5 changed files with 90 additions and 96 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1 +1,6 @@
-SOURCES/XML-Parser-2.44.tar.gz
+XML-Parser-2.36.tar.gz
 /XML-Parser-2.40.tar.gz
 /XML-Parser-2.41.tar.gz
 /XML-Parser-2.43.tar.gz
 /XML-Parser-2.44.tar.gz
 /XML-Parser-2.46.tar.gz
--- a/.perl-XML-Parser.metadata
+++ b/.perl-XML-Parser.metadata
@ -1 +0,0 @@
 0ab6b932713ec1f9927a1b1c619b6889a5c12849 SOURCES/XML-Parser-2.44.tar.gz
--- a/SOURCES/XML-Parser-2.44_01-Fix-a-buffer-overwrite-in-parse_stream.patch
+++ b/SOURCES/XML-Parser-2.44_01-Fix-a-buffer-overwrite-in-parse_stream.patch
@ -1,64 +0,0 @@
 From 53e71571fc0b1f8dbad5f7ff6e9eeeb233496c13 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
 Date: Thu, 13 Dec 2018 13:05:07 +0100
 Subject: [PATCH] Fix a buffer overwrite in parse_stream()
 The parse_stream() function allocates BUFSIZE-byte long output buffer. Then it
 reads a string using PerlIO's read() with a maximal string length tsiz=BUFSIZE
 characters into a temporary buffer. And then it retrieves a length of the string
 in the temporary buffer in bytes and copies the strings from the temporary
 buffer to the output buffer.
 While it works for byte-stream file handles, when using UTF-8 handles, length
 in bytes can be greater than length in characters, thus the temporary buffer
 can contain more bytes than the size of the output buffer and we have a buffer
 overwrite. This corrupts memory, especially metadata for libc memory
 management and subsequent free() aborts with "free(): invalid next size
 (normal)".
 Minimal reproducer: Execute this code with an UTF-8 encoded file with non-ASCII
 charcters on the standard input:
 use XML::XPath;
 use open ':std', ':encoding(UTF-8)';
 my $xpath = XML::XPath->new(ioref => \*STDIN);
 $xpath->find('/');
 https://bugzilla.redhat.com/show_bug.cgi?id=1473368
 https://bugzilla.redhat.com/show_bug.cgi?id=1658512
 ---
 Expat/Expat.xs | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)
 diff --git a/Expat/Expat.xs b/Expat/Expat.xs
 index ed66531..dbad380 100644
 --- a/Expat/Expat.xs
 +++ b/Expat/Expat.xs
@@ -343,8 +343,8 @@ parse_stream(XML_Parser parser, SV * ioref)
   }
   else {
     tbuff = newSV(0);
 -    tsiz = newSViv(BUFSIZE);
 -    buffsize = BUFSIZE;
 +    tsiz = newSViv(BUFSIZE); /* in UTF-8 characters */
 +    buffsize = BUFSIZE * 6; /* in bytes that encode an UTF-8 string */
   }
   while (! done)
@@ -386,9 +386,11 @@ parse_stream(XML_Parser parser, SV * ioref)
 	  croak("read error");
 	tb = SvPV(tbuff, br);
 -	if (br > 0)
 +	if (br > 0) {
 +	  if (br > buffsize)
 +	    croak("The input buffer is not large enough for read UTF-8 decoded string");
 	  Copy(tb, buffer, br, char);
 -	else
 +	} else
 	  done = 1;
 	PUTBACK ;
 -- 
 2.18.1
--- a/SPECS/perl-XML-Parser.spec
+++ b/SPECS/perl-XML-Parser.spec
@ -1,37 +1,46 @@
 Name:           perl-XML-Parser
-Version:        2.44
+Version:        2.46
-Release:        11%{?dist}
+Release:        9%{?dist}
 Summary:        Perl module for parsing XML documents
 Group:          Development/Libraries
 License:        GPL+ or Artistic
-Url:            http://search.cpan.org/dist/XML-Parser/
+Url:            https://metacpan.org/release/XML-Parser
-Source0:        http://search.cpan.org/CPAN/authors/id/T/TO/TODDR/XML-Parser-%{version}.tar.gz
+Source0:        https://cpan.metacpan.org/authors/id/T/TO/TODDR/XML-Parser-%{version}.tar.gz
 # Fix a buffer overwrite in parse_stream() with wide characters on the standard
 # input, bug #1658512, CPAN RT#128006
 Patch0:         XML-Parser-2.44_01-Fix-a-buffer-overwrite-in-parse_stream.patch
 # Build
 BuildRequires:  coreutils
 BuildRequires:  expat-devel
 BuildRequires:  findutils
 BuildRequires:  gcc
 BuildRequires:  glibc-common
 BuildRequires:  make
 BuildRequires:  perl-devel
 BuildRequires:  perl-generators
-BuildRequires:  perl(Carp)
+BuildRequires:  perl-interpreter
 BuildRequires:  perl(Config)
 BuildRequires:  perl(Devel::CheckLib)
-BuildRequires:  perl(ExtUtils::MakeMaker)
+BuildRequires:  perl(English)
 BuildRequires:  perl(ExtUtils::MakeMaker) >= 6.76
 BuildRequires:  perl(lib)
 # Runtime
 BuildRequires:  perl(Carp)
 BuildRequires:  perl(FileHandle)
 BuildRequires:  perl(File::Spec)
 BuildRequires:  perl(if)
 BuildRequires:  perl(IO::File)
 BuildRequires:  perl(IO::Handle)
-BuildRequires:  perl(lib)
+# LWPExternEnt.pl script is loaded by Parser.pm
 BuildRequires:  perl(strict)
 BuildRequires:  perl(Test)
 BuildRequires:  perl(Test::More)
 BuildRequires:  perl(vars)
 BuildRequires:  perl(warnings)
 BuildRequires:  expat-devel
 # The script LWPExternEnt.pl is loaded by Parser.pm
 BuildRequires:  perl(LWP::UserAgent)
 BuildRequires:  perl(overload)
 BuildRequires:  perl(strict)
 BuildRequires:  perl(URI)
 BuildRequires:  perl(URI::file)
 BuildRequires:  perl(XSLoader)
 # Tests
 BuildRequires:  perl(if)
 BuildRequires:  perl(Test)
 BuildRequires:  perl(Test::More)
 BuildRequires:  perl(warnings)
 Requires:       perl(:MODULE_COMPAT_%(eval "`perl -V:version`"; echo $version))
 Requires:       perl(IO::File)
 Requires:       perl(IO::Handle)
@ -53,28 +62,26 @@ creation time.
 %prep
 %setup -q -n XML-Parser-%{version} 
 %patch0 -p1
 chmod 644 samples/{canonical,xml*}
-perl -pi -e 's|^#!/usr/local/bin/perl\b|#!%{__perl}|' samples/{canonical,xml*}
+perl -MConfig -pi -e 's|^#!/usr/local/bin/perl\b|$Config{startperl}|' samples/{canonical,xml*}
 # Remove bundled library
 rm -r inc
-sed -i -e '/^inc\// d' MANIFEST
+perl -i -ne 'print $_ unless m{^inc/}' MANIFEST
 %build
-CFLAGS="$RPM_OPT_FLAGS" perl Makefile.PL INSTALLDIRS=vendor
+perl Makefile.PL INSTALLDIRS=vendor NO_PACKLIST=1 NO_PERLLOCAL=1 OPTIMIZE="$RPM_OPT_FLAGS"
-make %{?_smp_mflags} OPTIMIZE="$RPM_OPT_FLAGS"
+%{make_build}
 %install
-make pure_install DESTDIR=$RPM_BUILD_ROOT
+%{make_install}
-find $RPM_BUILD_ROOT -type f -name .packlist -exec rm -f {} ';'
+find $RPM_BUILD_ROOT -type f -name '*.bs' -a -size 0 -delete
-find $RPM_BUILD_ROOT -type f -name '*.bs' -a -size 0 -exec rm -f {} ';'
+%{_fixperms} $RPM_BUILD_ROOT/*
 chmod -R u+w $RPM_BUILD_ROOT/*
 for file in samples/REC-xml-19980210.xml; do
  iconv -f iso-8859-1 -t utf-8 < "$file" > "${file}_"
  mv -f "${file}_" "$file"
-  sed -i -e "s/encoding='ISO-8859-1'/encoding='UTF-8'/" "$file"
+  perl -i -pe "s/encoding='ISO-8859-1'/encoding='UTF-8'/" "$file"
 done
 %check
@ -88,9 +95,55 @@ make test
 %changelog
-* Thu Dec 13 2018 Petr Pisar <ppisar@redhat.com> - 2.44-11
+* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 2.46-9
 - Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
  Related: rhbz#1991688
 * Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 2.46-8
 - Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
 * Wed Jan 27 2021 Fedora Release Engineering <releng@fedoraproject.org> - 2.46-7
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
 * Tue Jul 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2.46-6
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
 * Tue Jul 21 2020 Petr Pisar <ppisar@redhat.com> - 2.46-5
 - Modernize a spec file
 * Tue Jun 23 2020 Jitka Plesnikova <jplesnik@redhat.com> - 2.46-4
 - Perl 5.32 rebuild
 * Tue Mar 10 2020 Jitka Plesnikova <jplesnik@redhat.com> - 2.46-3
 - Specify all dependencies
 * Thu Jan 30 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2.46-2
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
 * Tue Sep 24 2019 Jitka Plesnikova <jplesnik@redhat.com> - 2.46-1
 - 2.46 bump
 * Fri Jul 26 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2.44-17
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
 * Fri May 31 2019 Jitka Plesnikova <jplesnik@redhat.com> - 2.44-16
 - Perl 5.30 rebuild
 * Sat Feb 02 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2.44-15
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
 * Thu Dec 13 2018 Petr Pisar <ppisar@redhat.com> - 2.44-14
 - Fix a buffer overwrite in parse_stream() with wide characters on the standard
-  input (bug #1658512)
+  input (bug #1473368)
 * Mon Jul 23 2018 Jitka Plesnikova <jplesnik@redhat.com> - 2.44-13
 - Specify all dependencies
 * Fri Jul 13 2018 Fedora Release Engineering <releng@fedoraproject.org> - 2.44-12
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
 * Fri Jun 29 2018 Jitka Plesnikova <jplesnik@redhat.com> - 2.44-11
 - Perl 5.28 rebuild
 * Fri Feb 09 2018 Fedora Release Engineering <releng@fedoraproject.org> - 2.44-10
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
--- a/1
+++ b/1
@ -0,0 +1 @@
 SHA512 (XML-Parser-2.46.tar.gz) = c4609495cc5ca34952f61876a690ef76d42eee6689d1bedb8036c9eab918525ec5213f1639c7178c029ee0f8765a2ca5eb0197f6e39b8be6d5dbc3f3c1d0b389
		`@ -1 +0,0 @@`
			`0ab6b932713ec1f9927a1b1c619b6889a5c12849 SOURCES/XML-Parser-2.44.tar.gz`
		`@ -0,0 +1 @@`
							`SHA512 (XML-Parser-2.46.tar.gz) = c4609495cc5ca34952f61876a690ef76d42eee6689d1bedb8036c9eab918525ec5213f1639c7178c029ee0f8765a2ca5eb0197f6e39b8be6d5dbc3f3c1d0b389`