From 56325e4eaf8fb77bb9c2d0f55daf853b8606ec19 Mon Sep 17 00:00:00 2001
From: eabdullin
Date: Thu, 4 Dec 2025 12:43:58 +0000
Subject: [PATCH] Import from AlmaLinux stable repository
---
...-ScanDeps-1.30-fix-parsing-of-use-if.patch | 31 ++++
...canDeps-1.30-replace-eval-constructs.patch | 139 ++++++++++++++++++
...canDeps-1.30-use-three-argument-open.patch | 20 +++
SPECS/perl-Module-ScanDeps.spec | 80 +++++++++-
4 files changed, 267 insertions(+), 3 deletions(-)
create mode 100644 SOURCES/Module-ScanDeps-1.30-fix-parsing-of-use-if.patch
create mode 100644 SOURCES/Module-ScanDeps-1.30-replace-eval-constructs.patch
create mode 100644 SOURCES/Module-ScanDeps-1.30-use-three-argument-open.patch
diff --git a/SOURCES/Module-ScanDeps-1.30-fix-parsing-of-use-if.patch b/SOURCES/Module-ScanDeps-1.30-fix-parsing-of-use-if.patch
new file mode 100644
index 0000000..0eaac8f
--- /dev/null
+++ b/SOURCES/Module-ScanDeps-1.30-fix-parsing-of-use-if.patch
@@ -0,0 +1,31 @@
+From 90476aae7c2b5ef7d94ac1b22672ca8dc4adae20 Mon Sep 17 00:00:00 2001
+From: rschupp
+Date: Thu, 14 Nov 2024 23:09:10 +0100
+Subject: [PATCH] fix parsing of "use if ..."
+
+---
+ lib/Module/ScanDeps.pm | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/lib/Module/ScanDeps.pm
++++ b/lib/Module/ScanDeps.pm
+@@ -874,7 +874,7 @@ sub scan_line {
+ }
+ }
+
+- if (my ($pragma, $args) = /^use \s+ (autouse|if) \s+ (.+)/x)
++ if (my ($pragma, $args) = /^(?:use|no) \s+ (autouse|if) \s+ (.+)/x)
+ {
+ # NOTE: There are different ways the MODULE may
+ # be specified for the "autouse" and "if" pragmas, e.g.
+@@ -887,7 +887,9 @@ sub scan_line {
+ else {
+ # The syntax of the "if" pragma is
+ # use if COND, MODULE => ARGUMENTS
+- (undef, $module) = _parse_module_list($args);
++ # NOTE: This works only for simple conditions.
++ $args =~ s/.*? (?:,|=>) \s*//x;
++ ($module) = _parse_module_list($args);
+ }
+ $found{_mod2pm($pragma)}++;
+ $found{_mod2pm($module)}++ if $module;
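Review bot: The added comment `NOTE: This works only for simple conditions.` in the `else` branch of scan_line does not say what happens otherwise. `s/.*? (?:,|=>) \s*//x` cuts at the first comma or `=>`, so a COND that itself contains one leaves part of the condition in `$args`, and `_parse_module_list` then returns a word from COND instead of MODULE. That records a bogus entry in `%found` and silently misses the real dependency. I would spell this out, e.g. `# NOTE: COND is cut at its first "," or "=>"; a condition containing either yields the wrong MODULE.`, and add a test line covering that case. scan_line starts and ends outside both hunks.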
diff --git a/SOURCES/Module-ScanDeps-1.30-replace-eval-constructs.patch b/SOURCES/Module-ScanDeps-1.30-replace-eval-constructs.patch
new file mode 100644
index 0000000..7be04f1
--- /dev/null
+++ b/SOURCES/Module-ScanDeps-1.30-replace-eval-constructs.patch
@@ -0,0 +1,139 @@ +From bc57e5072fc7ace1d206246999dd852652939335 Mon Sep 17 00:00:00 2001 +From: rschupp +Date: Mon, 21 Oct 2024 14:08:01 +0200 +Subject: [PATCH] replace 'eval "..."' constructs + +--- + lib/Module/ScanDeps.pm | 122 ++++++++++++++++++++++++++--------------- + 1 file changed, 78 insertions(+), 44 deletions(-) + +--- a/lib/Module/ScanDeps.pm ++++ b/lib/Module/ScanDeps.pm +@@ -880,41 +880,26 @@ sub scan_line { + # be specified for the "autouse" and "if" pragmas, e.g. + # use autouse Module => qw(func1 func2); + # use autouse "Module", qw(func1); +- # To avoid to parse them ourself, we simply try to eval the +- # string after the pragma (in a list context). The MODULE +- # should be the first ("autouse") or second ("if") element +- # of the list. + my $module; +- { +- no strict; no warnings; +- if ($pragma eq "autouse") { +- ($module) = eval $args; +- } +- else { +- # The syntax of the "if" pragma is +- # use if COND, MODULE => ARGUMENTS +- # The COND may contain undefined functions (i.e. undefined +- # in Module::ScanDeps' context) which would throw an +- # exception. Sneak "1 || " in front of COND so that +- # COND will not be evaluated. This will work in most +- # cases, but there are operators with lower precedence +- # than "||" which will cause this trick to fail. 
+- (undef, $module) = eval "1 || $args"; +- } +- # punt if there was a syntax error +- return if $@ or !defined $module; +- }; +- $module =~ s{::}{/}g; +- $found{"$pragma.pm"}++; +- $found{"$module.pm"}++; ++ if ($pragma eq "autouse") { ++ ($module) = _parse_module_list($args); ++ } ++ else { ++ # The syntax of the "if" pragma is ++ # use if COND, MODULE => ARGUMENTS ++ (undef, $module) = _parse_module_list($args); ++ } ++ $found{_mod2pm($pragma)}++; ++ $found{_mod2pm($module)}++ if $module; + next CHUNK; + } + +- if (my ($how, $libs) = /^(use \s+ lib \s+ | (?:unshift|push) \s+ \@INC \s+ ,) (.+)/x) ++ if (my ($how, $libs) = /^(use \s+ lib \s+ | (?:unshift|push) \s+ \@INC \s*,\s*) (.+)/x) + { + my $archname = defined($Config{archname}) ? $Config{archname} : ''; + my $ver = defined($Config{version}) ? $Config{version} : ''; +- foreach my $dir (do { no strict; no warnings; eval $libs }) { ++ while ((my $dir, $libs) = _parse_libs($libs)) ++ { + next unless defined $dir; + my @dirs = $dir; + push @dirs, "$dir/$ver", "$dir/$archname", "$dir/$ver/$archname" +@@ -932,6 +917,72 @@ sub scan_line { + return sort keys %found; + } + ++# convert module name to file name ++sub _mod2pm { ++ my $mod = shift; ++ $mod =~ s!::!/!g; ++ return "$mod.pm"; ++} ++ ++# parse a comma-separated list of module names (as string literals or qw() lists) ++sub _parse_module_list { ++ my $list = shift; ++ ++ # split $list on anything that's not a word character or ":" ++ # and ignore "q", "qq" and "qw" ++ return grep { length and !/^:|^q[qw]?$/ } split(/[^\w:]+/, $list); ++} ++ ++# incrementally parse a comma separated list library paths: ++# returning a pair: the contents of the first strings literal and the remainder of the string ++# - for "string", 'string', q/string/, qq/string/ also unescape \\ and \) ++# - for qw(foo bar quux) return ("foo", qw(bar quux)) ++# - otherwise skip over the first comma and return (undef, "remainder") ++# - return () if the string is exhausted ++# - as a special 
case, if the string starts with $FindBin::Bin, replace it with our $Bin ++sub _parse_libs { ++ local $_ = shift; ++ ++ s/^[\s,]*//; ++ return if $_ eq ""; ++ ++ if (s/^(['"]) ((?:\\.|.)*?) \1//x) { ++ return (_unescape($1, $2), $_); ++ } ++ if (s/^qq? \s* (\W)//x) { ++ my $opening_delim = $1; ++ (my $closing_delim = $opening_delim) =~ tr:([{<:)]}>:; ++ s/^((?:\\.|.)*?) \Q$closing_delim\E//x; ++ return (_unescape($opening_delim, $1), $_); ++ } ++ ++ if (s/^qw \s* (\W)//x) { ++ my $opening_delim = $1; ++ (my $closing_delim = $opening_delim) =~ tr:([{<:)]}>:; ++ s/^((?:\\.|.)*?) \Q$closing_delim\E//x; ++ my $contents = $1; ++ my @list = split(" ", $contents); ++ return (undef, $_) unless @list; ++ my $first = shift @list; ++ return (_unescape($opening_delim, $first), ++ @list ? "qw${opening_delim}@list${closing_delim}$_" : $_); ++ } ++ ++ # nothing recognizable in the first list item, skip to the next ++ if (s/^.*? ,//x) { ++ return (undef, $_); ++ } ++ return; # list exhausted ++} ++ ++sub _unescape { ++ my ($delim, $str) = @_; ++ $str =~ s/\\([\\\Q$delim\E])/$1/g; ++ $str =~ s/^\$FindBin::Bin\b/$FindBin::Bin/; ++ ++ return $str; ++} ++ + # short helper for scan_chunk + my %LoaderRegexp; # cache + sub _build_loader_regexp { diff --git a/SOURCES/Module-ScanDeps-1.30-use-three-argument-open.patch b/SOURCES/Module-ScanDeps-1.30-use-three-argument-open.patch new file mode 100644 index 0000000..13cdd73 --- /dev/null +++ b/SOURCES/Module-ScanDeps-1.30-use-three-argument-open.patch 
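Review bot: In `_parse_libs` (replace-eval-constructs.patch), both the `qq?` branch and the `qw` branch read `$1` after `s/^((?:\\.|.)*?) \Q$closing_delim\E//x` without checking that the substitution matched. On an unterminated literal the match fails and `$1` still holds the opening delimiter captured by the preceding `s///`. That character is then returned as a library directory, and the unparsed remainder goes back into the `while` loop in scan_line. Since this patch exists to treat scanned source purely as data, malformed input should end the list instead: `s/^((?:\\.|.)*?) \Q$closing_delim\E//x or return;` in both branches. Separately, `_unescape` replaces a leading `$FindBin::Bin` even for single-quoted and `q` literals, where Perl would not interpolate; a one-line comment saying this over-approximation is intended would help.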
@@ -0,0 +1,20 @@ +From 9a46eab1c78656386ba9d18bc4b341f4b2561635 Mon Sep 17 00:00:00 2001 +From: rschupp +Date: Mon, 21 Oct 2024 14:03:19 +0200 +Subject: [PATCH] use three-argument open() + +--- + lib/Module/ScanDeps.pm | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/lib/Module/ScanDeps.pm ++++ b/lib/Module/ScanDeps.pm +@@ -810,7 +810,7 @@ sub scan_file{ + my $file = shift; + my %found; + my $FH; +- open $FH, $file or die "Cannot open $file: $!"; ++ open $FH, "<", $file or die "Cannot open $file: $!"; + + $SeenTk = 0; + # Line-by-line scanning diff --git a/SPECS/perl-Module-ScanDeps.spec b/SPECS/perl-Module-ScanDeps.spec index 633994e..f061584 100644 --- a/SPECS/perl-Module-ScanDeps.spec +++ b/SPECS/perl-Module-ScanDeps.spec @@ -1,18 +1,24 @@ -# Run prefork optional test +# Run prefork and optional test %if ! (0%{?rhel}) %{bcond_without perl_Module_ScanDeps_enables_prefork} +%{bcond_without perl_Module_ScanDeps_enables_optional_tests} %else %{bcond_with perl_Module_ScanDeps_enables_prefork} +%{bcond_with perl_Module_ScanDeps_enables_optional_tests} %endif Name: perl-Module-ScanDeps Summary: Recursively scan Perl code for dependencies Version: 1.30 -Release: 5%{?dist} +Release: 6%{?dist} License: GPL+ or Artistic URL: https://metacpan.org/release/Module-ScanDeps Source0: https://cpan.metacpan.org/authors/id/R/RS/RSCHUPP/Module-ScanDeps-%{version}.tar.gz BuildArch: noarch +# Fixed CVE-2024-10224, in upstream since 1.36 +Patch1: Module-ScanDeps-1.30-use-three-argument-open.patch +Patch2: Module-ScanDeps-1.30-replace-eval-constructs.patch +Patch3: Module-ScanDeps-1.30-fix-parsing-of-use-if.patch BuildRequires: coreutils BuildRequires: make BuildRequires: perl-generators 
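Review bot: The three-argument `open` in scan_file (use-three-argument-open.patch) carries no comment or test recording why the mode is explicit, so a later cleanup could fold it back into the two-argument form. With two arguments Perl takes mode characters and a leading or trailing `|` from `$file` itself, and `$file` is presumably the path of whatever is being scanned. I would add `# three-arg open: $file is only ever a path, never a mode or pipe spec` above the call, plus a regression test using a file name that contains such characters. scan_file continues outside the hunk.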
@@ -57,6 +63,7 @@ BuildRequires: perl(Net::FTP) BuildRequires: perl(Test::More) BuildRequires: perl(Test::Requires) # Optional tests: +%if %{with perl_Module_ScanDeps_enables_optional_tests} BuildRequires: perl(Module::Pluggable) %if !%{defined perl_bootstrap} && %{with perl_Module_ScanDeps_enables_prefork} # Cycle: perl-Module-ScanDeps → perl-prefork → perl-Perl-MinimumVersion @@ -66,7 +73,7 @@ BuildRequires: perl(Module::Pluggable) BuildRequires: perl(prefork) %endif BuildRequires: perl(Test::Pod) >= 1.00 -Requires: perl(:MODULE_COMPAT_%(eval "$(perl -V:version)"; echo $version)) +%endif Requires: perl(B) Requires: perl(DynaLoader) Requires: perl(Data::Dumper) 
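Review bot: The hunk at -66,7 removes `Requires: perl(:MODULE_COMPAT_%(eval "$(perl -V:version)"; echo $version))` in the same edit that adds the closing `%endif`, and neither the changelog entry nor a comment mentions it. If that dependency is now generated automatically, a one-line comment saying so would make the removal reviewable. If it was dropped by accident while wrapping the optional-test BuildRequires, it should be restored after the `%endif`. The visible lines do not show which of the two applies.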
@@ -78,13 +85,52 @@ Recommends: perl(Digest::MD5) Recommends: perl(Storable) Suggests: perl(CPANPLUS::Backend) +# Filter modules bundled for tests +%global __provides_exclude_from %{?__provides_exclude_from:%__provides_exclude_from|}^%{_libexecdir}/%{name} +%global __requires_exclude_from %{?__requires_exclude_from:%__requires_exclude_from|}^%{_libexecdir}/%{name}/t/data +%global __requires_exclude %{?__requires_exclude:%__requires_exclude|}^perl\\(Utils\\) +%if %{defined perl_bootstrap} || %{without perl_Module_ScanDeps_enables_prefork} +%global __requires_exclude %{?__requires_exclude:%__requires_exclude|}^perl\\(prefork\\) +%endif + %description This module scans potential modules used by perl programs and returns a hash reference. Its keys are the module names as they appear in %%INC (e.g. Test/More.pm). The values are hash references. +%package tests +Summary: Tests for %{name} +Requires: %{name} = %{?epoch:%{epoch}:}%{version}-%{release} +Requires: perl-Test-Harness +Requires: perl(AutoLoader) +Requires: perl(autouse) +Requires: perl(Carp) +Requires: perl(if) +Requires: perl(less) +Requires: perl(Net::FTP) +# Optional tests: +%if %{with perl_Module_ScanDeps_enables_optional_tests} +Requires: perl(Module::Pluggable) +%if !%{defined perl_bootstrap} && %{with perl_Module_ScanDeps_enables_prefork} +Requires: perl(prefork) +%endif +%endif + +%description tests +Tests from %{name}. Execute them +with "%{_libexecdir}/%{name}/test". + %prep %setup -q -n Module-ScanDeps-%{version} +%patch -P1 -p1 +%patch -P2 -p1 +%patch -P3 -p1 + +# Help file to recognise the Perl scripts +for F in `find t -name *.t -o -name *.pl`; do + perl -i -MConfig -ple 'print $Config{startperl} if $. == 1 && !s{\A#!.*perl\b}{$Config{startperl}}' "$F" + chmod +x "$F" +done %build perl Makefile.PL INSTALLDIRS=vendor NO_PACKLIST=1 NO_PERLLOCAL=1 
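Review bot: In the `%prep` loop, `find t -name *.t -o -name *.pl` leaves both patterns unquoted, so the shell expands them before `find` runs if any matching file exists in the top-level build directory. The backtick substitution also splits the results on whitespace. Quote the patterns and use the `$( )` form: `for F in $(find t -name '*.t' -o -name '*.pl'); do`. This matters because the loop rewrites shebang lines and sets the executable bit on whatever it is handed.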
@@ -94,7 +140,27 @@ perl Makefile.PL INSTALLDIRS=vendor NO_PACKLIST=1 NO_PERLLOCAL=1 %{make_install} %{_fixperms} %{buildroot} +# Install tests +mkdir -p %{buildroot}%{_libexecdir}/%{name} +cp -a t %{buildroot}%{_libexecdir}/%{name} +rm -f %{buildroot}%{_libexecdir}/%{name}/t/0-pod.t +perl -i -pe 's{ "-Mblib",}{}' %{buildroot}%{_libexecdir}/%{name}/t/19-autosplit.t +cat > %{buildroot}%{_libexecdir}/%{name}/test << 'EOF' +#!/bin/bash +set -e +# Some tests write into temporary files/directories. The easiest solution +# is to copy the tests into a writable directory and execute them from there. +DIR=$(mktemp -d) +pushd "$DIR" +cp -a %{_libexecdir}/%{name}/* ./ +prove -I . -j "$(getconf _NPROCESSORS_ONLN)" +popd +rm -rf "$DIR" +EOF +chmod +x %{buildroot}%{_libexecdir}/%{name}/test + %check +export HARNESS_OPTIONS=j$(perl -e 'if ($ARGV[0] =~ /.*-j([0-9][0-9]*).*/) {print $1} else {print 1}' -- '%{?_smp_mflags}') make test %files @@ -105,7 +171,15 @@ make test %{_mandir}/man1/scandeps.pl.1* %{_mandir}/man3/Module::ScanDeps.3pm* +%files tests +%{_libexecdir}/%{name} + %changelog +* Fri Nov 22 2024 Jitka Plesnikova - 1.30-6 +- Resolves: RHEL-68282 +- Fix CVE-2024-10224 +- Package tests + * Mon Aug 09 2021 Mohan Boddu - 1.30-5 - Rebuilt for IMA sigs, glibc 2.34, aarch64 flags Related: rhbz#1991688
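Review bot: The generated `test` script runs under `set -e`, so a failing `prove` exits before `rm -rf "$DIR"` is reached and the copied tests stay behind in the temporary directory. Register the cleanup right after the directory is created, `trap 'rm -rf "$DIR"' EXIT`, and drop the trailing `rm -rf "$DIR"`. The `pushd`/`popd` pair can then become a plain `cd "$DIR"`.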