diff --git a/RHEL-180415.patch b/RHEL-180415.patch new file mode 100644 index 0000000..a3d2efc --- /dev/null +++ b/RHEL-180415.patch @@ -0,0 +1,164 @@ +From 2066c1edc2f5b4cf97a1b66536d552fa225b4aaa Mon Sep 17 00:00:00 2001 +From: pmqs +Date: Sat, 16 May 2026 17:48:34 +0100 +Subject: [PATCH] remove use of eval in globmapper. #73 + +--- + lib/File/GlobMapper.pm | 52 ++++++++++++++++++++++++++++++++++-------- + t/globmapper.t | 52 +++++++++++++++++++++++++++++++++++++++++- + 2 files changed, 94 insertions(+), 10 deletions(-) + +diff --git a/lib/File/GlobMapper.pm b/lib/File/GlobMapper.pm +index 53f957a..6454bc4 100644 +--- a/lib/File/GlobMapper.pm ++++ b/lib/File/GlobMapper.pm +@@ -29,6 +29,11 @@ our ($VERSION, @EXPORT_OK); + $VERSION = '1.001'; + @EXPORT_OK = qw( globmap ); + ++our $BEGIN_DELIM = "\xFF"; ++our $END_DELIM = "\xFE"; ++our $BACKSLASH_ESC = "\xFD"; ++our $HASH_ESC = "\xFC"; ++our $STAR_ESC = "\xFB"; + + our ($noPreBS, $metachars, $matchMetaRE, %mapping, %wildCount); + $noPreBS = '(?{InputPattern}'\n"; ++ # print "OUTPUT '$self->{OutputGlob}' => '$string'\n"; + +- #print "OUTPUT '$self->{OutputGlob}' => '$string'\n"; + $self->{OutputPattern} = $string ; + + return 1 ; +@@ -335,11 +349,31 @@ sub _getFiles + next if $inFiles{$inFile} ++ ; + + my $outFile = $inFile ; ++ my @matches ; ++ ++ my $noPreESC = '(?{InputPattern}/ ) ++ if (@matches = ($inFile =~ m/$self->{InputPattern}/ )) + { +- no warnings 'uninitialized'; +- eval "\$outFile = $self->{OutputPattern};" ; ++ $outFile = $self->{OutputPattern}; ++ my $ix = 1; ++ ++ # get the filename glob ++ $outFile =~ s/${noPreESC}${BEGIN_DELIM}${END_DELIM}/$inFile/g; ++ ++ # now each of the #1, #2,... ++ for my $pattern (@matches) ++ { ++ $outFile =~ s/${noPreESC}${BEGIN_DELIM}${ix}${END_DELIM}/$pattern/g; ++ ++ ++ $ix; ++ } ++ ++ # unescape ++ $outFile =~ s/${BEGIN_DELIM}${BEGIN_DELIM}/${BEGIN_DELIM}/g; ++ $outFile =~ s/${END_DELIM}${END_DELIM}/${END_DELIM}/g; ++ $outFile =~ s/${HASH_ESC}/#/g; ++ $outFile =~ s/${STAR_ESC}/*/g; + + if (defined $outInMapping{$outFile}) + { +diff --git a/t/globmapper.t b/t/globmapper.t +index 75fa768..842562f 100644 +--- a/t/globmapper.t ++++ b/t/globmapper.t +@@ -24,7 +24,7 @@ Perl $]" ) + $extra = 1 + if eval { require Test::NoWarnings ; Test::NoWarnings->import; 1 }; + +- plan tests => 68 + $extra ; ++ plan tests => 76 + $extra ; + + use_ok('File::GlobMapper') ; + } +@@ -290,6 +290,56 @@ Perl $]" ) + ], " got mapping"; + } + ++{ ++ title "check escaping"; ++ ++ my $tmpDir ;#= 'td'; ++ my $lex = LexDir->new( $tmpDir ); ++ ++ my $BEGIN_DELIM = "\xFF"; ++ my $END_DELIM = "\xFE"; ++ ++ #mkdir $tmpDir, 0777 ; ++ ++ touch map { "$tmpDir/$_.tmp" } qw( abc1 abc2 abc3 ) ; ++ ++ my $map = File::GlobMapper::globmap("$tmpDir/*b*.tmp", "$tmpDir/X-${BEGIN_DELIM}#2-#1${END_DELIM}-X"); ++ ok $map, " got map" ++ or diag $File::GlobMapper::Error ; ++ ++ is @{ $map }, 3, " returned 3 maps"; ++ is_deeply $map, ++ [ [map { "$tmpDir/$_" } ("abc1.tmp", "X-${BEGIN_DELIM}c1-a${END_DELIM}-X")], ++ [map { "$tmpDir/$_" } ("abc2.tmp", "X-${BEGIN_DELIM}c2-a${END_DELIM}-X")], ++ [map { "$tmpDir/$_" } ("abc3.tmp", "X-${BEGIN_DELIM}c3-a${END_DELIM}-X")], ++ ], " got mapping"; ++} ++ ++{ ++ title "check backslash escaping"; ++ ++ my $tmpDir ;#= 'td'; ++ my $lex = LexDir->new( $tmpDir ); ++ ++ my $BEGIN_DELIM = "\xFF"; ++ my $END_DELIM = "\xFE"; ++ ++ #mkdir $tmpDir, 0777 ; ++ ++ touch map { "$tmpDir/$_.tmp" } qw( abc1 abc2 abc3 ) ; ++ ++ my $map = File::GlobMapper::globmap("$tmpDir/*b*.tmp", $tmpDir . '/X-#2-\\#1\\*-X'); ++ ok $map, " got map" ++ or diag $File::GlobMapper::Error ; ++ ++ is @{ $map }, 3, " returned 3 maps"; ++ is_deeply $map, ++ [ [map { "$tmpDir/$_" } ("abc1.tmp", "X-c1-#1*-X")], ++ [map { "$tmpDir/$_" } ("abc2.tmp", "X-c2-#1*-X")], ++ [map { "$tmpDir/$_" } ("abc3.tmp", "X-c3-#1*-X")], ++ ], " got mapping"; ++} ++ + # TODO + # test each of the wildcard metacharacters can be mapped to the output filename + # +-- +2.52.0 + diff --git a/perl-IO-Compress.spec b/perl-IO-Compress.spec index e3a0257..a5dac48 100644 --- a/perl-IO-Compress.spec +++ b/perl-IO-Compress.spec @@ -14,11 +14,13 @@ Name: perl-IO-Compress Version: 2.212 -Release: 512%{?dist} +Release: 512%{?dist}.1 Summary: Read and write compressed data License: GPL-1.0-or-later OR Artistic-1.0-Perl URL: https://metacpan.org/release/IO-Compress Source0: https://cpan.metacpan.org/modules/by-module/IO/IO-Compress-%{version}.tar.gz +# https://github.com/pmqs/IO-Compress/commit/f2db247bf90d4cc7ee2710be384946081f3b4610 +Patch0: RHEL-180415.patch BuildArch: noarch # Module Build BuildRequires: coreutils @@ -116,6 +118,7 @@ with "%{_libexecdir}/%{name}/test". %prep %setup -q -n IO-Compress-%{version} +%patch -P0 -p1 # Remove spurious exec permissions chmod -c -x lib/IO/Uncompress/{Adapter/Identity,RawInflate}.pm @@ -209,6 +212,10 @@ make test COMPRESS_ZLIB_RUN_%{?with_long_tests:ALL}%{!?with_long_tests:MOST}=1 %{_libexecdir}/%{name} %changelog +* Wed Jun 03 2026 RHEL Packaging Agent - 2.212-512.1 +- Fix CVE-2026-48962: remove use of eval in File::GlobMapper +- Resolves: RHEL-180415 + * Tue Oct 29 2024 Troy Dawson - 2.212-512 - Bump release for October 2024 mass rebuild: Resolves: RHEL-64018