <https://github.com/andk/cpanpm/pull/105>
+Patch10:        CPAN-2.14-For-cpan-j-make-the-file-an-absolute-path.patch
 BuildArch:      noarch
 BuildRequires:  coreutils
 BuildRequires:  findutils
@@ -243,6 +244,9 @@ make test
 %{_mandir}/man3/*
 
 %changelog
+* Mon Jan 09 2017 Petr Pisar <ppi...@redhat.com> - 2.14-4
+- Use Perl porter's fix for searching cpan -j file (CPAN RT#116507)
+
 * Tue Oct 18 2016 Petr Pisar <ppi...@redhat.com> - 2.14-3
 - Apply remains of CVE-2016-1238 fix from perl (CPAN RT#116507)
 - Do not search cpan -j file in @INC (CPAN RT#116507)
-- 
cgit v0.12


        
http://pkgs.fedoraproject.org/cgit/perl-CPAN.git/commit/?h=master&id=fdc51149e57fcabf59e1ad3da5e295862a6b3cbe