Update to 2.93
- New upstream release 2.93
- Changed the number detection logic (experimental)
- Correct 0 handling (GH#23)
- Removed base.pm dependency (GH#5)
- Fixed wrong character offset (CPAN RT#116998)
- Address VAX issues (CPAN RT#118469)
- Various documentation fixes
- Remove . in @INC in json_pp (GH#25, CVE-2016-1238)
- Removed $VAR1 from json_pp output (GH#11)
- Fixed an issue to ignore trailing 0 (GH#29)
- Added Scalar::Util dependency for Perl 5.8+ (CPAN RT#84347)
- Fixed issues spotted by Nicolas Seriot's JSON Test Suite including experimental UTF-16/32 support and backward incompatible change of C style comment handling (now disabled by default) (GH#28)
- Moved the guts of JSON::PP::Boolean into lib/JSON/PP/Boolean.pm and gave it a proper version
- Refactored incremental parser to let it handle incomplete JSON text properly
- Imported and tweaked tests from JSON.pm
- Minor code clean up
- Fixed not to fail tests under Perl 5.25.* (CPAN RT#119114)
- Reworked documentation, based on the one for JSON::XS
- Let json_pp utility show the version of JSON::PP
- Fix loading order of B module (GH#31)
- Fixed isa tests for bignum
- This release by ISHIGAKI → update source URL
- Use five-digit version number for rpm to maintain upgrade path
- Drop EL-5 support
- Drop BuildRoot: and Group: tags
- Drop explicit buildroot cleaning in %install section
- Drop explicit %clean section
parent 9fd37210c6
commit 0b943e032f
@ -1,59 +0,0 @@
|
||||
From 869cca1a100a1081676f17a3af95457fc3f146cb Mon Sep 17 00:00:00 2001
|
||||
From: Tony Cook <tony@develop-help.com>
|
||||
Date: Thu, 28 Jul 2016 11:16:43 +1000
|
||||
Subject: [PATCH] CVE-2016-1238: avoid loading optional modules from default .
|
||||
|
||||
JSON::PP treats Scalar::Util as optional and may load Encode, which
|
||||
treats Encode::ConfigLocal as optional.
|
||||
|
||||
With the default . in @INC, and if Encode::ConfigLocal is not in
|
||||
the default locations, an attacker can create for example
|
||||
/tmp/Encode/ConfigLocal.pm, and if a process using JSON::PP is started
|
||||
from /tmp, perl will run the attacker's code.
|
||||
|
||||
The change to json_pp is purely precautionary.
|
||||
|
||||
The changes to JSON:PP were not included in the recent security patches
|
||||
since Scalar::Util is always available, and Encode was patched to
|
||||
prevent the problem there.
|
||||
---
|
||||
bin/json_pp | 1 +
|
||||
lib/JSON/PP.pm | 4 ++++
|
||||
2 files changed, 5 insertions(+)
|
||||
|
||||
diff --git a/bin/json_pp b/bin/json_pp
|
||||
index 3362dec..39bed4d 100644
|
||||
--- a/bin/json_pp
|
||||
+++ b/bin/json_pp
|
||||
@@ -1,5 +1,6 @@
|
||||
#!/usr/bin/perl
|
||||
|
||||
+BEGIN { pop @INC if $INC[-1] eq '.' }
|
||||
use strict;
|
||||
use Getopt::Long;
|
||||
|
||||
diff --git a/lib/JSON/PP.pm b/lib/JSON/PP.pm
|
||||
index 2d27e78..555f6fc 100644
|
||||
--- a/lib/JSON/PP.pm
|
||||
+++ b/lib/JSON/PP.pm
|
||||
@@ -1271,6 +1271,8 @@ sub _decode_unicode {
|
||||
BEGIN {
|
||||
|
||||
unless ( defined &utf8::is_utf8 ) {
|
||||
+ local @INC = @INC;
|
||||
+ pop @INC if $INC[-1] eq '.';
|
||||
require Encode;
|
||||
*utf8::is_utf8 = *Encode::is_utf8;
|
||||
}
|
||||
@@ -1332,6 +1334,8 @@ BEGIN {
|
||||
#
|
||||
|
||||
BEGIN {
|
||||
+ local @INC = @INC;
|
||||
+ pop @INC if $INC[-1] eq '.';
|
||||
eval 'require Scalar::Util';
|
||||
unless($@){
|
||||
*JSON::PP::blessed = \&Scalar::Util::blessed;
|
||||
--
|
||||
2.1.4
|
||||
|
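Review bot: dropping this patch file removes the `local @INC = @INC; pop @INC if $INC[-1] eq '.';` guards around `require Encode` and `eval 'require Scalar::Util'` in lib/JSON/PP.pm, while the 2.93 changelog entry only mentions removing `.` from @INC in json_pp (GH#25). Please confirm that lib/JSON/PP.pm in 2.93 no longer performs optional loads with `.` still in @INC (the new hard dependency on Scalar::Util >= 1.08 and the patched Encode mentioned in the patch description may cover both cases), and record in the %changelog that the downstream CVE-2016-1238 patch was dropped and why.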
@ -1,14 +1,17 @@
|
||||
# Need to stick with five digit version numbers until 3.x, to maintain upgrade path
|
||||
%global cpan_version 2.93
|
||||
%global five_digit_version %(LC_ALL=C; printf '%.5f' '%{cpan_version}')
|
||||
|
||||
# Need to tweak provides differently if we don't have rpm ≥ 4.9
|
||||
%global rpm49 %(rpm --version | perl -p -e 's/^.* (\\d+)\\.(\\d+).*/sprintf("%d.%03d",$1,$2) ge 4.009 ? 1 : 0/e' 2>/dev/null || echo 0)
|
||||
|
||||
Name: perl-JSON-PP
|
||||
Version: 2.27400
|
||||
Release: 5%{?dist}
|
||||
Version: %{five_digit_version}
|
||||
Release: 1%{?dist}
|
||||
Summary: JSON::XS compatible pure-Perl module
|
||||
License: GPL+ or Artistic
|
||||
Group: Development/Libraries
|
||||
URL: http://search.cpan.org/dist/JSON-PP/
|
||||
Source0: http://search.cpan.org/CPAN/authors/id/M/MA/MAKAMAKA/JSON-PP-%{version}.tar.gz
|
||||
# Avoid loading optional modules from default . (CVE-2016-1238)
|
||||
Patch0: JSON-PP-2.27400-CVE-2016-1238-avoid-loading-optional-modules-from-de.patch
|
||||
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(id -nu)
|
||||
Source0: http://search.cpan.org/CPAN/authors/id/I/IS/ISHIGAKI/JSON-PP-%{cpan_version}.tar.gz
|
||||
BuildArch: noarch
|
||||
# Module Build
|
||||
BuildRequires: coreutils
|
||||
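Review bot: the new `Source0:` line for the ISHIGAKI tarball, like `URL:`, still points at plain `http://search.cpan.org/...`, so anyone fetching the tarball from the spec URL gets it over an unauthenticated channel. Suggest an https URL if the site serves one, and state in the commit how the new tarball was verified. Separately, in `rpm49` the `ge 4.009` test is a string comparison, which only orders correctly while the rpm major version is a single digit; a numeric `>=` on the same formatted value would be safer.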
@ -19,8 +22,6 @@ BuildRequires: perl-generators
|
||||
BuildRequires: perl(ExtUtils::MakeMaker)
|
||||
BuildRequires: perl(lib)
|
||||
# Module Runtime
|
||||
BuildRequires: perl(B)
|
||||
BuildRequires: perl(base)
|
||||
BuildRequires: perl(bytes)
|
||||
BuildRequires: perl(Carp)
|
||||
BuildRequires: perl(constant)
|
||||
@ -29,10 +30,10 @@ BuildRequires: perl(Exporter)
|
||||
BuildRequires: perl(Math::BigFloat)
|
||||
BuildRequires: perl(Math::BigInt)
|
||||
BuildRequires: perl(overload)
|
||||
BuildRequires: perl(Scalar::Util)
|
||||
BuildRequires: perl(Scalar::Util) >= 1.08
|
||||
BuildRequires: perl(strict)
|
||||
BuildRequires: perl(subs)
|
||||
BuildRequires: perl(utf8)
|
||||
BuildRequires: perl(warnings)
|
||||
# Script Runtime
|
||||
BuildRequires: perl(Data::Dumper)
|
||||
BuildRequires: perl(Getopt::Long)
|
||||
@ -51,11 +52,16 @@ Requires: perl(Data::Dumper)
|
||||
Requires: perl(Encode)
|
||||
Requires: perl(Math::BigFloat)
|
||||
Requires: perl(Math::BigInt)
|
||||
Requires: perl(Scalar::Util)
|
||||
Requires: perl(subs)
|
||||
Requires: perl(Scalar::Util) >= 1.08
|
||||
Requires: perl(utf8)
|
||||
Conflicts: perl-JSON < 2.50
|
||||
|
||||
# Provide the five-digit version of the module
|
||||
%if "%{cpan_version}" != "%{five_digit_version}"
|
||||
Provides: perl(JSON::PP) = %{five_digit_version}
|
||||
%global __provides_exclude ^perl\\(JSON::PP\\)
|
||||
%endif
|
||||
|
||||
%description
|
||||
JSON::XS is the fastest and most proper JSON module on CPAN. It is written by
|
||||
Marc Lehmann in C, so must be compiled and installed in the used environment.
|
||||
@ -63,25 +69,28 @@ Marc Lehmann in C, so must be compiled and installed in the used environment.
|
||||
JSON::PP is a pure-Perl module and is compatible with JSON::XS.
|
||||
|
||||
%prep
|
||||
%setup -q -n JSON-PP-%{version}
|
||||
%patch0 -p1
|
||||
%setup -q -n JSON-PP-%{cpan_version}
|
||||
|
||||
# Don't provide less than five-digit version of the module (prior to rpm 4.9)
|
||||
%if ! %{rpm49}
|
||||
%if "%{cpan_version}" != "%{five_digit_version}"
|
||||
%global perl_prov /bin/sh -c "%{__perl_provides} | sed -e '/^perl(JSON::PP)/d'"
|
||||
%global __perl_provides %{perl_prov}
|
||||
%endif
|
||||
%endif
|
||||
|
||||
%build
|
||||
perl Makefile.PL INSTALLDIRS=vendor
|
||||
make %{?_smp_mflags}
|
||||
|
||||
%install
|
||||
rm -rf %{buildroot}
|
||||
make pure_install DESTDIR=%{buildroot}
|
||||
find %{buildroot} -type f -name .packlist -delete
|
||||
%{_fixperms} %{buildroot}
|
||||
%{_fixperms} -c %{buildroot}
|
||||
|
||||
%check
|
||||
make test
|
||||
|
||||
%clean
|
||||
rm -rf %{buildroot}
|
||||
|
||||
%files
|
||||
%doc Changes README
|
||||
%{_bindir}/json_pp
|
||||
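Review bot: the `%if ! %{rpm49}` block added to %prep carries a pre-4.9 `__perl_provides` sed filter, but the changelog for this commit drops EL-5 and nothing here says which remaining target still has rpm older than 4.9. Please add a comment naming that target, or remove this block and the `rpm49` macro if none is left. It would also read more easily if this filter sat next to the `__provides_exclude` block in the preamble, since both are keyed on the same `"%{cpan_version}" != "%{five_digit_version}"` condition.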
@ -91,6 +100,39 @@ rm -rf %{buildroot}
|
||||
%{_mandir}/man3/JSON::PP::Boolean.3*
|
||||
|
||||
%changelog
|
||||
* Wed May 17 2017 Paul Howarth <paul@city-fan.org> - 2.93000-1
|
||||
- Update to 2.93
|
||||
- Changed the number detection logic (experimental)
|
||||
- Correct 0 handling (GH#23)
|
||||
- Removed base.pm dependency (GH#5)
|
||||
- Fixed wrong character offset (CPAN RT#116998)
|
||||
- Address VAX issues (CPAN RT#118469)
|
||||
- Various documentation fixes
|
||||
- Remove . in @INC in json_pp (GH#25, CVE-2016-1238)
|
||||
- Removed $VAR1 from json_pp output (GH#11)
|
||||
- Fixed an issue to ignore trailing 0 (GH#29)
|
||||
- Added Scalar::Util dependency for Perl 5.8+ (CPAN RT#84347)
|
||||
- Fixed issues spotted by Nicolas Seriot's JSON Test Suite including
|
||||
experimental UTF-16/32 support and backward incompatible change of
|
||||
C style comment handling (now disabled by default) (GH#28)
|
||||
- Moved the guts of JSON::PP::Boolean into lib/JSON/PP/Boolean.pm and gave
|
||||
it a proper version
|
||||
- Refactored incremental parser to let it handle incomplete JSON text
|
||||
properly
|
||||
- Imported and tweaked tests from JSON.pm
|
||||
- Minor code clean up
|
||||
- Fixed not to fail tests under Perl 5.25.* (CPAN RT#119114)
|
||||
- Reworked documentation, based on the one for JSON::XS
|
||||
- Let json_pp utility show the version of JSON::PP
|
||||
- Fix loading order of B module (GH#31)
|
||||
- Fixed isa tests for bignum
|
||||
- This release by ISHIGAKI → update source URL
|
||||
- Use five-digit version number for rpm to maintain upgrade path
|
||||
- Drop EL-5 support
|
||||
- Drop BuildRoot: and Group: tags
|
||||
- Drop explicit buildroot cleaning in %%install section
|
||||
- Drop explicit %%clean section
|
||||
|
||||
* Sat Feb 11 2017 Fedora Release Engineering <releng@fedoraproject.org> - 2.27400-5
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
|
||||
|
||||
|