2.85 bump
This commit is contained in:
parent
0167350014
commit
087b23d034
1
.gitignore
vendored
1
.gitignore
vendored
@ -30,3 +30,4 @@
|
||||
/Encode-2.82.tar.gz
|
||||
/Encode-2.83.tar.gz
|
||||
/Encode-2.84.tar.gz
|
||||
/Encode-2.85.tar.gz
|
||||
|
@ -1,97 +0,0 @@
|
||||
From 12be15d64ce089154c4367dc1842cd0dc0993ec6 Mon Sep 17 00:00:00 2001
|
||||
From: Tony Cook <tony@develop-help.com>
|
||||
Date: Wed, 27 Jul 2016 14:52:40 +1000
|
||||
Subject: [PATCH] CVE-2016-1238: avoid loading optional modules from .
|
||||
|
||||
The change to Encode.pm is the most critical part of this patch.
|
||||
|
||||
Without this change, and process that uses Encode started with a
|
||||
current directory that's world writable (such as /tmp) and if there's
|
||||
no global Encode::ConfigLocal, can be attacked by another user
|
||||
by creating /tmp/Encode/ConfigLocal.pm
|
||||
|
||||
It's possible most of the tools changed here do not need to be updated,
|
||||
but I chose a conservative path.
|
||||
---
|
||||
Encode.pm | 2 ++
|
||||
bin/enc2xs | 1 +
|
||||
bin/encguess | 1 +
|
||||
bin/piconv | 1 +
|
||||
bin/ucmlint | 1 +
|
||||
bin/unidump | 1 +
|
||||
6 files changed, 7 insertions(+)
|
||||
|
||||
diff --git a/Encode.pm b/Encode.pm
|
||||
index d88fe95..3923733 100644
|
||||
--- a/Encode.pm
|
||||
+++ b/Encode.pm
|
||||
@@ -56,6 +56,8 @@ require Encode::Config;
|
||||
eval {
|
||||
local $SIG{__DIE__};
|
||||
local $SIG{__WARN__};
|
||||
+ local @INC = @INC;
|
||||
+ pop @INC if $INC[-1] eq '.';
|
||||
require Encode::ConfigLocal;
|
||||
};
|
||||
|
||||
diff --git a/bin/enc2xs b/bin/enc2xs
|
||||
index ec4732c..f8d9f52 100755
|
||||
--- a/bin/enc2xs
|
||||
+++ b/bin/enc2xs
|
||||
@@ -4,6 +4,7 @@ BEGIN {
|
||||
# with $ENV{PERL_CORE} set
|
||||
# In case we need it in future...
|
||||
require Config; import Config;
|
||||
+ pop @INC if $INC[-1] eq '.';
|
||||
}
|
||||
use strict;
|
||||
use warnings;
|
||||
diff --git a/bin/encguess b/bin/encguess
|
||||
index 5d7ac80..0be5c7c 100755
|
||||
--- a/bin/encguess
|
||||
+++ b/bin/encguess
|
||||
@@ -1,5 +1,6 @@
|
||||
#!./perl
|
||||
use 5.008001;
|
||||
+BEGIN { pop @INC if $INC[-1] eq '.' }
|
||||
use strict;
|
||||
use warnings;
|
||||
use Encode;
|
||||
diff --git a/bin/piconv b/bin/piconv
|
||||
index c1dad9e..60b2a59 100755
|
||||
--- a/bin/piconv
|
||||
+++ b/bin/piconv
|
||||
@@ -1,6 +1,7 @@
|
||||
#!./perl
|
||||
# $Id: piconv,v 2.7 2014/05/31 09:48:48 dankogai Exp $
|
||||
#
|
||||
+BEGIN { pop @INC if $INC[-1] eq '.' }
|
||||
use 5.8.0;
|
||||
use strict;
|
||||
use Encode ;
|
||||
diff --git a/bin/ucmlint b/bin/ucmlint
|
||||
index 622376d..25e0d67 100644
|
||||
--- a/bin/ucmlint
|
||||
+++ b/bin/ucmlint
|
||||
@@ -3,6 +3,7 @@
|
||||
# $Id: ucmlint,v 2.2 2008/03/12 09:51:11 dankogai Exp $
|
||||
#
|
||||
|
||||
+BEGIN { pop @INC if $INC[-1] eq '.' }
|
||||
use strict;
|
||||
our $VERSION = do { my @r = (q$Revision: 2.2 $ =~ /\d+/g); sprintf "%d."."%02d" x $#r, @r };
|
||||
|
||||
diff --git a/bin/unidump b/bin/unidump
|
||||
index ae0da30..f190827 100755
|
||||
--- a/bin/unidump
|
||||
+++ b/bin/unidump
|
||||
@@ -1,5 +1,6 @@
|
||||
#!./perl
|
||||
|
||||
+BEGIN { pop @INC if $INC[-1] eq '.' }
|
||||
use strict;
|
||||
use Encode;
|
||||
use Getopt::Std;
|
||||
--
|
||||
2.1.4
|
||||
|
@ -1,6 +1,6 @@
|
||||
# Because encoding sub-package has independent version, version macro gets
|
||||
# redefined.
|
||||
%global cpan_version 2.84
|
||||
%global cpan_version 2.85
|
||||
Name: perl-Encode
|
||||
Epoch: 4
|
||||
Version: %{cpan_version}
|
||||
@ -8,7 +8,7 @@ Version: %{cpan_version}
|
||||
# perl-encoding sub-package has independent version which does not change
|
||||
# often and consecutive builds would clash on perl-encoding NEVRA. This is the
|
||||
# same case as in perl.spec.
|
||||
Release: 11%{?dist}
|
||||
Release: 1%{?dist}
|
||||
Summary: Character encodings in Perl
|
||||
# ucm: UCD
|
||||
# other files: GPL+ or Artistic
|
||||
@ -16,8 +16,6 @@ License: (GPL+ or Artistic) and UCD
|
||||
Group: Development/Libraries
|
||||
URL: http://search.cpan.org/dist/Encode/
|
||||
Source0: http://www.cpan.org/authors/id/D/DA/DANKOGAI/Encode-%{cpan_version}.tar.gz
|
||||
#Avoid loading optional modules from default . (CVE-2016-1238)
|
||||
Patch0: Encode-2.84-CVE-2016-1238-avoid-loading-optional-modules-from.patch
|
||||
BuildRequires: coreutils
|
||||
BuildRequires: findutils
|
||||
BuildRequires: make
|
||||
@ -65,7 +63,6 @@ BuildRequires: perl(IPC::Open3)
|
||||
BuildRequires: perl(lib)
|
||||
BuildRequires: perl(Scalar::Util)
|
||||
BuildRequires: perl(Symbol)
|
||||
BuildRequires: perl(Test)
|
||||
BuildRequires: perl(Test::More)
|
||||
BuildRequires: perl(Tie::Scalar)
|
||||
Requires: perl(:MODULE_COMPAT_%(eval "`perl -V:version`"; echo $version))
|
||||
@ -128,7 +125,6 @@ your own encoding to perl. No knowledge of XS is necessary.
|
||||
|
||||
%prep
|
||||
%setup -q -n Encode-%{cpan_version}
|
||||
%patch0 -p1
|
||||
|
||||
%build
|
||||
# Additional scripts can be installed by appending MORE_SCRIPTS, UCM files by
|
||||
@ -170,6 +166,9 @@ make test
|
||||
%{perl_vendorarch}/Encode/encode.h
|
||||
|
||||
%changelog
|
||||
* Tue Aug 09 2016 Jitka Plesnikova <jplesnik@redhat.com> - 4:2.85-1
|
||||
- 2.85 bump
|
||||
|
||||
* Tue Aug 02 2016 Jitka Plesnikova <jplesnik@redhat.com> - 4:2.84-11
|
||||
- Avoid loading optional modules from default . (CVE-2016-1238)
|
||||
|
||||
|
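Review bot: The changelog line `- 2.85 bump` does not record that this same change drops `Patch0` (the CVE-2016-1238 fix) and its `%patch0 -p1` application, so a reader of the spec history cannot tell whether the fix was lost or is now carried upstream. Presumably Encode 2.85 ships Tony Cook's change (the removed patch file on this page is his July 2016 CVE-2016-1238 fix), but nothing left in the spec states that. Suggest `- 2.85 bump (upstream now includes the CVE-2016-1238 fix, Patch0 dropped)` for the changelog entry, and a one-line guard after `%setup` such as `grep -q 'pop @INC' Encode.pm` so a future rebase that regresses the `@INC` handling fails at build time rather than silently.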