Update to 2.93

- New upstream release 2.93
  - Changed the number detection logic (experimental)
  - Correct 0 handling (GH#23)
  - Removed base.pm dependency (GH#5)
  - Fixed wrong character offset (CPAN RT#116998)
  - Address VAX issues (CPAN RT#118469)
  - Various documentation fixes
  - Remove . in @INC in json_pp (GH#25, CVE-2016-1238)
  - Removed $VAR1 from json_pp output (GH#11)
  - Fixed an issue to ignore trailing 0 (GH#29)
  - Added Scalar::Util dependency for Perl 5.8+ (CPAN RT#84347)
  - Fixed issues spotted by Nicolas Seriot's JSON Test Suite including
    experimental UTF-16/32 support and backward incompatible change of
    C style comment handling (now disabled by default) (GH#28)
  - Moved the guts of JSON::PP::Boolean into lib/JSON/PP/Boolean.pm and gave
    it a proper version
  - Refactored incremental parser to let it handle incomplete JSON text
    properly
  - Imported and tweaked tests from JSON.pm
  - Minor code clean up
  - Fixed not to fail tests under Perl 5.25.* (CPAN RT#119114)
  - Reworked documentation, based on the one for JSON::XS
  - Let json_pp utility show the version of JSON::PP
  - Fix loading order of B module (GH#31)
  - Fixed isa tests for bignum
- This release by ISHIGAKI → update source URL
- Use five-digit version number for rpm to maintain upgrade path
- Drop EL-5 support
  - Drop BuildRoot: and Group: tags
  - Drop explicit buildroot cleaning in %install section
  - Drop explicit %clean section
Paul Howarth 2017-05-17 10:29:19 +01:00
parent 9fd37210c6
commit 0b943e032f
3 changed files with 63 additions and 80 deletions


@ -1,59 +0,0 @@
From 869cca1a100a1081676f17a3af95457fc3f146cb Mon Sep 17 00:00:00 2001
From: Tony Cook <tony@develop-help.com>
Date: Thu, 28 Jul 2016 11:16:43 +1000
Subject: [PATCH] CVE-2016-1238: avoid loading optional modules from default .
JSON::PP treats Scalar::Util as optional and may load Encode, which
treats Encode::ConfigLocal as optional.
With the default . in @INC, and if Encode::ConfigLocal is not in
the default locations, an attacker can create for example
/tmp/Encode/ConfigLocal.pm, and if a process using JSON::PP is started
from /tmp, perl will run the attacker's code.
The change to json_pp is purely precautionary.
The changes to JSON:PP were not included in the recent security patches
since Scalar::Util is always available, and Encode was patched to
prevent the problem there.
---
bin/json_pp | 1 +
lib/JSON/PP.pm | 4 ++++
2 files changed, 5 insertions(+)
diff --git a/bin/json_pp b/bin/json_pp
index 3362dec..39bed4d 100644
--- a/bin/json_pp
+++ b/bin/json_pp
@@ -1,5 +1,6 @@
#!/usr/bin/perl
+BEGIN { pop @INC if $INC[-1] eq '.' }
use strict;
use Getopt::Long;
diff --git a/lib/JSON/PP.pm b/lib/JSON/PP.pm
index 2d27e78..555f6fc 100644
--- a/lib/JSON/PP.pm
+++ b/lib/JSON/PP.pm
@@ -1271,6 +1271,8 @@ sub _decode_unicode {
BEGIN {
unless ( defined &utf8::is_utf8 ) {
+ local @INC = @INC;
+ pop @INC if $INC[-1] eq '.';
require Encode;
*utf8::is_utf8 = *Encode::is_utf8;
}
@@ -1332,6 +1334,8 @@ BEGIN {
#
BEGIN {
+ local @INC = @INC;
+ pop @INC if $INC[-1] eq '.';
eval 'require Scalar::Util';
unless($@){
*JSON::PP::blessed = \&Scalar::Util::blessed;
--
2.1.4
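Review bot: dropping this patch file is only fully justified if upstream 2.93 covers all three of its hunks, and the commit message cites upstream only for the json_pp part ("Remove . in @INC in json_pp (GH#25, CVE-2016-1238)"). The patch also guarded the two BEGIN blocks in lib/JSON/PP.pm that `require Encode` and `eval 'require Scalar::Util'` with a trailing-`.` strip of a localized @INC; the patch's own description says those were left out of the core security fixes because Encode was patched separately and Scalar::Util is always available, and this spec now makes `perl(Scalar::Util) >= 1.08` a hard Requires, so the Scalar::Util path is covered. Please confirm in the 2.93 source that the Encode fallback is either gone or still strips `.`, and say so in the changelog so the CVE-2016-1238 trail is not lost with the patch.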


@ -1,14 +1,17 @@
# Need to stick with five digit version numbers until 3.x, to maintain upgrade path
%global cpan_version 2.93
%global five_digit_version %(LC_ALL=C; printf '%.5f' '%{cpan_version}')
# Need to tweak provides differently if we don't have rpm ≥ 4.9
%global rpm49 %(rpm --version | perl -p -e 's/^.* (\\d+)\\.(\\d+).*/sprintf("%d.%03d",$1,$2) ge 4.009 ? 1 : 0/e' 2>/dev/null || echo 0)
Name: perl-JSON-PP Name: perl-JSON-PP
Version: 2.27400 Version: %{five_digit_version}
Release: 5%{?dist} Release: 1%{?dist}
Summary: JSON::XS compatible pure-Perl module Summary: JSON::XS compatible pure-Perl module
License: GPL+ or Artistic License: GPL+ or Artistic
Group: Development/Libraries
URL: http://search.cpan.org/dist/JSON-PP/ URL: http://search.cpan.org/dist/JSON-PP/
Source0: http://search.cpan.org/CPAN/authors/id/M/MA/MAKAMAKA/JSON-PP-%{version}.tar.gz Source0: http://search.cpan.org/CPAN/authors/id/I/IS/ISHIGAKI/JSON-PP-%{cpan_version}.tar.gz
# Avoid loading optional modules from default . (CVE-2016-1238)
Patch0: JSON-PP-2.27400-CVE-2016-1238-avoid-loading-optional-modules-from-de.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(id -nu)
BuildArch: noarch BuildArch: noarch
# Module Build # Module Build
BuildRequires: coreutils BuildRequires: coreutils
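Review bot: the `%global rpm49` shell-out only falls back to 0 when the pipeline's last command (perl) fails; if `rpm --version` ever printed a line the `s/^.* (\d+)\.(\d+).*/.../e` substitution does not match, `perl -p` would echo that line unchanged and `%if ! %{rpm49}` in %prep would then fail to parse rather than take the old-rpm branch. Consider forcing the output into {0,1}, for example by appending `$_ = "0\n" unless /^[01]$/;` to the perl one-liner, or by guarding with `%{?rpm49}`. The `LC_ALL=C; printf '%.5f'` for five_digit_version is the right way to get 2.93000 regardless of locale decimal separator, and the Source0 move to the ISHIGAKI CPAN path matches the upstream maintainer change in the commit message.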
@ -19,8 +22,6 @@ BuildRequires: perl-generators
BuildRequires: perl(ExtUtils::MakeMaker) BuildRequires: perl(ExtUtils::MakeMaker)
BuildRequires: perl(lib) BuildRequires: perl(lib)
# Module Runtime # Module Runtime
BuildRequires: perl(B)
BuildRequires: perl(base)
BuildRequires: perl(bytes) BuildRequires: perl(bytes)
BuildRequires: perl(Carp) BuildRequires: perl(Carp)
BuildRequires: perl(constant) BuildRequires: perl(constant)
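Review bot: removing `BuildRequires: perl(base)` matches "Removed base.pm dependency (GH#5)" in the commit message, but the same message also lists "Fix loading order of B module (GH#31)", which implies JSON::PP still loads B. Please confirm whether dropping `BuildRequires: perl(B)` is intentional (for instance if 2.93 loads B only lazily and the tests no longer exercise it); otherwise %check could fail in a minimal buildroot that does not pull in perl(B), and a comment explaining the drop would help the next updater.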
@ -29,10 +30,10 @@ BuildRequires: perl(Exporter)
BuildRequires: perl(Math::BigFloat) BuildRequires: perl(Math::BigFloat)
BuildRequires: perl(Math::BigInt) BuildRequires: perl(Math::BigInt)
BuildRequires: perl(overload) BuildRequires: perl(overload)
BuildRequires: perl(Scalar::Util) BuildRequires: perl(Scalar::Util) >= 1.08
BuildRequires: perl(strict) BuildRequires: perl(strict)
BuildRequires: perl(subs)
BuildRequires: perl(utf8) BuildRequires: perl(utf8)
BuildRequires: perl(warnings)
# Script Runtime # Script Runtime
BuildRequires: perl(Data::Dumper) BuildRequires: perl(Data::Dumper)
BuildRequires: perl(Getopt::Long) BuildRequires: perl(Getopt::Long)
@ -51,11 +52,16 @@ Requires: perl(Data::Dumper)
Requires: perl(Encode) Requires: perl(Encode)
Requires: perl(Math::BigFloat) Requires: perl(Math::BigFloat)
Requires: perl(Math::BigInt) Requires: perl(Math::BigInt)
Requires: perl(Scalar::Util) Requires: perl(Scalar::Util) >= 1.08
Requires: perl(subs)
Requires: perl(utf8) Requires: perl(utf8)
Conflicts: perl-JSON < 2.50 Conflicts: perl-JSON < 2.50
# Provide the five-digit version of the module
%if "%{cpan_version}" != "%{five_digit_version}"
Provides: perl(JSON::PP) = %{five_digit_version}
%global __provides_exclude ^perl\\(JSON::PP\\)
%endif
%description %description
JSON::XS is the fastest and most proper JSON module on CPAN. It is written by JSON::XS is the fastest and most proper JSON module on CPAN. It is written by
Marc Lehmann in C, so must be compiled and installed in the used environment. Marc Lehmann in C, so must be compiled and installed in the used environment.
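Review bot: the `__provides_exclude ^perl\\(JSON::PP\\)` regex is anchored on the closing parenthesis, so it filters only the auto-generated two-digit `perl(JSON::PP) = 2.93` and leaves `perl(JSON::PP::Boolean)` alone, which matters now that the commit message says Boolean has been moved into its own file and "given a proper version". That is the correct behaviour, but it is subtle enough to deserve a comment next to the macro, and the same care applies to the sed filter `/^perl(JSON::PP)/d` used for the pre-4.9 rpm path in %prep so the two filters stay equivalent if either is edited.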
@ -63,25 +69,28 @@ Marc Lehmann in C, so must be compiled and installed in the used environment.
JSON::PP is a pure-Perl module and is compatible with JSON::XS. JSON::PP is a pure-Perl module and is compatible with JSON::XS.
%prep %prep
%setup -q -n JSON-PP-%{version} %setup -q -n JSON-PP-%{cpan_version}
%patch0 -p1
# Don't provide less than five-digit version of the module (prior to rpm 4.9)
%if ! %{rpm49}
%if "%{cpan_version}" != "%{five_digit_version}"
%global perl_prov /bin/sh -c "%{__perl_provides} | sed -e '/^perl(JSON::PP)/d'"
%global __perl_provides %{perl_prov}
%endif
%endif
%build %build
perl Makefile.PL INSTALLDIRS=vendor perl Makefile.PL INSTALLDIRS=vendor
make %{?_smp_mflags} make %{?_smp_mflags}
%install %install
rm -rf %{buildroot}
make pure_install DESTDIR=%{buildroot} make pure_install DESTDIR=%{buildroot}
find %{buildroot} -type f -name .packlist -delete find %{buildroot} -type f -name .packlist -delete
%{_fixperms} %{buildroot} %{_fixperms} -c %{buildroot}
%check %check
make test make test
%clean
rm -rf %{buildroot}
%files %files
%doc Changes README %doc Changes README
%{_bindir}/json_pp %{_bindir}/json_pp
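Review bot: the nested `%if ! %{rpm49}` / `%if "%{cpan_version}" != "%{five_digit_version}"` block in %prep redefines `__perl_provides` through the intermediate `perl_prov` macro; since `%global` expands its body at definition time, `perl_prov` captures the original `%{__perl_provides}` path and there is no self-reference, but a one-line comment saying so would save the next reader from checking. Dropping `%patch0 -p1` is consistent with the removal of the Patch0 line and of the patch file, and removing `rm -rf %{buildroot}` from %install together with the %clean section is fine once EL-5 is no longer a target, as the changelog states.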
@ -91,6 +100,39 @@ rm -rf %{buildroot}
%{_mandir}/man3/JSON::PP::Boolean.3* %{_mandir}/man3/JSON::PP::Boolean.3*
%changelog %changelog
* Wed May 17 2017 Paul Howarth <paul@city-fan.org> - 2.93000-1
- Update to 2.93
- Changed the number detection logic (experimental)
- Correct 0 handling (GH#23)
- Removed base.pm dependency (GH#5)
- Fixed wrong character offset (CPAN RT#116998)
- Address VAX issues (CPAN RT#118469)
- Various documentation fixes
- Remove . in @INC in json_pp (GH#25, CVE-2016-1238)
- Removed $VAR1 from json_pp output (GH#11)
- Fixed an issue to ignore trailing 0 (GH#29)
- Added Scalar::Util dependency for Perl 5.8+ (CPAN RT#84347)
- Fixed issues spotted by Nicolas Seriot's JSON Test Suite including
experimental UTF-16/32 support and backward incompatible change of
C style comment handling (now disabled by default) (GH#28)
- Moved the guts of JSON::PP::Boolean into lib/JSON/PP/Boolean.pm and gave
it a proper version
- Refactored incremental parser to let it handle incomplete JSON text
properly
- Imported and tweaked tests from JSON.pm
- Minor code clean up
- Fixed not to fail tests under Perl 5.25.* (CPAN RT#119114)
- Reworked documentation, based on the one for JSON::XS
- Let json_pp utility show the version of JSON::PP
- Fix loading order of B module (GH#31)
- Fixed isa tests for bignum
- This release by ISHIGAKI update source URL
- Use five-digit version number for rpm to maintain upgrade path
- Drop EL-5 support
- Drop BuildRoot: and Group: tags
- Drop explicit buildroot cleaning in %%install section
- Drop explicit %%clean section
* Sat Feb 11 2017 Fedora Release Engineering <releng@fedoraproject.org> - 2.27400-5 * Sat Feb 11 2017 Fedora Release Engineering <releng@fedoraproject.org> - 2.27400-5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild - Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
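Review bot: the changelog line "This release by ISHIGAKI update source URL" lost the arrow that the commit message has ("This release by ISHIGAKI → update source URL"), so the cause-and-effect reading is gone; if the arrow was dropped to keep the spec ASCII-only, "This release by ISHIGAKI: update source URL" keeps the meaning. The `%%install` and `%%clean` escapes in the changelog are correct, and the 2.93000-1 release tag agrees with the `printf '%.5f'` expansion of cpan_version.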


@ -1 +1 @@
544b03d04d141d66cc27c8b9f835195f JSON-PP-2.27400.tar.gz SHA512 (JSON-PP-2.93.tar.gz) = e4d798c76044e486c7e3ca23a12803e7bfc5777550b98252e29ebb4361ee10a80b4edddc019f3421261893163fb026d18707ba580e1828744f897ab451d9c2b8
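Review bot: the sources file switches from the bare md5 format to the `SHA512 (file) = hash` format at the same time as the tarball changes, which is a welcome hardening of the source verification but is not mentioned anywhere in the commit message or changelog; a short note ("sources: switch to SHA512 checksums") would make the change discoverable in the history.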