[perl/f14] Fix code injection in Digest
Petr Pisar
ppisar at fedoraproject.org
Wed Oct 5 16:35:01 UTC 2011
commit b5d432af71842b800d17a696782dd9f1da7f06f1
Author: Petr Písař <ppisar at redhat.com>
Date: Tue Oct 4 13:39:56 2011 +0200
Fix code injection in Digest
perl-5.14.2-digest_eval.patch | 28 ++++++++++++++++++++++++++++
perl.spec | 10 +++++++++-
2 files changed, 37 insertions(+), 1 deletions(-)
---
diff --git a/perl-5.14.2-digest_eval.patch b/perl-5.14.2-digest_eval.patch
new file mode 100644
index 0000000..dc7cc2d
--- /dev/null
+++ b/perl-5.14.2-digest_eval.patch
@@ -0,0 +1,28 @@
+From dbcab24bb98b4a243c8330bc7017c2080832b3f9 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar at redhat.com>
+Date: Tue, 4 Oct 2011 13:46:39 +0200
+Subject: [PATCH] Fix code injection in Digest
+
+See <https://bugzilla.redhat.com/show_bug.cgi?id=743010> for more details.
+---
+ cpan/Digest/Digest.pm | 4 +++-
+ 1 files changed, 3 insertions(+), 1 deletions(-)
+
+diff --git a/cpan/Digest/Digest.pm b/cpan/Digest/Digest.pm
+index 384dfc8..4b923ae 100644
+--- a/cpan/Digest/Digest.pm
++++ b/cpan/Digest/Digest.pm
+@@ -35,7 +35,9 @@ sub new
+ ($class, @args) = @$class if ref($class);
+ no strict 'refs';
+ unless (exists ${"$class\::"}{"VERSION"}) {
+- eval "require $class";
++ my $pm_file = $class . ".pm";
++ $pm_file =~ s{::}{/}g;
++ eval { require $pm_file };
+ if ($@) {
+ $err ||= $@;
+ next;
+--
+1.7.6.4
+
diff --git a/perl.spec b/perl.spec
index f9a77b4..223f3ed 100644
--- a/perl.spec
+++ b/perl.spec
@@ -12,7 +12,7 @@
Name: perl
Version: %{perl_version}
# release number must be even higher, becase dual-lived modules will be broken otherwise
-Release: 146%{?dist}
+Release: 147%{?dist}
Epoch: %{perl_epoch}
Summary: Practical Extraction and Report Language
Group: Development/Languages
@@ -66,6 +66,9 @@ Patch9: perl-5.12.2-h2ph.patch
# Update ExtUtils::ParseXS to 2.2206
Patch10: perl-ExtUtils-ParseXS-2.2206.patch
+# Fix code injection in Digest, rhbz #743010, RT#71390, fixed in Digest-1.17.
+Patch11: perl-5.14.2-digest_eval.patch
+
# Update some of the bundled modules
# see http://fedoraproject.org/wiki/Perl/perl.spec for instructions
@@ -939,6 +942,7 @@ upstream tarball from perl.org.
%patch8 -p1
%patch9 -p1
%patch10 -p1
+%patch11 -p1
#
# Candidates for doc recoding (need case by case review):
@@ -1139,6 +1143,7 @@ pushd %{build_archlib}/CORE/
'Fedora Patch8: Do not leak when destroying thread; RT #77352' \
'Fedora Patch9: h2ph produces incorrect code in preamble, based mainly on RT #74614 ' \
'Fedora Patch10: Update ExtUtils::ParseXS to 2.2206' \
+ 'Fedora Patch11: Fix code injection in Digest->new()' \
%{nil}
rm patchlevel.bak
@@ -1872,6 +1877,9 @@ rm -rf $RPM_BUILD_ROOT
# Old changelog entries are preserved in CVS.
%changelog
+* Wed Oct 05 2011 Petr Pisar <ppisar at redhat.com> - 4:5.12.4-147
+- Fix CVE-2011-3597 (code injection in Digest) (bug #743010)
+
* Fri Jun 24 2011 Marcela Mašláňová <mmaslano at redhat.com> - 4:5.12.4-146
- every Fedora has different paths -> remove dirs, which were added in
previous commit
More information about the scm-commits
mailing list