5.24.1 bump

2017-01-16 12:28:00 +01:00 · 2017-01-16 12:28:00 +01:00 · bd9339be54
commit bd9339be54
parent a5af0c2d4e
5 changed files with 12 additions and 4068 deletions
--- a/.gitignore
+++ b/.gitignore
@ -22,3 +22,4 @@ perl-5.12.1.tar.gz
 /perl-5.22.1.tar.bz2
 /perl-5.22.2.tar.bz2
 /perl-5.24.0.tar.bz2
+/perl-5.24.1.tar.bz2
--- a/perl-5.24.0-CVE-2016-1238-maint-5.24-dot-in-inc.patch
+++ b/perl-5.24.0-CVE-2016-1238-maint-5.24-dot-in-inc.patch
--- a/perl-5.25.2-Don-t-let-XSLoader-load-relative-paths.patch
+++ b/perl-5.25.2-Don-t-let-XSLoader-load-relative-paths.patch
@ -1,237 +0,0 @@
-From 08e3451d7b3b714ad63a27f1b9c2a23ee75d15ee Mon Sep 17 00:00:00 2001
-From: Father Chrysostomos <sprout@cpan.org>
-Date: Sat, 2 Jul 2016 22:56:51 -0700
-Subject: [PATCH 1/4] =?UTF-8?q?Don=E2=80=99t=20let=20XSLoader=20load=20rel?=
- =?UTF-8?q?ative=20paths?=
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-[rt.cpan.org #115808]
-
-The logic in XSLoader for determining the library goes like this:
-
-    my $c = () = split(/::/,$caller,-1);
-    $modlibname =~ s,[\\/][^\\/]+$,, while $c--;    # Q&D basename
-    my $file = "$modlibname/auto/$modpname/$modfname.bundle";
-
-(That last line varies by platform.)
-
-$caller is the calling package.  $modlibname is the calling file.  It
-removes as many path segments from $modlibname as there are segments
-in $caller.  So if you have Foo/Bar/XS.pm calling XSLoader from the
-Foo::Bar package, the $modlibname will end up containing the path in
-@INC where XS.pm was found, followed by "/Foo".  Usually the fallback
-to Dynaloader::bootstrap_inherit, which does an @INC search, makes
-things Just Work.
-
-But if our hypothetical Foo/Bar/XS.pm actually calls
-XSLoader::load from inside a string eval, then path ends up being
-"(eval 1)/auto/Foo/Bar/Bar.bundle".
-
-So if someone creates a directory named ‘(eval 1)’ with a naughty
-binary file in it, it will be loaded if a script using Foo::Bar is run
-in the parent directory.
-
-This commit makes XSLoader fall back to Dynaloader’s @INC search if
-the calling file has a relative path that is not found in @INC.
---
- dist/XSLoader/XSLoader_pm.PL | 25 +++++++++++++++++++++++++
- dist/XSLoader/t/XSLoader.t   | 27 ++++++++++++++++++++++++++-
- 2 files changed, 51 insertions(+), 1 deletion(-)
-
-diff --git a/dist/XSLoader/XSLoader_pm.PL b/dist/XSLoader/XSLoader_pm.PL
-index 8a8852e..749f72d 100644
--- a/dist/XSLoader/XSLoader_pm.PL
-+++ b/dist/XSLoader/XSLoader_pm.PL
-@@ -91,6 +91,31 @@ print OUT <<'EOT';
-     my $modpname = join('/',@modparts);
-     my $c = () = split(/::/,$caller,-1);
-     $modlibname =~ s,[\\/][^\\/]+$,, while $c--;    # Q&D basename
-+    # Does this look like a relative path?
-+    if ($modlibname !~ m|^[\\/]|) {
-+        # Someone may have a #line directive that changes the file name, or
-+        # may be calling XSLoader::load from inside a string eval.  We cer-
-+        # tainly do not want to go loading some code that is not in @INC,
-+        # as it could be untrusted.
-+        #
-+        # We could just fall back to DynaLoader here, but then the rest of
-+        # this function would go untested in the perl core, since all @INC
-+        # paths are relative during testing.  That would be a time bomb
-+        # waiting to happen, since bugs could be introduced into the code.
-+        #
-+        # So look through @INC to see if $modlibname is in it.  A rela-
-+        # tive $modlibname is not a common occurrence, so this block is
-+        # not hot code.
-+        FOUND: {
-+            for (@INC) {
-+                if ($_ eq $modlibname) {
-+                    last FOUND;
-+                }
-+            }
-+            # Not found.  Fall back to DynaLoader.
-+            goto \&XSLoader::bootstrap_inherit;
-+        }
-+    }
- EOT
- 
- my $dl_dlext = quotemeta($Config::Config{'dlext'});
-diff --git a/dist/XSLoader/t/XSLoader.t b/dist/XSLoader/t/XSLoader.t
-index 2ff11fe..1e86faa 100644
--- a/dist/XSLoader/t/XSLoader.t
-+++ b/dist/XSLoader/t/XSLoader.t
-@@ -33,7 +33,7 @@ my %modules = (
-     'Time::HiRes'=> q| ::can_ok( 'Time::HiRes' => 'usleep'  ) |,  # 5.7.3
- );
- 
-plan tests => keys(%modules) * 3 + 9;
-+plan tests => keys(%modules) * 3 + 10;
- 
- # Try to load the module
- use_ok( 'XSLoader' );
-@@ -125,3 +125,28 @@ XSLoader::load("Devel::Peek");
- EOS
-     or ::diag $@;
- }
-+
-+SKIP: {
-+  skip "File::Path not available", 1
-+    unless eval { require File::Path };
-+  my $name = "phooo$$";
-+  File::Path::make_path("$name/auto/Foo/Bar");
-+  open my $fh,
-+    ">$name/auto/Foo/Bar/Bar.$Config::Config{'dlext'}";
-+  close $fh;
-+  my $fell_back;
-+  local *XSLoader::bootstrap_inherit = sub {
-+    $fell_back++;
-+    # Break out of the calling subs
-+    goto the_test;
-+  };
-+  eval <<END;
-+#line 1 $name
-+package Foo::Bar;
-+XSLoader::load("Foo::Bar");
-+END
-+ the_test:
-+  ok $fell_back,
-+    'XSLoader will not load relative paths based on (caller)[1]';
-+  File::Path::remove_tree($name);
-+}
-- 
-2.5.5
-
-From 5993d6620f29d22b0a72701f4f0fdacff3d25460 Mon Sep 17 00:00:00 2001
-From: Father Chrysostomos <sprout@cpan.org>
-Date: Sat, 2 Jul 2016 22:57:46 -0700
-Subject: [PATCH 2/4] Increase $XSLoader::VERSION to 0.22
-
---
- dist/XSLoader/XSLoader_pm.PL | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/dist/XSLoader/XSLoader_pm.PL b/dist/XSLoader/XSLoader_pm.PL
-index 749f72d..7e24b83 100644
--- a/dist/XSLoader/XSLoader_pm.PL
-+++ b/dist/XSLoader/XSLoader_pm.PL
-@@ -11,7 +11,7 @@ print OUT <<'EOT';
- 
- package XSLoader;
- 
-$VERSION = "0.21";
-+$VERSION = "0.22";
- 
- #use strict;
- 
-- 
-2.5.5
-
-From a651dcdf6a9151150dcf0fb6b18849d3e39b0811 Mon Sep 17 00:00:00 2001
-From: Father Chrysostomos <sprout@cpan.org>
-Date: Mon, 4 Jul 2016 08:48:57 -0700
-Subject: [PATCH 3/4] Fix XSLoader to recognize drive letters
-
-Commit 08e3451d made XSLoader confirm that the file path it got
-from (caller)[2] was in @INC if it looked like a relative path.
-Not taking drive letters into account, it made that @INC search
-mandatory on Windows and some other systems.  It still worked, but
-was slightly slower.
---
- dist/XSLoader/XSLoader_pm.PL | 14 +++++++++++++-
- 1 file changed, 13 insertions(+), 1 deletion(-)
-
-diff --git a/dist/XSLoader/XSLoader_pm.PL b/dist/XSLoader/XSLoader_pm.PL
-index 7e24b83..2efb99e 100644
--- a/dist/XSLoader/XSLoader_pm.PL
-+++ b/dist/XSLoader/XSLoader_pm.PL
-@@ -91,8 +91,20 @@ print OUT <<'EOT';
-     my $modpname = join('/',@modparts);
-     my $c = () = split(/::/,$caller,-1);
-     $modlibname =~ s,[\\/][^\\/]+$,, while $c--;    # Q&D basename
-+EOT
-+
-+my $to_print = <<'EOT';
-     # Does this look like a relative path?
-    if ($modlibname !~ m|^[\\/]|) {
-+    if ($modlibname !~ m{regexp}) {
-+EOT
-+
-+$to_print =~ s~regexp~
-+    $^O eq 'MSWin32' || $^O eq 'os2' || $^O eq 'cygwin' || $^O eq 'amigaos'
-+        ? '^(?:[A-Za-z]:)?[\\\/]' # Optional drive letter
-+        : '^/'
-+~e;
-+
-+print OUT $to_print, <<'EOT';
-         # Someone may have a #line directive that changes the file name, or
-         # may be calling XSLoader::load from inside a string eval.  We cer-
-         # tainly do not want to go loading some code that is not in @INC,
-- 
-2.5.5
-
-From ae635bbffa4769051671b9832a7472b9d977c198 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?S=C3=A9bastien=20Aperghis-Tramoni?= <sebastien@aperghis.net>
-Date: Tue, 5 Jul 2016 14:53:08 -0700
-Subject: [PATCH 4/4] Synchronize blead with CPAN XSLoader 0.22
-
---
- dist/XSLoader/XSLoader_pm.PL | 2 +-
- dist/XSLoader/t/XSLoader.t   | 4 ++--
- 2 files changed, 3 insertions(+), 3 deletions(-)
-
-diff --git a/dist/XSLoader/XSLoader_pm.PL b/dist/XSLoader/XSLoader_pm.PL
-index 2efb99e..09f9d4b 100644
--- a/dist/XSLoader/XSLoader_pm.PL
-+++ b/dist/XSLoader/XSLoader_pm.PL
-@@ -255,7 +255,7 @@ XSLoader - Dynamically load C libraries into Perl code
- 
- =head1 VERSION
- 
-Version 0.17
-+Version 0.22
- 
- =head1 SYNOPSIS
- 
-diff --git a/dist/XSLoader/t/XSLoader.t b/dist/XSLoader/t/XSLoader.t
-index 1e86faa..d3538b8 100644
--- a/dist/XSLoader/t/XSLoader.t
-+++ b/dist/XSLoader/t/XSLoader.t
-@@ -130,7 +130,7 @@ SKIP: {
-   skip "File::Path not available", 1
-     unless eval { require File::Path };
-   my $name = "phooo$$";
-  File::Path::make_path("$name/auto/Foo/Bar");
-+  File::Path::mkpath("$name/auto/Foo/Bar");
-   open my $fh,
-     ">$name/auto/Foo/Bar/Bar.$Config::Config{'dlext'}";
-   close $fh;
-@@ -148,5 +148,5 @@ END
-  the_test:
-   ok $fell_back,
-     'XSLoader will not load relative paths based on (caller)[1]';
-  File::Path::remove_tree($name);
-+  File::Path::rmtree($name);
- }
-- 
-2.5.5
-
--- a/perl.spec
+++ b/perl.spec
@ -1,4 +1,4 @@
-%global perl_version    5.24.0
+%global perl_version    5.24.1
 %global perl_epoch      4
 %global perl_arch_stem -thread-multi
 %global perl_archname %{_arch}-%{_os}%{perl_arch_stem}
@ -28,7 +28,7 @@
 Name:           perl
 Version:        %{perl_version}
 # release number must be even higher, because dual-lived modules will be broken otherwise
-Release:        384%{?dist}
+Release:        385%{?dist}
 Epoch:          %{perl_epoch}
 Summary:        Practical Extraction and Report Language
 Group:          Development/Languages
@ -160,10 +160,6 @@ Patch37:        perl-5.25.2-perl-128238-Crash-with-non-stash-in-stash.patch
 # Fix line numbers with perl -x, RT#128508, in upstream after 5.25.2
 Patch38:        perl-5.25.2-perl-128508-Fix-line-numbers-with-perl-x.patch

-# Do not let XSLoader load relative paths, CVE-2016-6185, RT#115808,
-# in upstream after 5.25.2
-Patch39:        perl-5.25.2-Don-t-let-XSLoader-load-relative-paths.patch
-
 # Fix a crash when vivifying a stub in a deleted package, RT#128532,
 # in upstream after 5.25.2
 Patch40:        perl-5.25.2-perl-128532-Crash-vivifying-stub-in-deleted-pkg.patch
@ -179,10 +175,6 @@ Patch42:        perl-5.25.2-perl-128597-Crash-from-gp_free-ckWARN_d.patch
 # in upstream after 5.25.3
 Patch43:        perl-5.24.0-PATCH-perl-128734-tr-N-.-failing-for-128-255.patch

-# Avoid loading of modules from current directory, CVE-2016-1238, bug #1360425
-# in upstream after 5.24.1
-Patch44:        perl-5.24.0-CVE-2016-1238-maint-5.24-dot-in-inc.patch
-
 # Fix crash in "evalbytes S", RT#129196, in upstream after 5.25.4
 Patch45:        perl-5.25.4-perl-129196-Crash-bad-read-with-evalbytes-S.patch
 Patch46:        perl-5.24.0-Regression-test-for-RT-129196.patch
@ -287,7 +279,7 @@ BuildRequires:  rsyslog


 # compat macro needed for rebuild
-%global perl_compat perl(:MODULE_COMPAT_5.24.0)
+%global perl_compat perl(:MODULE_COMPAT_5.24.1)

 # File provides
 Provides: perl(bytes_heavy.pl)
@ -343,6 +335,7 @@ Group:          Development/Languages
 License:        (GPL+ or Artistic) and HSLR and MIT and UCD
 # Compat provides
 Provides:       %perl_compat
+Provides:       perl(:MODULE_COMPAT_5.24.0)
 # Interpreter version to fulfil required genersted from "require 5.006;"
 Provides:       perl(:VERSION) = %{perl_version}
 # Threading provides
@ -1957,7 +1950,7 @@ Summary:        What modules are shipped with versions of perl
 Group:          Development/Libraries
 License:        GPL+ or Artistic
 Epoch:          1
-Version:        5.20160506
+Version:        5.20170114
 Requires:       %perl_compat
 Requires:       perl(List::Util)
 Requires:       perl(version) >= 0.88
@ -1976,7 +1969,7 @@ Summary:        Tool for listing modules shipped with perl
 Group:          Development/Tools
 License:        GPL+ or Artistic
 Epoch:          1
-Version:        5.20160506
+Version:        5.20170114
 Requires:       %perl_compat
 Requires:       perl(feature)
 Requires:       perl(version) >= 0.88
@ -2907,12 +2900,10 @@ Perl extension for Version Objects
 %patch36 -p1
 %patch37 -p1
 %patch38 -p1
-%patch39 -p1
 %patch40 -p1
 %patch41 -p1
 %patch42 -p1
 %patch43 -p1
-%patch44 -p1
 %patch45 -p1
 %patch46 -p1
 %patch47 -p1
@ -2963,12 +2954,10 @@ perl -x patchlevel.h \
    'Fedora Patch36: Do not treat %: as a stash (RT#128238)' \
    'Fedora Patch37: Do not crash when inserting a non-stash into a stash (RT#128238)' \
    'Fedora Patch38: Fix line numbers with perl -x (RT#128508)' \
-    'Fedora Patch39: Do not let XSLoader load relative paths (CVE-2016-6185)' \
    'Fedora Patch40: Fix a crash when vivifying a stub in a deleted package (RT#128532)' \
    'Fedora Patch41: Fix a crash in "Subroutine redefined" warning (RT#128257)' \
    'Fedora Patch42: Fix a crash in lexical scope warnings (RT#128597)' \
    'Fedora Patch43: Fix handling \N{} in tr for characters in range 128--255 (RT#128734)' \
-    'Fedora Patch44: Avoid loading of modules from current directory (CVE-2016-1238)' \
    'Fedora Patch45: Fix crash in "evalbytes S" (RT#129196)' \
    'Fedora Patch46: Fix crash in "evalbytes S" (RT#129196)' \
    'Fedora Patch47: Fix crash in "evalbytes S" (RT#129196)' \
@ -5266,6 +5255,10 @@ popd

 # Old changelog entries are preserved in CVS.
 %changelog
+* Mon Jan 16 2017 Jitka Plesnikova <jplesnik@redhat.com> - 4:5.24.1-385
+- 5.24.1 bump (see <http://search.cpan.org/dist/perl-5.24.1/pod/perldelta.pod>
+  for release notes)
+
 * Thu Jan 12 2017 Igor Gnatenko <ignatenko@redhat.com> - 4:5.24.0-384
 - Rebuild for readline 7.x

--- a/2
+++ b/2
@ -1 +1 @@
-99f39abe614b50719d9915431e54fc1e  perl-5.24.0.tar.bz2
+SHA512 (perl-5.24.1.tar.bz2) = 5a6e5f5fcd65e7add7ba2126d530a8e2a912cb076cfe61bbf7e49b28e4e63aa0d474183a6f8a388c67d03ea6a44f367efb3b3a768e971ef52b769e737eeb048b