From e6745c245aa1e79823dcb4abb88f40709369a3e4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?=
Date: Tue, 4 Oct 2011 13:39:56 +0200
Subject: [PATCH] Fix code injection in Digest
---
 perl-5.14.2-digest_eval.patch | 28 ++++++++++++++++++++++++++++
 perl.spec | 10 +++++++++-
 2 files changed, 37 insertions(+), 1 deletion(-)
 create mode 100644 perl-5.14.2-digest_eval.patch
diff --git a/perl-5.14.2-digest_eval.patch b/perl-5.14.2-digest_eval.patch
new file mode 100644
index 0000000..dc7cc2d
--- /dev/null
+++ b/perl-5.14.2-digest_eval.patch
@@ -0,0 +1,28 @@
+From dbcab24bb98b4a243c8330bc7017c2080832b3f9 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?=
+Date: Tue, 4 Oct 2011 13:46:39 +0200
+Subject: [PATCH] Fix code injection in Digest
+
+See for more details.
+---
+ cpan/Digest/Digest.pm | 4 +++-
+ 1 files changed, 3 insertions(+), 1 deletions(-)
+
+diff --git a/cpan/Digest/Digest.pm b/cpan/Digest/Digest.pm
+index 384dfc8..4b923ae 100644
+--- a/cpan/Digest/Digest.pm
++++ b/cpan/Digest/Digest.pm
+@@ -35,7 +35,9 @@ sub new
+ ($class, @args) = @$class if ref($class);
+ no strict 'refs';
+ unless (exists ${"$class\::"}{"VERSION"}) {
+- eval "require $class";
++ my $pm_file = $class . ".pm";
++ $pm_file =~ s{::}{/}g;
++ eval { require $pm_file };
+ if ($@) {
+ $err ||= $@;
+ next;
+--
+1.7.6.4
+
diff --git a/perl.spec b/perl.spec
index 1f46550..5b142f4 100644
--- a/perl.spec
+++ b/perl.spec
@@ -22,7 +22,7 @@
 Name: perl
 Version: %{perl_version}
 # release number must be even higher, because dual-lived modules will be broken otherwise
-Release: 194%{?dist}
+Release: 195%{?dist}
 Epoch: %{perl_epoch}
 Summary: Practical Extraction and Report Language
 Group: Development/Languages
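Review bot: In the Digest.pm hunk the block-form `eval { require $pm_file }` removes the string eval, but `$class` still arrives unchecked from the caller and is used both in the `${"$class\::"}{"VERSION"}` symbol-table lookup under `no strict 'refs'` and, after the `::` → `/` rewrite, as the relative path handed to `require`, so whatever string the caller supplies still decides which file is searched for in @INC. A module-name sanity check ahead of the `unless` block, e.g. `next unless $class =~ m{\A [A-Za-z_]\w* (?: :: \w+ )* \z}x;`, would confine loading to well-formed package names; the head and tail of `new`, including where `$class` is derived and the loop that `next` belongs to, lie outside the hunk, so the exact placement and whether `next` or setting `$err` is the right failure path need confirming there. The patch description's `See for more details.` line has lost its reference (most likely a URL dropped with its angle brackets); the spec comment already cites rhbz #743010 and RT#71390, and repeating one of those in the patch header would make the patch self-describing.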
@@ -68,6 +68,9 @@ Patch7: perl-5.10.0-x86_64-io-test-failure.patch
 # switch off test, which is failing only on koji (fork)
 Patch8: perl-5.14.1-offtest.patch
+# Fix code injection in Digest, rhbz #743010, RT#71390, fixed in Digest-1.17.
+Patch9: perl-5.14.2-digest_eval.patch
+
 # Update some of the bundled modules
 # see http://fedoraproject.org/wiki/Perl/perl.spec for instructions
@@ -1116,6 +1119,7 @@ tarball from perl.org.
 %patch6 -p1
 %patch7 -p1
 %patch8 -p1
+%patch9 -p1
 #copy the example script
 cp -a %{SOURCE5} .
@@ -1310,6 +1314,7 @@ pushd %{build_archlib}/CORE/
 'Fedora Patch5: USE_MM_LD_RUN_PATH' \
 'Fedora Patch6: Skip hostname tests, due to builders not being network capable' \
 'Fedora Patch7: Dont run one io test due to random builder failures' \
+ 'Fedora Patch9: Fix code injection in Digest->new()' \
 %{nil}
 rm patchlevel.bak
@@ -2209,6 +2214,9 @@ sed \
 # Old changelog entries are preserved in CVS.
 %changelog
+* Tue Oct 04 2011 Petr Pisar - 4:5.14.2-195
+- Fix code injection in Digest (bug #743010)
+
 * Tue Oct 04 2011 Iain Arnell 4:5.14.2-194
 - add provide for perl(:MODULE_COMPAT_5.14.2)