

No commits in common. "c8" and "c9-beta" have entirely different histories.
c8 ... c9-beta

6 changed files with 119 additions and 174 deletions

.gitignore vendored

@ -1 +1 @@
SOURCES/YAML-LibYAML-0.70.tar.gz SOURCES/YAML-LibYAML-0.82.tar.gz


@ -1 +1 @@
6b3211de4382b43a06a6941ec8321c2fbefa03bf SOURCES/YAML-LibYAML-0.70.tar.gz 92ba858a2594e7e18472cc03e91b12dc921810a9 SOURCES/YAML-LibYAML-0.82.tar.gz


@ -0,0 +1,12 @@
diff -up YAML-LibYAML-0.79/LibYAML/Makefile.PL.orig YAML-LibYAML-0.79/LibYAML/Makefile.PL
--- YAML-LibYAML-0.79/LibYAML/Makefile.PL.orig 2019-06-11 21:35:34.000000000 +0200
+++ YAML-LibYAML-0.79/LibYAML/Makefile.PL 2019-06-12 08:53:09.437296055 +0200
@@ -25,7 +25,7 @@ WriteMakefile(
# CCFLAGS => '-pedantic -Wall',
# CCFLAGS => '-Wall',
DEFINE => $DEFINE,
- LIBS => [''], # e.g., '-lm'
+ LIBS => ['-lyaml'], # e.g., '-lm'
INC => '-I.',
OBJECT => $obj_files,
ABSTRACT_FROM => 'lib/YAML/XS/LibYAML.pm',
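Review bot: The `# e.g., '-lm'` example comment is carried over onto the changed `LIBS` line, where it no longer explains the value that was just set. A comment that states why the flag is there would help the next packager: `LIBS => ['-lyaml'], # link against the system libyaml; the bundled copy is not used`. The `WriteMakefile(` call this hunk patches starts outside the hunk, and `$obj_files` on the OBJECT line is defined outside it too, so whether that list still names objects removed from LibYAML/ cannot be checked from here.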


@ -1,27 +0,0 @@
From 5fe9daed726c06900c3cd41a739460057bec6dc3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tina=20M=C3=BCller?= <cpan2@tinita.de>
Date: Wed, 29 Jan 2025 21:17:28 +0100
Subject: [PATCH] Use 3-arg form of open in LoadFile
Fixes https://github.com/ingydotnet/yaml-libyaml-pm/issues/120
Otherwise `$filename = ">file.yaml"; LoadFile($filename)` will truncate a file.
One should check untrusted filenames in any case, though.
---
lib/YAML/XS.pm | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/YAML/XS.pm b/lib/YAML/XS.pm
index 66ff5ba..e8df694 100644
--- a/lib/YAML/XS.pm
+++ b/lib/YAML/XS.pm
@@ -54,7 +54,7 @@ sub LoadFile {
$IN = $filename;
}
else {
- open $IN, $filename
+ open $IN, '<', $filename
or die "Can't open '$filename' for input:\n$!";
}
return YAML::XS::LibYAML::Load(do { local $/; local $_ = <$IN> });


@ -1,76 +0,0 @@
From d287c87f41d5b0438d94d8fad1f285d17530fc69 Mon Sep 17 00:00:00 2001
From: Shlomi Fish <shlomif@shlomifish.org>
Date: Fri, 7 Feb 2025 15:08:56 +0200
Subject: [PATCH] regress test for GH#120. 3args open.
---
Makefile.PL | 4 ++++
t/security-gh120.t | 28 ++++++++++++++++++++++++++++
2 files changed, 32 insertions(+)
create mode 100644 t/security-gh120.t
#diff --git a/Makefile.PL b/Makefile.PL
#index 49a917d..371533a 100644
#--- a/Makefile.PL
#+++ b/Makefile.PL
#@@ -26,10 +26,12 @@ my %WriteMakefileArgs = (
# "warnings" => 0
# },
# "TEST_REQUIRES" => {
#+ "Cwd" => 0,
# "Devel::Peek" => 0,
# "Encode" => 0,
# "File::Find" => 0,
# "File::Path" => 0,
#+ "File::Temp" => 0,
# "FindBin" => 0,
# "IO::File" => 0,
# "IO::Pipe" => 0,
#@@ -50,11 +52,13 @@ my %WriteMakefileArgs = (
#
# my %FallbackPrereqs = (
# "B::Deparse" => 0,
#+ "Cwd" => 0,
# "Devel::Peek" => 0,
# "Encode" => 0,
# "Exporter" => 0,
# "File::Find" => 0,
# "File::Path" => 0,
#+ "File::Temp" => 0,
# "FindBin" => 0,
# "IO::File" => 0,
# "IO::Pipe" => 0,
diff --git a/t/security-gh120.t b/t/security-gh120.t
new file mode 100644
index 0000000..1102550
--- /dev/null
+++ b/t/security-gh120.t
@@ -0,0 +1,28 @@
+use FindBin '$Bin';
+use lib $Bin;
+use TestYAMLTests tests => 1;
+
+# https://github.com/ingydotnet/yaml-libyaml-pm/issues/120
+#
+
+use YAML::XS qw/DumpFile LoadFile/;
+use File::Temp qw/ tempdir /;
+
+use Cwd qw/ getcwd /;
+
+my $PWD = getcwd();
+my $dir = tempdir( CLEANUP => 1 );
+
+chdir($dir);
+
+my $fn = "dont-clobber-me";
+open my $fh, ">", ">$fn";
+$fh->print( "$fn\n" x 500 );
+close($fh);
+
+my $ret = LoadFile(">$fn");
+
+my $size = ( -s ">$fn" );
+ok( scalar( $size > 2000 ), "file was not clobbered; size = '$size'" );
+
+chdir($PWD);


@ -7,26 +7,27 @@
Name: perl-YAML-LibYAML Name: perl-YAML-LibYAML
Epoch: 1 Epoch: 1
Version: 0.70 Version: 0.82
Release: 2%{?dist} Release: 6%{?dist}
Summary: Perl YAML Serialization using XS and libyaml Summary: Perl YAML Serialization using XS and libyaml
License: GPL+ or Artistic License: GPL+ or Artistic
URL: https://metacpan.org/release/YAML-LibYAML URL: https://metacpan.org/release/YAML-LibYAML
Source0: https://cpan.metacpan.org/authors/id/T/TI/TINITA/YAML-LibYAML-%{version}.tar.gz Source0: https://cpan.metacpan.org/modules/by-module/YAML/YAML-LibYAML-%{version}.tar.gz
# Use 3-arg form of open in LoadFile (CVE-2025-40908) Patch0: YAML-LibYAML-0.79-Unbundled-libyaml.patch
Patch1: YAML-LibYAML-0.903-Use-3-arg-form-of-open-in-LoadFile.patch
Patch2: YAML-LibYAML-0.903-regress-test-for-3args-open.patch
# Build # Build
BuildRequires: coreutils BuildRequires: coreutils
BuildRequires: findutils BuildRequires: findutils
BuildRequires: gcc BuildRequires: gcc
BuildRequires: make BuildRequires: make
BuildRequires: libyaml >= 0.2.4
BuildRequires: libyaml-devel >= 0.2.4
BuildRequires: perl-devel BuildRequires: perl-devel
BuildRequires: perl-generators BuildRequires: perl-generators
BuildRequires: perl-interpreter BuildRequires: perl-interpreter
BuildRequires: perl(Config) BuildRequires: perl(Config)
BuildRequires: perl(ExtUtils::MakeMaker) >= 6.76 BuildRequires: perl(ExtUtils::MakeMaker) >= 6.76
BuildRequires: sed
# Module # Module
BuildRequires: perl(B::Deparse) BuildRequires: perl(B::Deparse)
@ -42,13 +43,11 @@ BuildRequires: perl(XSLoader)
BuildRequires: perl(B) BuildRequires: perl(B)
BuildRequires: perl(blib) BuildRequires: perl(blib)
BuildRequires: perl(Carp) BuildRequires: perl(Carp)
BuildRequires: perl(Cwd)
BuildRequires: perl(Data::Dumper) BuildRequires: perl(Data::Dumper)
BuildRequires: perl(Devel::Peek) BuildRequires: perl(Devel::Peek)
BuildRequires: perl(Encode) BuildRequires: perl(Encode)
BuildRequires: perl(File::Find) BuildRequires: perl(File::Find)
BuildRequires: perl(File::Path) BuildRequires: perl(File::Path)
BuildRequires: perl(File::Temp)
BuildRequires: perl(Filter::Util::Call) BuildRequires: perl(Filter::Util::Call)
BuildRequires: perl(FindBin) BuildRequires: perl(FindBin)
BuildRequires: perl(IO::File) BuildRequires: perl(IO::File)
@ -68,82 +67,38 @@ BuildRequires: perl(Path::Class)
# Dependencies # Dependencies
Requires: perl(:MODULE_COMPAT_%(eval "`perl -V:version`"; echo $version)) Requires: perl(:MODULE_COMPAT_%(eval "`perl -V:version`"; echo $version))
Requires: perl(B::Deparse) Requires: perl(B::Deparse)
Requires: libyaml >= 0.2.4
# libyaml is tweaked and bundled
# https://github.com/ingydotnet/yaml-libyaml-pm/issues/49
# version number determined by comparing commits in upstream repo:
# https://bitbucket.org/xi/libyaml/commits/branch/default
Provides: bundled(libyaml) = 0.1.7
# Avoid provides for perl shared objects # Avoid provides for perl shared objects
%{?perl_default_filter} %{?perl_default_filter}
# Filter modules bundled for tests
%global __provides_exclude_from %{?__provides_exclude_from:%__provides_exclude_from|}^%{_libexecdir}
%global __requires_exclude %{?__requires_exclude:%__requires_exclude|}^perl\\(Spiffy\\)
%global __requires_exclude %{?__requires_exclude:%__requires_exclude|}^perl\\(TestYAML.*\\)
%global __requires_exclude %{?__requires_exclude:%__requires_exclude|}^perl\\(Test::Base.*\\)
%description %description
Kirill Siminov's "libyaml" is arguably the best YAML implementation. The C Kirill Siminov's "libyaml" is arguably the best YAML implementation. The C
library is written precisely to the YAML 1.1 specification. It was originally library is written precisely to the YAML 1.1 specification. It was originally
bound to Python and was later bound to Ruby. bound to Python and was later bound to Ruby.
%package tests
Summary: Tests for %{name}
Requires: %{name} = %{?epoch:%{epoch}:}%{version}-%{release}
Requires: perl-Test-Harness
Requires: perl(Filter::Util::Call)
%description tests
Tests from %{name}. Execute them
with "%{_libexecdir}/%{name}/test".
%prep %prep
%setup -q -n YAML-LibYAML-%{version} %setup -q -n YAML-LibYAML-%{version}
%patch -P1 -p1 # Unbundled libyaml, the source files are the same as in libyaml-0.2.4
%patch -P2 -p1 # It was determined by comparing commits in upstream repo:
# https://github.com/yaml/libyaml/
# Help generators to recognize Perl scripts %patch0 -p1 -b .orig
for F in t/*.t; do for file in api.c dumper.c emitter.c loader.c parser.c reader.c scanner.c \
perl -i -MConfig -ple 'print $Config{startperl} if $. == 1 && !s{\A#!.*perl\b}{$Config{startperl}}' "$F" writer.c yaml.h yaml_private.h; do
chmod +x "$F" rm LibYAML/$file
sed -i -e "/^LibYAML\/$file/d" MANIFEST
done done
%build %build
perl Makefile.PL INSTALLDIRS=vendor OPTIMIZE="%{optflags}" NO_PACKLIST=1 perl Makefile.PL INSTALLDIRS=vendor OPTIMIZE="%{optflags}" NO_PACKLIST=1 NO_PERLLOCAL=1
make %{?_smp_mflags} %{make_build}
%install %install
make pure_install DESTDIR=%{buildroot} %{make_install}
find %{buildroot} -type f -name '*.bs' -empty -delete find %{buildroot} -type f -name '*.bs' -empty -delete
%{_fixperms} -c %{buildroot} %{_fixperms} -c %{buildroot}
# Install tests
mkdir -p %{buildroot}%{_libexecdir}/%{name}
cp -a t inc %{buildroot}%{_libexecdir}/%{name}
# It needs libraries in lib/ not in system directories
rm %{buildroot}%{_libexecdir}/%{name}/t/000-require-modules.t
# Remove author test
rm %{buildroot}%{_libexecdir}/%{name}/t/author-pod-syntax.t
# Don't use blib
perl -i -pe 's{^use blib;}{#use blib;}' %{buildroot}%{_libexecdir}/%{name}/t/TestYAML.pm
perl -i -pe 's{^use_blib: 1}{use_blib: 0}' %{buildroot}%{_libexecdir}/%{name}/t/yaml_tests.yaml
cat > %{buildroot}%{_libexecdir}/%{name}/test << 'EOF'
#!/bin/bash
set -e
# Some tests write into temporary files/directories. The solution is to
# copy the tests into a writable directory and execute them from there.
DIR=$(mktemp -d)
pushd "$DIR"
cp -a %{_libexecdir}/%{name}/* ./
prove -I . -I inc -j "$(getconf _NPROCESSORS_ONLN)"
popd
rm -rf "$DIR"
EOF
chmod +x %{buildroot}%{_libexecdir}/%{name}/test
%check %check
export HARNESS_OPTIONS=j$(perl -e 'if ($ARGV[0] =~ /.*-j([0-9][0-9]*).*/) {print $1} else {print 1}' -- '%{?_smp_mflags}')
make test make test
%files %files
@ -155,12 +110,93 @@ make test
%{_mandir}/man3/YAML::XS.3* %{_mandir}/man3/YAML::XS.3*
%{_mandir}/man3/YAML::XS::LibYAML.3* %{_mandir}/man3/YAML::XS::LibYAML.3*
%files tests
%{_libexecdir}/%{name}
%changelog %changelog
* Thu Jun 05 2025 Jitka Plesnikova <jplesnik@redhat.com> - 1:0.70-2 * Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 1:0.82-6
- Use 3-arg form of open in LoadFile (CVE-2025-40908) - Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
Related: rhbz#1991688
* Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 1:0.82-5
- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
* Wed Jan 27 2021 Fedora Release Engineering <releng@fedoraproject.org> - 1:0.82-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
* Tue Jul 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1:0.82-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
* Tue Jun 23 2020 Jitka Plesnikova <jplesnik@redhat.com> - 1:0.82-2
- Perl 5.32 rebuild
* Sun May 3 2020 Paul Howarth <paul@city-fan.org> - 1:0.82-1
- Update to 0.82
- Updated libyaml sources to 0.2.4; changes affecting YAML::XS are:
- Output '...' at the stream end after a block scalar with trailing empty
lines
- Accept '%%YAML 1.2' directives (they are ignored and do not change
behaviour though)
* Tue Jan 28 2020 Jitka Plesnikova <jplesnik@redhat.com> - 1:0.81-1
- Update to 0.81
- Breaking Change: Set $YAML::XS::LoadBlessed default to false to make it
more secure
* Thu Aug 22 2019 Jitka Plesnikova <jplesnik@redhat.com> - 1:0.80-1
- Update to 0.80
- Fix memory leak when loading invalid YAML
* Fri Jul 26 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1:0.79-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
* Wed Jun 12 2019 Jitka Plesnikova <jplesnik@redhat.com> - 1:0.79-1
- Update to 0.79
- Support aliasing scalars resolved as null or booleans
- Add YAML::XS::LibYAML::libyaml_version()
- Support standard !!int/!!float tags instead of dying
- Unbundled libyaml, it is identical with upstream 0.2.2
* Fri May 31 2019 Jitka Plesnikova <jplesnik@redhat.com> - 1:0.78-2
- Perl 5.30 rebuild
* Sun May 19 2019 Paul Howarth <paul@city-fan.org> - 1:0.78-1
- Update to 0.78
- Fix double free/core dump when Dump()ing binary data (GH#91)
- Update config.h from libyaml
- Modernize spec using %%{make_build} and %%{make_install}
* Tue Apr 16 2019 Jitka Plesnikova <jplesnik@redhat.com> - 1:0.77-1
- Update to 0.77
- Update libyaml to version 0.2.2 - Most important change for users is that
plain urls in flow style can be parsed now
* Sat Feb 02 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1:0.76-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
* Wed Jan 02 2019 Jitka Plesnikova <jplesnik@redhat.com> - 1:0.76-1
- Update to 0.76
- Add $Indent - number of spaces when dumping
- Fix typo and links in docs
* Sat Nov 3 2018 Paul Howarth <paul@city-fan.org> - 1:0.75-1
- Update to 0.75
- Implement $LoadCode
* Mon Sep 3 2018 Paul Howarth <paul@city-fan.org> - 1:0.74-1
- Update to 0.74
- Fix tests on older perls
- Support back to perl 5.8.1
* Fri Jul 13 2018 Fedora Release Engineering <releng@fedoraproject.org> - 1:0.72-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
* Mon Jul 09 2018 Jitka Plesnikova <jplesnik@redhat.com> - 1:0.72-1
- Update to 0.72
- Update to libyaml 0.2.1 - It's forbidden now to escape single
quotes inside double quotes
- When disabling $LoadBlessed, return scalars not refs
- Save anchors also for blessed scalars
* Thu Jun 28 2018 Jitka Plesnikova <jplesnik@redhat.com> - 1:0.70-2
- Perl 5.28 rebuild
* Sun Jun 10 2018 Paul Howarth <paul@city-fan.org> - 1:0.70-1 * Sun Jun 10 2018 Paul Howarth <paul@city-fan.org> - 1:0.70-1
- Update to 0.70 - Update to 0.70
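Review bot: The new side of the spec drops `Patch1: YAML-LibYAML-0.903-Use-3-arg-form-of-open-in-LoadFile.patch` and `Patch2: YAML-LibYAML-0.903-regress-test-for-3args-open.patch` together with their `%patch -P1 -p1` / `%patch -P2 -p1` lines in `%prep`, and nothing on the new side carries that fix in another form. The removed patch file shows the underlying defect is the 2-arg `open $IN, $filename` in `LoadFile`, which lets a filename beginning with `>` truncate that file, and the old-side changelog records it as CVE-2025-40908. The new side builds 0.82, which is older than the 0.903 release the patch names, so it presumably still contains the 2-arg open; if c9-beta is the branch being brought forward, the two patches should be re-added with a changelog entry naming the CVE. This compare has no common history, so the deletions may just reflect an older snapshot rather than an intentional revert, but the resulting package would still lack the fix.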