diff --git a/JSON-PP-2.27400-CVE-2016-1238-avoid-loading-optional-modules-from-de.patch b/JSON-PP-2.27400-CVE-2016-1238-avoid-loading-optional-modules-from-de.patch deleted file mode 100644 index b8b177e..0000000 --- a/JSON-PP-2.27400-CVE-2016-1238-avoid-loading-optional-modules-from-de.patch +++ /dev/null @@ -1,59 +0,0 @@ -From 869cca1a100a1081676f17a3af95457fc3f146cb Mon Sep 17 00:00:00 2001 -From: Tony Cook -Date: Thu, 28 Jul 2016 11:16:43 +1000 -Subject: [PATCH] CVE-2016-1238: avoid loading optional modules from default . - -JSON::PP treats Scalar::Util as optional and may load Encode, which -treats Encode::ConfigLocal as optional. - -With the default . in @INC, and if Encode::ConfigLocal is not in -the default locations, an attacker can create for example -/tmp/Encode/ConfigLocal.pm, and if a process using JSON::PP is started -from /tmp, perl will run the attacker's code. - -The change to json_pp is purely precautionary. - -The changes to JSON:PP were not included in the recent security patches -since Scalar::Util is always available, and Encode was patched to -prevent the problem there. ---- - bin/json_pp | 1 + - lib/JSON/PP.pm | 4 ++++ - 2 files changed, 5 insertions(+) - -diff --git a/bin/json_pp b/bin/json_pp -index 3362dec..39bed4d 100644 ---- a/bin/json_pp -+++ b/bin/json_pp -@@ -1,5 +1,6 @@ - #!/usr/bin/perl - -+BEGIN { pop @INC if $INC[-1] eq '.' } - use strict; - use Getopt::Long; - -diff --git a/lib/JSON/PP.pm b/lib/JSON/PP.pm -index 2d27e78..555f6fc 100644 ---- a/lib/JSON/PP.pm -+++ b/lib/JSON/PP.pm -@@ -1271,6 +1271,8 @@ sub _decode_unicode { - BEGIN { - - unless ( defined &utf8::is_utf8 ) { -+ local @INC = @INC; -+ pop @INC if $INC[-1] eq '.'; - require Encode; - *utf8::is_utf8 = *Encode::is_utf8; - } -@@ -1332,6 +1334,8 @@ BEGIN { - # - - BEGIN { -+ local @INC = @INC; -+ pop @INC if $INC[-1] eq '.'; - eval 'require Scalar::Util'; - unless($@){ - *JSON::PP::blessed = \&Scalar::Util::blessed; --- -2.1.4 - 
diff --git a/perl-JSON-PP.spec b/perl-JSON-PP.spec
index ae26ed1..14d5038 100644
--- a/perl-JSON-PP.spec
+++ b/perl-JSON-PP.spec
@@ -1,14 +1,17 @@
+# Need to stick with five digit version numbers until 3.x, to maintain upgrade path
+%global cpan_version 2.93
+%global five_digit_version %(LC_ALL=C; printf '%.5f' '%{cpan_version}')
+
+# Need to tweak provides differently if we don't have rpm ≥ 4.9
+%global rpm49 %(rpm --version | perl -p -e 's/^.* (\\d+)\\.(\\d+).*/sprintf("%d.%03d",$1,$2) ge 4.009 ? 1 : 0/e' 2>/dev/null || echo 0)
+
 Name: perl-JSON-PP
-Version: 2.27400
-Release: 5%{?dist}
+Version: %{five_digit_version}
+Release: 1%{?dist}
 Summary: JSON::XS compatible pure-Perl module
 License: GPL+ or Artistic
-Group: Development/Libraries
 URL: http://search.cpan.org/dist/JSON-PP/
-Source0: http://search.cpan.org/CPAN/authors/id/M/MA/MAKAMAKA/JSON-PP-%{version}.tar.gz
-# Avoid loading optional modules from default . (CVE-2016-1238)
-Patch0: JSON-PP-2.27400-CVE-2016-1238-avoid-loading-optional-modules-from-de.patch
-BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(id -nu)
+Source0: http://search.cpan.org/CPAN/authors/id/I/IS/ISHIGAKI/JSON-PP-%{cpan_version}.tar.gz
 BuildArch: noarch
 # Module Build
 BuildRequires: coreutils
@@ -19,8 +22,6 @@ BuildRequires: perl-generators
 BuildRequires: perl(ExtUtils::MakeMaker)
 BuildRequires: perl(lib)
 # Module Runtime
-BuildRequires: perl(B)
-BuildRequires: perl(base)
 BuildRequires: perl(bytes)
 BuildRequires: perl(Carp)
 BuildRequires: perl(constant)
@@ -29,10 +30,10 @@ BuildRequires: perl(Exporter)
 BuildRequires: perl(Math::BigFloat)
 BuildRequires: perl(Math::BigInt)
 BuildRequires: perl(overload)
-BuildRequires: perl(Scalar::Util)
+BuildRequires: perl(Scalar::Util) >= 1.08
 BuildRequires: perl(strict)
-BuildRequires: perl(subs)
 BuildRequires: perl(utf8)
+BuildRequires: perl(warnings)
 # Script Runtime
 BuildRequires: perl(Data::Dumper)
 BuildRequires: perl(Getopt::Long)
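Review bot: The `|| echo 0` fallback on the new `%global rpm49` line only fires when perl itself exits non-zero, so if `rpm` is missing (empty pipe input) the macro expands to nothing, and if the version line does not match the `s///e` pattern `perl -p` echoes it back unmodified; in both cases the `%if ! %{rpm49}` test in the %prep hunk later in this diff fails to parse instead of taking the conservative branch. Make the probe always emit a digit and guard the test against an empty expansion, e.g. `%global rpm49 %(rpm --version 2>/dev/null | perl -ne 'print((/(\\d+)\\.(\\d+)/ && sprintf("%d.%03d",$1,$2) ge 4.009) ? 1 : 0)' || echo 0)` together with `%if ! 0%{rpm49}`. The `ge` comparison is lexical and only works because both sides are padded to `%d.%03d`; a short trailing comment such as `# lexical compare; both sides zero-padded` would save the next maintainer from "fixing" it into a numeric `>=`.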
@@ -51,11 +52,16 @@ Requires: perl(Data::Dumper)
 Requires: perl(Encode)
 Requires: perl(Math::BigFloat)
 Requires: perl(Math::BigInt)
-Requires: perl(Scalar::Util)
-Requires: perl(subs)
+Requires: perl(Scalar::Util) >= 1.08
 Requires: perl(utf8)
 Conflicts: perl-JSON < 2.50
 
+# Provide the five-digit version of the module
+%if "%{cpan_version}" != "%{five_digit_version}"
+Provides: perl(JSON::PP) = %{five_digit_version}
+%global __provides_exclude ^perl\\(JSON::PP\\)
+%endif
+
 %description
 JSON::XS is the fastest and most proper JSON module on CPAN. It is written by
 Marc Lehmann in C, so must be compiled and installed in the used environment.
@@ -63,25 +69,28 @@ Marc Lehmann in C, so must be compiled and installed in the used environment.
 JSON::PP is a pure-Perl module and is compatible with JSON::XS.
 
 %prep
-%setup -q -n JSON-PP-%{version}
-%patch0 -p1
+%setup -q -n JSON-PP-%{cpan_version}
+
+# Don't provide less than five-digit version of the module (prior to rpm 4.9)
+%if ! %{rpm49}
+%if "%{cpan_version}" != "%{five_digit_version}"
+%global perl_prov /bin/sh -c "%{__perl_provides} | sed -e '/^perl(JSON::PP)/d'"
+%global __perl_provides %{perl_prov}
+%endif
+%endif
 
 %build
 perl Makefile.PL INSTALLDIRS=vendor
 make %{?_smp_mflags}
 
 %install
-rm -rf %{buildroot}
 make pure_install DESTDIR=%{buildroot}
 find %{buildroot} -type f -name .packlist -delete
-%{_fixperms} %{buildroot}
+%{_fixperms} -c %{buildroot}
 
 %check
 make test
 
-%clean
-rm -rf %{buildroot}
-
 %files
 %doc Changes README
 %{_bindir}/json_pp
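Review bot: Dropping `%patch0 -p1` in the %prep hunk removes not only the json_pp `@INC` fix but also the two `local @INC = @INC; pop @INC if $INC[-1] eq '.';` guards that the deleted patch placed around the `require Encode` and `require Scalar::Util` loads in lib/JSON/PP.pm, while the 2.93 changelog entry in this commit credits upstream only with "Remove . in @INC in json_pp". It is worth confirming that 2.93 carries, or no longer needs, the PP.pm guards before relying on the upstream release alone. The deleted patch's own description calls those hunks precautionary, because Scalar::Util is now a hard `>= 1.08` dependency and Encode was fixed separately, so recording that reasoning in the changelog would make the drop self-explaining, e.g. `- Drop CVE-2016-1238 patch: json_pp fix is upstream, PP.pm guards were precautionary`.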
@@ -91,6 +100,39 @@ rm -rf %{buildroot}
 %{_mandir}/man3/JSON::PP::Boolean.3*
 
 %changelog
+* Wed May 17 2017 Paul Howarth - 2.93000-1
+- Update to 2.93
+ - Changed the number detection logic (experimental)
+ - Correct 0 handling (GH#23)
+ - Removed base.pm dependency (GH#5)
+ - Fixed wrong character offset (CPAN RT#116998)
+ - Address VAX issues (CPAN RT#118469)
+ - Various documentation fixes
+ - Remove . in @INC in json_pp (GH#25, CVE-2016-1238)
+ - Removed $VAR1 from json_pp output (GH#11)
+ - Fixed an issue to ignore trailing 0 (GH#29)
+ - Added Scalar::Util dependency for Perl 5.8+ (CPAN RT#84347)
+ - Fixed issues spotted by Nicolas Seriot's JSON Test Suite including
+ experimental UTF-16/32 support and backward incompatible change of
+ C style comment handling (now disabled by default) (GH#28)
+ - Moved the guts of JSON::PP::Boolean into lib/JSON/PP/Boolean.pm and gave
+ it a proper version
+ - Refactored incremental parser to let it handle incomplete JSON text
+ properly
+ - Imported and tweaked tests from JSON.pm
+ - Minor code clean up
+ - Fixed not to fail tests under Perl 5.25.* (CPAN RT#119114)
+ - Reworked documentation, based on the one for JSON::XS
+ - Let json_pp utility show the version of JSON::PP
+ - Fix loading order of B module (GH#31)
+ - Fixed isa tests for bignum
+- This release by ISHIGAKI → update source URL
+- Use five-digit version number for rpm to maintain upgrade path
+- Drop EL-5 support
+ - Drop BuildRoot: and Group: tags
+ - Drop explicit buildroot cleaning in %%install section
+ - Drop explicit %%clean section
+
 * Sat Feb 11 2017 Fedora Release Engineering - 2.27400-5
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
 
diff --git a/sources b/sources
index 6fddafd..c9540fa 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-544b03d04d141d66cc27c8b9f835195f JSON-PP-2.27400.tar.gz
+SHA512 (JSON-PP-2.93.tar.gz) = e4d798c76044e486c7e3ca23a12803e7bfc5777550b98252e29ebb4361ee10a80b4edddc019f3421261893163fb026d18707ba580e1828744f897ab451d9c2b8