Compare commits


No commits in common. "c8" and "c9-beta" have entirely different histories.
c8 ... c9-beta

6 changed files with 119 additions and 174 deletions

.gitignore vendored

@ -1 +1 @@
SOURCES/YAML-LibYAML-0.70.tar.gz
SOURCES/YAML-LibYAML-0.82.tar.gz


@ -1 +1 @@
6b3211de4382b43a06a6941ec8321c2fbefa03bf SOURCES/YAML-LibYAML-0.70.tar.gz
92ba858a2594e7e18472cc03e91b12dc921810a9 SOURCES/YAML-LibYAML-0.82.tar.gz


@ -0,0 +1,12 @@
diff -up YAML-LibYAML-0.79/LibYAML/Makefile.PL.orig YAML-LibYAML-0.79/LibYAML/Makefile.PL
--- YAML-LibYAML-0.79/LibYAML/Makefile.PL.orig 2019-06-11 21:35:34.000000000 +0200
+++ YAML-LibYAML-0.79/LibYAML/Makefile.PL 2019-06-12 08:53:09.437296055 +0200
@@ -25,7 +25,7 @@ WriteMakefile(
# CCFLAGS => '-pedantic -Wall',
# CCFLAGS => '-Wall',
DEFINE => $DEFINE,
- LIBS => [''], # e.g., '-lm'
+ LIBS => ['-lyaml'], # e.g., '-lm'
INC => '-I.',
OBJECT => $obj_files,
ABSTRACT_FROM => 'lib/YAML/XS/LibYAML.pm',


@ -1,27 +0,0 @@
From 5fe9daed726c06900c3cd41a739460057bec6dc3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tina=20M=C3=BCller?= <cpan2@tinita.de>
Date: Wed, 29 Jan 2025 21:17:28 +0100
Subject: [PATCH] Use 3-arg form of open in LoadFile
Fixes https://github.com/ingydotnet/yaml-libyaml-pm/issues/120
Otherwise `$filename = ">file.yaml"; LoadFile($filename)` will truncate a file.
One should check untrusted filenames in any case, though.
---
lib/YAML/XS.pm | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/YAML/XS.pm b/lib/YAML/XS.pm
index 66ff5ba..e8df694 100644
--- a/lib/YAML/XS.pm
+++ b/lib/YAML/XS.pm
@@ -54,7 +54,7 @@ sub LoadFile {
$IN = $filename;
}
else {
- open $IN, $filename
+ open $IN, '<', $filename
or die "Can't open '$filename' for input:\n$!";
}
return YAML::XS::LibYAML::Load(do { local $/; local $_ = <$IN> });


@ -1,76 +0,0 @@
From d287c87f41d5b0438d94d8fad1f285d17530fc69 Mon Sep 17 00:00:00 2001
From: Shlomi Fish <shlomif@shlomifish.org>
Date: Fri, 7 Feb 2025 15:08:56 +0200
Subject: [PATCH] regress test for GH#120. 3args open.
---
Makefile.PL | 4 ++++
t/security-gh120.t | 28 ++++++++++++++++++++++++++++
2 files changed, 32 insertions(+)
create mode 100644 t/security-gh120.t
#diff --git a/Makefile.PL b/Makefile.PL
#index 49a917d..371533a 100644
#--- a/Makefile.PL
#+++ b/Makefile.PL
#@@ -26,10 +26,12 @@ my %WriteMakefileArgs = (
# "warnings" => 0
# },
# "TEST_REQUIRES" => {
#+ "Cwd" => 0,
# "Devel::Peek" => 0,
# "Encode" => 0,
# "File::Find" => 0,
# "File::Path" => 0,
#+ "File::Temp" => 0,
# "FindBin" => 0,
# "IO::File" => 0,
# "IO::Pipe" => 0,
#@@ -50,11 +52,13 @@ my %WriteMakefileArgs = (
#
# my %FallbackPrereqs = (
# "B::Deparse" => 0,
#+ "Cwd" => 0,
# "Devel::Peek" => 0,
# "Encode" => 0,
# "Exporter" => 0,
# "File::Find" => 0,
# "File::Path" => 0,
#+ "File::Temp" => 0,
# "FindBin" => 0,
# "IO::File" => 0,
# "IO::Pipe" => 0,
diff --git a/t/security-gh120.t b/t/security-gh120.t
new file mode 100644
index 0000000..1102550
--- /dev/null
+++ b/t/security-gh120.t
@@ -0,0 +1,28 @@
+use FindBin '$Bin';
+use lib $Bin;
+use TestYAMLTests tests => 1;
+
+# https://github.com/ingydotnet/yaml-libyaml-pm/issues/120
+#
+
+use YAML::XS qw/DumpFile LoadFile/;
+use File::Temp qw/ tempdir /;
+
+use Cwd qw/ getcwd /;
+
+my $PWD = getcwd();
+my $dir = tempdir( CLEANUP => 1 );
+
+chdir($dir);
+
+my $fn = "dont-clobber-me";
+open my $fh, ">", ">$fn";
+$fh->print( "$fn\n" x 500 );
+close($fh);
+
+my $ret = LoadFile(">$fn");
+
+my $size = ( -s ">$fn" );
+ok( scalar( $size > 2000 ), "file was not clobbered; size = '$size'" );
+
+chdir($PWD);


@ -7,26 +7,27 @@
Name: perl-YAML-LibYAML
Epoch: 1
Version: 0.70
Release: 2%{?dist}
Version: 0.82
Release: 6%{?dist}
Summary: Perl YAML Serialization using XS and libyaml
License: GPL+ or Artistic
URL: https://metacpan.org/release/YAML-LibYAML
Source0: https://cpan.metacpan.org/authors/id/T/TI/TINITA/YAML-LibYAML-%{version}.tar.gz
# Use 3-arg form of open in LoadFile (CVE-2025-40908)
Patch1: YAML-LibYAML-0.903-Use-3-arg-form-of-open-in-LoadFile.patch
Patch2: YAML-LibYAML-0.903-regress-test-for-3args-open.patch
Source0: https://cpan.metacpan.org/modules/by-module/YAML/YAML-LibYAML-%{version}.tar.gz
Patch0: YAML-LibYAML-0.79-Unbundled-libyaml.patch
# Build
BuildRequires: coreutils
BuildRequires: findutils
BuildRequires: gcc
BuildRequires: make
BuildRequires: libyaml >= 0.2.4
BuildRequires: libyaml-devel >= 0.2.4
BuildRequires: perl-devel
BuildRequires: perl-generators
BuildRequires: perl-interpreter
BuildRequires: perl(Config)
BuildRequires: perl(ExtUtils::MakeMaker) >= 6.76
BuildRequires: sed
# Module
BuildRequires: perl(B::Deparse)
@ -42,13 +43,11 @@ BuildRequires: perl(XSLoader)
BuildRequires: perl(B)
BuildRequires: perl(blib)
BuildRequires: perl(Carp)
BuildRequires: perl(Cwd)
BuildRequires: perl(Data::Dumper)
BuildRequires: perl(Devel::Peek)
BuildRequires: perl(Encode)
BuildRequires: perl(File::Find)
BuildRequires: perl(File::Path)
BuildRequires: perl(File::Temp)
BuildRequires: perl(Filter::Util::Call)
BuildRequires: perl(FindBin)
BuildRequires: perl(IO::File)
@ -68,82 +67,38 @@ BuildRequires: perl(Path::Class)
# Dependencies
Requires: perl(:MODULE_COMPAT_%(eval "`perl -V:version`"; echo $version))
Requires: perl(B::Deparse)
# libyaml is tweaked and bundled
# https://github.com/ingydotnet/yaml-libyaml-pm/issues/49
# version number determined by comparing commits in upstream repo:
# https://bitbucket.org/xi/libyaml/commits/branch/default
Provides: bundled(libyaml) = 0.1.7
Requires: libyaml >= 0.2.4
# Avoid provides for perl shared objects
%{?perl_default_filter}
# Filter modules bundled for tests
%global __provides_exclude_from %{?__provides_exclude_from:%__provides_exclude_from|}^%{_libexecdir}
%global __requires_exclude %{?__requires_exclude:%__requires_exclude|}^perl\\(Spiffy\\)
%global __requires_exclude %{?__requires_exclude:%__requires_exclude|}^perl\\(TestYAML.*\\)
%global __requires_exclude %{?__requires_exclude:%__requires_exclude|}^perl\\(Test::Base.*\\)
%description
Kirill Siminov's "libyaml" is arguably the best YAML implementation. The C
library is written precisely to the YAML 1.1 specification. It was originally
bound to Python and was later bound to Ruby.
%package tests
Summary: Tests for %{name}
Requires: %{name} = %{?epoch:%{epoch}:}%{version}-%{release}
Requires: perl-Test-Harness
Requires: perl(Filter::Util::Call)
%description tests
Tests from %{name}. Execute them
with "%{_libexecdir}/%{name}/test".
%prep
%setup -q -n YAML-LibYAML-%{version}
%patch -P1 -p1
%patch -P2 -p1
# Help generators to recognize Perl scripts
for F in t/*.t; do
perl -i -MConfig -ple 'print $Config{startperl} if $. == 1 && !s{\A#!.*perl\b}{$Config{startperl}}' "$F"
chmod +x "$F"
# Unbundled libyaml, the source files are the same as in libyaml-0.2.4
# It was determined by comparing commits in upstream repo:
# https://github.com/yaml/libyaml/
%patch0 -p1 -b .orig
for file in api.c dumper.c emitter.c loader.c parser.c reader.c scanner.c \
writer.c yaml.h yaml_private.h; do
rm LibYAML/$file
sed -i -e "/^LibYAML\/$file/d" MANIFEST
done
%build
perl Makefile.PL INSTALLDIRS=vendor OPTIMIZE="%{optflags}" NO_PACKLIST=1
make %{?_smp_mflags}
perl Makefile.PL INSTALLDIRS=vendor OPTIMIZE="%{optflags}" NO_PACKLIST=1 NO_PERLLOCAL=1
%{make_build}
%install
make pure_install DESTDIR=%{buildroot}
%{make_install}
find %{buildroot} -type f -name '*.bs' -empty -delete
%{_fixperms} -c %{buildroot}
# Install tests
mkdir -p %{buildroot}%{_libexecdir}/%{name}
cp -a t inc %{buildroot}%{_libexecdir}/%{name}
# It needs libraries in lib/ not in system directories
rm %{buildroot}%{_libexecdir}/%{name}/t/000-require-modules.t
# Remove author test
rm %{buildroot}%{_libexecdir}/%{name}/t/author-pod-syntax.t
# Don't use blib
perl -i -pe 's{^use blib;}{#use blib;}' %{buildroot}%{_libexecdir}/%{name}/t/TestYAML.pm
perl -i -pe 's{^use_blib: 1}{use_blib: 0}' %{buildroot}%{_libexecdir}/%{name}/t/yaml_tests.yaml
cat > %{buildroot}%{_libexecdir}/%{name}/test << 'EOF'
#!/bin/bash
set -e
# Some tests write into temporary files/directories. The solution is to
# copy the tests into a writable directory and execute them from there.
DIR=$(mktemp -d)
pushd "$DIR"
cp -a %{_libexecdir}/%{name}/* ./
prove -I . -I inc -j "$(getconf _NPROCESSORS_ONLN)"
popd
rm -rf "$DIR"
EOF
chmod +x %{buildroot}%{_libexecdir}/%{name}/test
%check
export HARNESS_OPTIONS=j$(perl -e 'if ($ARGV[0] =~ /.*-j([0-9][0-9]*).*/) {print $1} else {print 1}' -- '%{?_smp_mflags}')
make test
%files
@ -155,12 +110,93 @@ make test
%{_mandir}/man3/YAML::XS.3*
%{_mandir}/man3/YAML::XS::LibYAML.3*
%files tests
%{_libexecdir}/%{name}
%changelog
* Thu Jun 05 2025 Jitka Plesnikova <jplesnik@redhat.com> - 1:0.70-2
- Use 3-arg form of open in LoadFile (CVE-2025-40908)
* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 1:0.82-6
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
Related: rhbz#1991688
* Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 1:0.82-5
- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
* Wed Jan 27 2021 Fedora Release Engineering <releng@fedoraproject.org> - 1:0.82-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
* Tue Jul 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1:0.82-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
* Tue Jun 23 2020 Jitka Plesnikova <jplesnik@redhat.com> - 1:0.82-2
- Perl 5.32 rebuild
* Sun May 3 2020 Paul Howarth <paul@city-fan.org> - 1:0.82-1
- Update to 0.82
- Updated libyaml sources to 0.2.4; changes affecting YAML::XS are:
- Output '...' at the stream end after a block scalar with trailing empty
lines
- Accept '%%YAML 1.2' directives (they are ignored and do not change
behaviour though)
* Tue Jan 28 2020 Jitka Plesnikova <jplesnik@redhat.com> - 1:0.81-1
- Update to 0.81
- Breaking Change: Set $YAML::XS::LoadBlessed default to false to make it
more secure
* Thu Aug 22 2019 Jitka Plesnikova <jplesnik@redhat.com> - 1:0.80-1
- Update to 0.80
- Fix memory leak when loading invalid YAML
* Fri Jul 26 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1:0.79-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
* Wed Jun 12 2019 Jitka Plesnikova <jplesnik@redhat.com> - 1:0.79-1
- Update to 0.79
- Support aliasing scalars resolved as null or booleans
- Add YAML::XS::LibYAML::libyaml_version()
- Support standard !!int/!!float tags instead of dying
- Unbundled libyaml, it is identical with upstream 0.2.2
* Fri May 31 2019 Jitka Plesnikova <jplesnik@redhat.com> - 1:0.78-2
- Perl 5.30 rebuild
* Sun May 19 2019 Paul Howarth <paul@city-fan.org> - 1:0.78-1
- Update to 0.78
- Fix double free/core dump when Dump()ing binary data (GH#91)
- Update config.h from libyaml
- Modernize spec using %%{make_build} and %%{make_install}
* Tue Apr 16 2019 Jitka Plesnikova <jplesnik@redhat.com> - 1:0.77-1
- Update to 0.77
- Update libyaml to version 0.2.2 - Most important change for users is that
plain urls in flow style can be parsed now
* Sat Feb 02 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1:0.76-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
* Wed Jan 02 2019 Jitka Plesnikova <jplesnik@redhat.com> - 1:0.76-1
- Update to 0.76
- Add $Indent - number of spaces when dumping
- Fix typo and links in docs
* Sat Nov 3 2018 Paul Howarth <paul@city-fan.org> - 1:0.75-1
- Update to 0.75
- Implement $LoadCode
* Mon Sep 3 2018 Paul Howarth <paul@city-fan.org> - 1:0.74-1
- Update to 0.74
- Fix tests on older perls
- Support back to perl 5.8.1
* Fri Jul 13 2018 Fedora Release Engineering <releng@fedoraproject.org> - 1:0.72-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
* Mon Jul 09 2018 Jitka Plesnikova <jplesnik@redhat.com> - 1:0.72-1
- Update to 0.72
- Update to libyaml 0.2.1 - It's forbidden now to escape single
quotes inside double quotes
- When disabling $LoadBlessed, return scalars not refs
- Save anchors also for blessed scalars
* Thu Jun 28 2018 Jitka Plesnikova <jplesnik@redhat.com> - 1:0.70-2
- Perl 5.28 rebuild
* Sun Jun 10 2018 Paul Howarth <paul@city-fan.org> - 1:0.70-1
- Update to 0.70
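Review bot: The c9-beta side of the spec carries no equivalent of the CVE-2025-40908 fix that the c8 side applies as Patch1/Patch2 (the 3-arg `open` change in `LoadFile` and its regression test), so at 1:0.82-6 a caller-supplied filename presumably still reaches 2-arg `open`, where a leading `>` truncates the target file as the removed patch's description states. The patches are named for upstream 0.903, which suggests 0.82 predates the fix rather than containing it, but whether the fix reached this branch by another route cannot be seen from this page. If the branch is still shipped, carry the same lines forward in the Patch list (`# Use 3-arg form of open in LoadFile (CVE-2025-40908)`, `Patch1: YAML-LibYAML-0.903-Use-3-arg-form-of-open-in-LoadFile.patch`, `Patch2: YAML-LibYAML-0.903-regress-test-for-3args-open.patch`) and apply them in %prep next to `%patch0 -p1 -b .orig`, with a matching %changelog entry. The regression test adds `Cwd` and `File::Temp` test requirements, which this spec already lists as BuildRequires.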