From ae5aa7ac328de6f35ad1bc5a7416a26f2d3f1547 Mon Sep 17 00:00:00 2001
From: jvdias
Date: Fri, 9 Dec 2005 20:02:31 +0000
Subject: [PATCH] - Apply upstream patches 26283 and 26284 : complete, revised fixes for CVE-2005-3962 and CVE-2005-3912 and "Sys::Syslog security vulnerabilities" issues. - Fix bug 136009 / MakeMaker LD_RUN_PATH issue: restore previous default Red Hat behavior of removing the MakeMaker generated LD_RUN_PATH setting from the link command . Document this removal, as it contravenes upstream default behavior, and provide a USE_MM_LD_RUN_PATH MakeMaker member to enable use of the MakeMaker generated LD_RUN_PATH .
---
 perl-5.8.7-CVE-2005-3962-bz174684.patch | 386 +++++++++++++++++++++++-
 perl-5.8.7-USE_MM_LD_RUN_PATH.patch | 115 +++++++
 perl.spec | 17 +-
 3 files changed, 510 insertions(+), 8 deletions(-)
 create mode 100644 perl-5.8.7-USE_MM_LD_RUN_PATH.patch
diff --git a/perl-5.8.7-CVE-2005-3962-bz174684.patch b/perl-5.8.7-CVE-2005-3962-bz174684.patch
index ade577b..70e8ee1 100644
--- a/perl-5.8.7-CVE-2005-3962-bz174684.patch
+++ b/perl-5.8.7-CVE-2005-3962-bz174684.patch
@@ -1,18 +1,54 @@ +--- perl-5.8.7/t/lib/warnings/sv.CVE-2005-3962-bz174684 2004-03-18 07:51:14.000000000 -0500 ++++ perl-5.8.7/t/lib/warnings/sv 2005-12-09 13:57:57.000000000 -0500 +@@ -301,12 +301,12 @@ + printf F "%\x02" ; + $a = sprintf "%\x02" ; + EXPECT +-Invalid conversion in sprintf: "%z" at - line 5. +-Invalid conversion in sprintf: end of string at - line 7. +-Invalid conversion in sprintf: "%\002" at - line 9. + Invalid conversion in printf: "%z" at - line 4. ++Invalid conversion in sprintf: "%z" at - line 5. + Invalid conversion in printf: end of string at - line 6. ++Invalid conversion in sprintf: end of string at - line 7. + Invalid conversion in printf: "%\002" at - line 8. ++Invalid conversion in sprintf: "%\002" at - line 9. + ######## + # sv.c + use warnings 'misc' ; +--- perl-5.8.7/t/op/sprintf.t.CVE-2005-3962-bz174684 2003-09-01 03:41:07.000000000 -0400 ++++ perl-5.8.7/t/op/sprintf.t 2005-12-09 13:57:57.000000000 -0500 +@@ -385,3 +385,6 @@ + >%4$K %d< >[45, 67]< >%4$K 45 INVALID< + >%d %K %d< >[23, 45]< >23 %K 45 INVALID< + >%*v*999\$d %d %d< >[11, 22, 33]< >%*v*999\$d 11 22 INVALID< ++>%#b< >0< >0< ++>%#o< >0< >0< ++>%#x< >0< >0< --- perl-5.8.7/t/op/sprintf2.t.CVE-2005-3962-bz174684 2004-02-09 16:37:13.000000000 -0500 -+++ perl-5.8.7/t/op/sprintf2.t 2005-12-01 13:11:34.000000000 -0500 ++++ perl-5.8.7/t/op/sprintf2.t 2005-12-09 13:57:57.000000000 -0500 @@ -6,7 +6,7 @@ require './test.pl'; } -plan tests => 3; -+plan tests => 6; ++plan tests => 7; is( sprintf("%.40g ",0.01), -@@ -26,3 +26,20 @@ +@@ -26,3 +26,29 @@ q(width calculation under utf8 upgrade) ); } ++ ++# Used to mangle PL_sv_undef ++fresh_perl_is( ++ 'print sprintf "xxx%n\n"; print undef', ++ 'Modification of a read-only value attempted at - line 1.', ++ { switches => [ '-w' ] }, ++ q(%n should not be able to modify read-only constants), ++); ++ +# check %NNN$ for range bounds, especially negative 2's complement +{ + my ($warn, $bad) = (0,0); 
@@ -30,9 +66,312 @@ + is($warn, 36, "expected warnings"); + is($bad, 0, "unexpected warnings"); +} +--- perl-5.8.7/opcode.h.CVE-2005-3962-bz174684 2005-05-27 12:29:50.000000000 -0400 ++++ perl-5.8.7/opcode.h 2005-12-09 13:57:57.000000000 -0500 +@@ -1585,7 +1585,7 @@ + 0x0022281c, /* vec */ + 0x0122291c, /* index */ + 0x0122291c, /* rindex */ +- 0x0004280f, /* sprintf */ ++ 0x0004280d, /* sprintf - WAS 0x0004280f before patch #26283 */ + 0x00042805, /* formline */ + 0x0001379e, /* ord */ + 0x0001378e, /* chr */ +--- perl-5.8.7/op.c.CVE-2005-3962-bz174684 2005-04-22 10:12:32.000000000 -0400 ++++ perl-5.8.7/op.c 2005-12-09 13:57:57.000000000 -0500 +@@ -2076,7 +2076,9 @@ + /* XXX might want a ck_negate() for this */ + cUNOPo->op_first->op_private &= ~OPpCONST_STRICT; + break; +- case OP_SPRINTF: ++/* Removed as part of fix for CVE-2005-3962 / Upstream patch 26283 : ++ * case OP_SPRINTF: ++ */ + case OP_UCFIRST: + case OP_LCFIRST: + case OP_UC: +--- perl-5.8.7/makedef.pl.CVE-2005-3962-bz174684 2005-05-09 09:27:41.000000000 -0400 ++++ perl-5.8.7/makedef.pl 2005-12-09 13:57:57.000000000 -0500 +@@ -635,11 +635,13 @@ + )]; + } + +-if ($define{'PERL_MALLOC_WRAP'}) { +- emit_symbols [qw( +- PL_memory_wrap +- )]; +-} ++# Removed as part of fix for CVE-2005-3962 / CVE-2005-3962 / ++# Upstream patch #26283 ++# if ($define{'PERL_MALLOC_WRAP'}) { ++# emit_symbols [qw( ++# PL_memory_wrap ++# )]; ++#} + + unless ($define{'USE_5005THREADS'} || $define{'USE_ITHREADS'}) { + skip_symbols [qw( +--- perl-5.8.7/ext/Sys/Syslog/Syslog.pm.CVE-2005-3962-bz174684 2005-04-22 07:53:56.000000000 -0400 ++++ perl-5.8.7/ext/Sys/Syslog/Syslog.pm 2005-12-09 13:57:57.000000000 -0500 +@@ -1,14 +1,13 @@ + package Sys::Syslog; + require 5.006; + require Exporter; +-require DynaLoader; + use Carp; + use strict; + +-our @ISA = qw(Exporter DynaLoader); ++our @ISA = qw(Exporter); + our @EXPORT = qw(openlog closelog setlogmask syslog); + our @EXPORT_OK = qw(setlogsock); +-our $VERSION = '0.06'; ++our $VERSION = 
'0.08'; + + # it would be nice to try stream/unix first, since that will be + # most efficient. However streams are dodgy - see _syslog_send_stream +@@ -54,26 +53,38 @@ + + =item openlog $ident, $logopt, $facility + ++Opens the syslog. + I<$ident> is prepended to every message. I<$logopt> contains zero or + more of the words I, I, I. The cons option is + ignored, since the failover mechanism will drop down to the console + automatically if all other media fail. I<$facility> specifies the + part of the system to report about, for example LOG_USER or LOG_LOCAL0: + see your C documentation for the facilities available in +-your system. ++your system. This function will croak if it can't connect to the syslog ++daemon. + + B + ++=item syslog $priority, $message ++ + =item syslog $priority, $format, @args + +-If I<$priority> permits, logs I<($format, @args)> +-printed as by C, with the addition that I<%m> +-is replaced with C<"$!"> (the latest error message). ++If I<$priority> permits, logs I<$message> or I ++with the addition that I<%m> in $message or $format is replaced with ++C<"$!"> (the latest error message). + + If you didn't use openlog() before using syslog(), syslog will try to + guess the I<$ident> by extracting the shortest prefix of I<$format> + that ends in a ":". + ++Note that Sys::Syslog version v0.07 and older passed the $message as ++the formatting string to sprintf() even when no formatting arguments ++were provided. If the code calling syslog() might execute with older ++versions of this module, make sure to call the function as ++syslog($priority, "%s", $message) instead of syslog($priority, ++$message). This protects against hostile formatting sequences that ++might show up if $message contains tainted data. ++ + =item setlogmask $mask_priority + + Sets log mask I<$mask_priority> and returns the old mask. 
+@@ -175,7 +186,8 @@ + goto &$AUTOLOAD; + } + +-bootstrap Sys::Syslog $VERSION; ++require XSLoader; ++XSLoader::load('Sys::Syslog', $VERSION); + + our $maskpri = &LOG_UPTO(&LOG_DEBUG); + +@@ -316,9 +328,16 @@ + + $whoami .= "[$$]" if our $lo_pid; + +- $mask =~ s/(?$whoami: $message\0"; +--- perl-5.8.7/opcode.pl.CVE-2005-3962-bz174684 2004-12-01 08:54:30.000000000 -0500 ++++ perl-5.8.7/opcode.pl 2005-12-09 13:57:57.000000000 -0500 +@@ -606,7 +606,7 @@ + index index ck_index isT@ S S S? + rindex rindex ck_index isT@ S S S? + +-sprintf sprintf ck_fun mfst@ S L ++sprintf sprintf ck_fun mst@ S L + formline formline ck_fun ms@ S L + ord ord ck_fun ifsTu% S? + chr chr ck_fun fsTu% S? +--- perl-5.8.7/handy.h.CVE-2005-3962-bz174684 2005-04-20 12:33:28.000000000 -0400 ++++ perl-5.8.7/handy.h 2005-12-09 13:57:57.000000000 -0500 +@@ -598,91 +598,65 @@ + + =cut */ + +-#ifndef lint +- + #define NEWSV(x,len) newSV(len) + + #ifdef PERL_MALLOC_WRAP + #define MEM_WRAP_CHECK(n,t) \ +- (void)((n)>((MEM_SIZE)~0)/sizeof(t)?(Perl_croak_nocontext(PL_memory_wrap),0):0) ++ (void)((sizeof(t)>1?(n):1)>((MEM_SIZE)~0)/sizeof(t)?(Perl_croak_nocontext(PL_memory_wrap),0):0) + #define MEM_WRAP_CHECK_1(n,t,a) \ +- (void)((n)>((MEM_SIZE)~0)/sizeof(t)?(Perl_croak_nocontext(a),0):0) ++ (void)((sizeof(t)>1?(n):1)>((MEM_SIZE)~0)/sizeof(t)?(Perl_croak_nocontext(a),0):0) + #define MEM_WRAP_CHECK_2(n,t,a,b) \ +- (void)((n)>((MEM_SIZE)~0)/sizeof(t)?(Perl_croak_nocontext(a,b),0):0) ++ (void)((sizeof(t)>1?(n):1)>((MEM_SIZE)~0)/sizeof(t)?(Perl_croak_nocontext(a,b),0):0) ++#define MEM_WRAP_CHECK_(n,t) MEM_WRAP_CHECK(n,t), + +-#define New(x,v,n,t) (v = (MEM_WRAP_CHECK(n,t), (t*)safemalloc((MEM_SIZE)((n)*sizeof(t))))) +-#define Newc(x,v,n,t,c) (v = (MEM_WRAP_CHECK(n,t), (c*)safemalloc((MEM_SIZE)((n)*sizeof(t))))) +-#define Newz(x,v,n,t) (v = (MEM_WRAP_CHECK(n,t), (t*)safemalloc((MEM_SIZE)((n)*sizeof(t))))), \ +- memzero((char*)(v), (n)*sizeof(t)) +-#define Renew(v,n,t) \ +- (v = (MEM_WRAP_CHECK(n,t), 
(t*)saferealloc((Malloc_t)(v),(MEM_SIZE)((n)*sizeof(t))))) +-#define Renewc(v,n,t,c) \ +- (v = (MEM_WRAP_CHECK(n,t), (c*)saferealloc((Malloc_t)(v),(MEM_SIZE)((n)*sizeof(t))))) +-#define Safefree(d) safefree((Malloc_t)(d)) +- +-#define Move(s,d,n,t) (MEM_WRAP_CHECK(n,t), (void)memmove((char*)(d),(char*)(s), (n) * sizeof(t))) +-#define Copy(s,d,n,t) (MEM_WRAP_CHECK(n,t), (void)memcpy((char*)(d),(char*)(s), (n) * sizeof(t))) +-#define Zero(d,n,t) (MEM_WRAP_CHECK(n,t), (void)memzero((char*)(d), (n) * sizeof(t))) +- +-#define MoveD(s,d,n,t) (MEM_WRAP_CHECK(n,t), memmove((char*)(d),(char*)(s), (n) * sizeof(t))) +-#define CopyD(s,d,n,t) (MEM_WRAP_CHECK(n,t), memcpy((char*)(d),(char*)(s), (n) * sizeof(t))) +-#ifdef HAS_MEMSET +-#define ZeroD(d,n,t) (MEM_WRAP_CHECK(n,t), memzero((char*)(d), (n) * sizeof(t))) +-#else +-/* Using bzero(), which returns void. */ +-#define ZeroD(d,n,t) (MEM_WRAP_CHECK(n,t), memzero((char*)(d), (n) * sizeof(t)),d) +-#endif +- +-#define Poison(d,n,t) (MEM_WRAP_CHECK(n,t), (void)memset((char*)(d), 0xAB, (n) * sizeof(t))) ++#define PERL_STRLEN_ROUNDUP(n) ((void)(((n) > (MEM_SIZE)~0 - 2 * PERL_STRLEN_ROUNDUP_QUANTUM) ? 
(Perl_croak_nocontext(PL_memory_wrap),0):0),((n-1+PERL_STRLEN_ROUNDUP_QUANTUM)&~((MEM_SIZE)PERL_STRLEN_ROUNDUP_QUANTUM-1))) + + #else + + #define MEM_WRAP_CHECK(n,t) + #define MEM_WRAP_CHECK_1(n,t,a) + #define MEM_WRAP_CHECK_2(n,t,a,b) ++#define MEM_WRAP_CHECK_(n,t) ++ ++#define PERL_STRLEN_ROUNDUP(n) (((n-1+PERL_STRLEN_ROUNDUP_QUANTUM)&~((MEM_SIZE)PERL_STRLEN_ROUNDUP_QUANTUM-1))) + +-#define New(x,v,n,t) (v = (t*)safemalloc((MEM_SIZE)((n)*sizeof(t)))) +-#define Newc(x,v,n,t,c) (v = (c*)safemalloc((MEM_SIZE)((n)*sizeof(t)))) +-#define Newz(x,v,n,t) (v = (t*)safemalloc((MEM_SIZE)((n)*sizeof(t)))), \ ++#endif ++ ++#define Newx(v,n,t) (v = (MEM_WRAP_CHECK_(n,t) (t*)safemalloc((MEM_SIZE)((n)*sizeof(t))))) ++#define Newxc(v,n,t,c) (v = (MEM_WRAP_CHECK_(n,t) (c*)safemalloc((MEM_SIZE)((n)*sizeof(t))))) ++#define Newxz(v,n,t) (v = (MEM_WRAP_CHECK_(n,t) (t*)safemalloc((MEM_SIZE)((n)*sizeof(t))))), \ + memzero((char*)(v), (n)*sizeof(t)) ++/* pre 5.9.x compatibility */ ++#define New(x,v,n,t) Newx(v,n,t) ++#define Newc(x,v,n,t,c) Newxc(v,n,t,c) ++#define Newz(x,v,n,t) Newxz(v,n,t) ++ + #define Renew(v,n,t) \ +- (v = (t*)saferealloc((Malloc_t)(v),(MEM_SIZE)((n)*sizeof(t)))) ++ (v = (MEM_WRAP_CHECK_(n,t) (t*)saferealloc((Malloc_t)(v),(MEM_SIZE)((n)*sizeof(t))))) + #define Renewc(v,n,t,c) \ +- (v = (c*)saferealloc((Malloc_t)(v),(MEM_SIZE)((n)*sizeof(t)))) +-#define Safefree(d) safefree((Malloc_t)(d)) +- +-#define Move(s,d,n,t) (void)memmove((char*)(d),(char*)(s), (n) * sizeof(t)) +-#define Copy(s,d,n,t) (void)memcpy((char*)(d),(char*)(s), (n) * sizeof(t)) +-#define Zero(d,n,t) (void)memzero((char*)(d), (n) * sizeof(t)) ++ (v = (MEM_WRAP_CHECK_(n,t) (c*)saferealloc((Malloc_t)(v),(MEM_SIZE)((n)*sizeof(t))))) + +-#define MoveD(s,d,n,t) memmove((char*)(d),(char*)(s), (n) * sizeof(t)) +-#define CopyD(s,d,n,t) memcpy((char*)(d),(char*)(s), (n) * sizeof(t)) +-#ifdef HAS_MEMSET +-#define ZeroD(d,n,t) memzero((char*)(d), (n) * sizeof(t)) ++#ifdef PERL_POISON ++#define Safefree(d) \ ++ (d 
? (void)(safefree((Malloc_t)(d)), Poison(&(d), 1, Malloc_t)) : (void) 0) + #else +-#define ZeroD(d,n,t) ((void)memzero((char*)(d), (n) * sizeof(t)),d) ++#define Safefree(d) safefree((Malloc_t)(d)) + #endif + +-#define Poison(d,n,t) (void)memset((char*)(d), 0xAB, (n) * sizeof(t)) ++#define Move(s,d,n,t) (MEM_WRAP_CHECK_(n,t) (void)memmove((char*)(d),(const char*)(s), (n) * sizeof(t))) ++#define Copy(s,d,n,t) (MEM_WRAP_CHECK_(n,t) (void)memcpy((char*)(d),(const char*)(s), (n) * sizeof(t))) ++#define Zero(d,n,t) (MEM_WRAP_CHECK_(n,t) (void)memzero((char*)(d), (n) * sizeof(t))) + ++#define MoveD(s,d,n,t) (MEM_WRAP_CHECK_(n,t) memmove((char*)(d),(const char*)(s), (n) * sizeof(t))) ++#define CopyD(s,d,n,t) (MEM_WRAP_CHECK_(n,t) memcpy((char*)(d),(const char*)(s), (n) * sizeof(t))) ++#ifdef HAS_MEMSET ++#define ZeroD(d,n,t) (MEM_WRAP_CHECK_(n,t) memzero((char*)(d), (n) * sizeof(t))) ++#else ++/* Using bzero(), which returns void. */ ++#define ZeroD(d,n,t) (MEM_WRAP_CHECK_(n,t) memzero((char*)(d), (n) * sizeof(t)),d) + #endif + +-#else /* lint */ +- +-#define New(x,v,n,s) (v = Null(s *)) +-#define Newc(x,v,n,s,c) (v = Null(s *)) +-#define Newz(x,v,n,s) (v = Null(s *)) +-#define Renew(v,n,s) (v = Null(s *)) +-#define Move(s,d,n,t) +-#define Copy(s,d,n,t) +-#define Zero(d,n,t) +-#define MoveD(s,d,n,t) d +-#define CopyD(s,d,n,t) d +-#define ZeroD(d,n,t) d +-#define Poison(d,n,t) +-#define Safefree(d) (d) = (d) +- +-#endif /* lint */ ++#define Poison(d,n,t) (MEM_WRAP_CHECK_(n,t) (void)memset((char*)(d), 0xAB, (n) * sizeof(t))) + + #ifdef USE_STRUCT_COPY + #define StructCopy(s,d,t) (*((t*)(d)) = *((t*)(s))) +--- perl-5.8.7/perl.h.CVE-2005-3962-bz174684 2005-12-09 13:57:57.000000000 -0500 ++++ perl-5.8.7/perl.h 2005-12-09 13:57:57.000000000 -0500 +@@ -720,6 +720,13 @@ + + #define MEM_SIZE Size_t + ++/* Round all values passed to malloc up, by default to a multiple of ++ sizeof(size_t) ++*/ ++#ifndef PERL_STRLEN_ROUNDUP_QUANTUM ++#define PERL_STRLEN_ROUNDUP_QUANTUM Size_t_size 
++#endif ++ + #if defined(STANDARD_C) && defined(I_STDDEF) + # include + # define STRUCT_OFFSET(s,m) offsetof(s,m) +@@ -3332,10 +3339,8 @@ + INIT("\"my\" variable %s can't be in a package"); + EXTCONST char PL_no_localize_ref[] + INIT("Can't localize through a reference"); +-#ifdef PERL_MALLOC_WRAP + EXTCONST char PL_memory_wrap[] + INIT("panic: memory wrap"); +-#endif + + EXTCONST char PL_uuemap[65] + INIT("`!\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_"); --- perl-5.8.7/sv.c.CVE-2005-3962-bz174684 2005-05-27 06:38:11.000000000 -0400 -+++ perl-5.8.7/sv.c 2005-12-01 13:11:14.000000000 -0500 -@@ -8707,9 +8707,10 @@ ++++ perl-5.8.7/sv.c 2005-12-09 13:58:10.000000000 -0500 +@@ -8707,9 +8707,15 @@ if (vectorize) argsv = vecsv; @@ -40,9 +379,42 @@ - argsv = (efix ? efix <= svmax : svix < svmax) ? - svargs[efix ? efix-1 : svix++] : &PL_sv_undef; + else if (!args) { -+ I32 i = efix ? efix-1 : svix++; -+ argsv = (i >= 0 && i < svmax) ? svargs[i] : &PL_sv_undef; ++ if (efix) { ++ const I32 i = efix-1; ++ argsv = (i >= 0 && i < svmax) ? svargs[i] : &PL_sv_undef; ++ } else { ++ argsv = (svix >= 0 && svix < svmax) ++ ? svargs[svix++] : &PL_sv_undef; ++ } + } switch (c = *q++) { +@@ -8972,6 +8978,8 @@ + *--eptr = '0'; + break; + case 2: ++ if (!uv) ++ alt = FALSE; + do { + dig = uv & 1; + *--eptr = '0' + dig; +@@ -9274,6 +9282,8 @@ + + /* calculate width before utf8_upgrade changes it */ + have = esignlen + zeros + elen; ++ if (have < zeros) ++ Perl_croak_nocontext(PL_memory_wrap); + + if (is_utf8 != has_utf8) { + if (is_utf8) { +@@ -9301,6 +9311,9 @@ + need = (have > width ? have : width); + gap = need - have; + ++ if (need >= (((STRLEN)~0) - SvCUR(sv) - dotstrlen - 1)) ++ Perl_croak_nocontext(PL_memory_wrap); ++ + SvGROW(sv, SvCUR(sv) + need + dotstrlen + 1); + p = SvEND(sv); + if (esignlen && fill == '0') { diff --git a/perl-5.8.7-USE_MM_LD_RUN_PATH.patch b/perl-5.8.7-USE_MM_LD_RUN_PATH.patch new file mode 100644 index 0000000..9a434ac --- /dev/null 
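Review bot: Both new `PERL_STRLEN_ROUNDUP` definitions in handy.h expand their argument as bare `n-1`, while the wrap test in the `PERL_MALLOC_WRAP` variant uses `(n)`; an argument containing a lower-precedence operator would then be range-checked as one value and rounded as another. Writing the rounding as `(((n)-1+PERL_STRLEN_ROUNDUP_QUANTUM)&~((MEM_SIZE)PERL_STRLEN_ROUNDUP_QUANTUM-1))` in both branches keeps the check and the size computation on the same expression. No caller of the macro is visible in this patch, so whether any current use is affected cannot be told from here. Separately, the makedef.pl comment names `CVE-2005-3962` twice; if the second was meant to be the other id given in the commit message it should be corrected, otherwise dropped.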
+++ b/perl-5.8.7-USE_MM_LD_RUN_PATH.patch 
@@ -0,0 +1,115 @@ +--- perl-5.8.7/lib/ExtUtils/MakeMaker.pm.USE_MM_LD_RUN_PATH 2005-12-08 15:10:24.000000000 -0500 ++++ perl-5.8.7/lib/ExtUtils/MakeMaker.pm 2005-12-08 19:36:26.000000000 -0500 +@@ -226,7 +226,7 @@ + PERL_SRC PERM_RW PERM_RWX + PL_FILES PM PM_FILTER PMLIBDIRS POLLUTE PPM_INSTALL_EXEC + PPM_INSTALL_SCRIPT PREREQ_FATAL PREREQ_PM PREREQ_PRINT PRINT_PREREQ +- SKIP TYPEMAPS VERSION VERSION_FROM XS XSOPT XSPROTOARG ++ SKIP TYPEMAPS USE_MM_LD_RUN_PATH VERSION VERSION_FROM XS XSOPT XSPROTOARG + XS_VERSION clean depend dist dynamic_lib linkext macro realclean + tool_autosplit + +@@ -362,7 +362,27 @@ + print join(" ", map { "perl($_)>=$self->{PREREQ_PM}->{$_} " } + sort keys %{$self->{PREREQ_PM}}), "\n"; + exit 0; +- } ++ } ++ ++ # USE_MM_LD_RUN_PATH - another RedHatism to disable automatic RPATH generation ++ if ( ( ! $self->{USE_MM_LD_RUN_PATH} ) ++ &&( ("@ARGV" =~ /\bUSE_MM_LD_RUN_PATH(=([01]))?\b/) ++ ||( exists( $ENV{USE_MM_LD_RUN_PATH} ) ++ &&( $ENV{USE_MM_LD_RUN_PATH} =~ /([01])?$/ ) ++ ) ++ ) ++ ) ++ { ++ my $v = $1; ++ if( $v ) ++ { ++ $v = ($v=~/=([01])$/)[0]; ++ }else ++ { ++ $v = 1; ++ }; ++ $self->{USE_MM_LD_RUN_PATH}=$v; ++ } + + print STDOUT "MakeMaker (v$VERSION)\n" if $Verbose; + if (-f "MANIFEST" && ! -f "Makefile"){ +@@ -2007,6 +2027,40 @@ + precedence, even if it isn't listed in TYPEMAPS. The default system + typemap has lowest precedence. + ++=item USE_MM_LD_RUN_PATH ++ ++boolean ++The Red Hat perl MakeMaker distribution differs from the standard ++upstream release in that it disables use of the MakeMaker generated ++LD_RUN_PATH by default, UNLESS this attribute is specified , or the ++USE_MM_LD_RUN_PATH environment variable is set during the MakeMaker run. ++ ++The upstream MakeMaker will set the ld(1) environment variable LD_RUN_PATH ++to the concatenation of every -L ld(1) option directory in which a -l ld(1) ++option library is found, which is used as the ld(1) -rpath option if none ++is specified. 
This means that, if your application builds shared libraries ++and your MakeMaker application links to them, that the absolute paths of the ++libraries in the build tree will be inserted into the RPATH header of all ++MakeMaker generated binaries, and that such binaries will be unable to link ++to these libraries if they do not still reside in the build tree directories ++(unlikely) or in the system library directories (/lib or /usr/lib), regardless ++of any LD_LIBRARY_PATH setting. So if you specified -L../mylib -lmylib , and ++ your 'libmylib.so' gets installed into /some_directory_other_than_usr_lib, ++ your MakeMaker application will be unable to link to it, even if LD_LIBRARY_PATH ++is set to include /some_directory_other_than_usr_lib, because RPATH overrides ++LD_LIBRARY_PATH. ++ ++So for Red Hat MakeMaker builds LD_RUN_PATH is NOT generated by default for ++every link. You can still use explicit -rpath ld options or the LD_RUN_PATH ++environment variable during the build to generate an RPATH for the binaries. ++ ++You can set the USE_MM_LD_RUN_PATH attribute to 1 on the MakeMaker command ++line or in the WriteMakefile arguments to enable generation of LD_RUN_PATH ++for every link command. ++ ++USE_MM_LD_RUN_PATH will default to 1 (LD_RUN_PATH will be used) IF the ++$USE_MM_LD_RUN_PATH environment variable is set during a MakeMaker run. ++ + =item VENDORPREFIX + + Like PERLPREFIX, but only for the vendor install locations. 
+--- perl-5.8.7/lib/ExtUtils/MM_Unix.pm.USE_MM_LD_RUN_PATH 2005-12-08 15:10:24.000000000 -0500 ++++ perl-5.8.7/lib/ExtUtils/MM_Unix.pm 2005-12-08 18:35:13.000000000 -0500 +@@ -1142,7 +1142,7 @@ + } + + my $ld_run_path_shell = ""; +- if ($self->{LD_RUN_PATH} ne "") { ++ if (($self->{LD_RUN_PATH} ne "") && ($self->{USE_MM_LD_RUN_PATH})) { + $ld_run_path_shell = 'LD_RUN_PATH="$(LD_RUN_PATH)" '; + } + push(@m, +--- perl-5.8.7/lib/ExtUtils/Liblist.pm.USE_MM_LD_RUN_PATH 2003-04-07 14:58:17.000000000 -0400 ++++ perl-5.8.7/lib/ExtUtils/Liblist.pm 2005-12-08 19:39:28.000000000 -0500 +@@ -51,6 +51,8 @@ + specifics below. The list of the filenames is returned only if + $need_names argument is true. + ++NOTE: if the LD_RUN_PATH me ++ + Dependent libraries can be linked in one of three ways: + + =over 2 +@@ -87,6 +89,11 @@ + in LDLOADLIBS. It is passed as an environment variable to the process + that links the shared library. + ++Red Hat extension: This generation of LD_RUN_PATH is disabled by default. ++To use the generated LD_RUN_PATH for all links, set the USE_MM_LD_RUN_PATH ++MakeMaker object attribute / argument, (or set the $USE_MM_LD_RUN_PATH ++environment variable). ++ + =head2 BSLOADLIBS + + List of those libraries that are needed but can be linked in diff --git a/perl.spec b/perl.spec index 672468a..d972108 100644 --- a/perl.spec +++ b/perl.spec @@ -5,7 +5,7 @@ %define multilib_64_archs x86_64 s390x ppc64 sparc64 %define perlver 5.8.7 -%define perlrel 0.8.fc5 +%define perlrel 8 %define perlepoch 3 %{?!perl_debugging: %define perl_debugging 0} @@ -132,6 +132,8 @@ Patch136009: perl-5.8.7-MM_Unix-rpath-136009.patch Patch174684: perl-5.8.7-CVE-2005-3962-bz174684.patch +Patch1360090: perl-5.8.7-USE_MM_LD_RUN_PATH.patch + # module updatesd # Patch202: perl-5.8.0-Safe2.09.patch 
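Review bot: In the MakeMaker.pm block that derives `USE_MM_LD_RUN_PATH` from `@ARGV` or `%ENV`, the environment path is inverted: `/([01])?$/` captures a bare `1`, `if( $v )` is then true, and `($v=~/=([01])$/)[0]` finds no `=` and yields undef, so `USE_MM_LD_RUN_PATH=1` in the environment leaves the setting off while `USE_MM_LD_RUN_PATH=0` falls into the `else` and turns it on. Because this switch decides whether the MakeMaker-generated LD_RUN_PATH (build-tree library directories, per the added POD) reaches the link command, a builder who exports `0` to keep those paths out of the RPATH gets the opposite. The guard `! $self->{USE_MM_LD_RUN_PATH}` also treats an explicit `USE_MM_LD_RUN_PATH => 0` from WriteMakefile as unset, so the command line or environment can override it. Handling the two sources separately, as sketched below, stops `$1` being shared between differently shaped captures; the enclosing sub lies outside the hunk, so the sketch is unchecked against the rest of it. The Liblist.pm POD in the same patch also gains a truncated line, `NOTE: if the LD_RUN_PATH me`, which should be completed or dropped.

```perl
    # USE_MM_LD_RUN_PATH - another RedHatism to disable automatic RPATH generation
    if ( !defined $self->{USE_MM_LD_RUN_PATH} ) {
        if ( "@ARGV" =~ /\bUSE_MM_LD_RUN_PATH(?:=([01]))?\b/ ) {
            # a bare name on the command line means "on"
            $self->{USE_MM_LD_RUN_PATH} = defined $1 ? $1 : 1;
        }
        elsif ( exists $ENV{USE_MM_LD_RUN_PATH} ) {
            # an explicit 0 or 1 is honoured; any other value means "on"
            $self->{USE_MM_LD_RUN_PATH} =
                $ENV{USE_MM_LD_RUN_PATH} =~ /\A([01])\z/ ? $1 : 1;
        }
    }
    # … unchanged: print STDOUT "MakeMaker (v$VERSION)\n" if $Verbose; …
```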
@@ -298,6 +300,8 @@ more secure running of setuid perl scripts. %patch174684 -p1 +%patch1360090 -p1 + # Candidates for doc recoding (need case by case review): # find . -name "*.pod" -o -name "README*" -o -name "*.pm" | xargs file -i | grep charset= | grep -v '\(us-ascii\|utf-8\)' recode() @@ -507,6 +511,17 @@ rm -rf $RPM_BUILD_ROOT %changelog +* Thu Dec 08 2005 Jason Vas Dias - 3.5.8.7-8 +- Apply upstream patches 26283 and 26284 : complete, revised fixes + for CVE-2005-3962 and CVE-2005-3912 and + "Sys::Syslog security vulnerabilities" issues. +- Fix bug 136009 / MakeMaker LD_RUN_PATH issue: + restore previous default Red Hat behavior of removing the MakeMaker + generated LD_RUN_PATH setting from the link command . + Document this removal, as it contravenes upstream default behavior, and + provide a USE_MM_LD_RUN_PATH MakeMaker member to enable use of the + MakeMaker generated LD_RUN_PATH . + * Thu Dec 01 2005 Jason Vas Dias - 3:5.8.7-0.8 - fix bug 174684 / CVE-2005-3962: sprintf integer overflow vulnerability backport upstream patch #26240