A couple of requests for FC-6
by Jose Pedro Oliveira
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Robin,
It would be nice to have the following topics taken care before
the FC-6 final release:
1. Rawhide: perl packages to update
======================================================================
Fedora Core Development CPAN
-------------------------------------------------------------------
Archive-Tar-1.29 (Archive-Tar-1.30.tar.gz)
DBD-MySQL-3.0006 (DBD-mysql-3.0007.tar.gz)
Devel-Symdump-2.0601 (Devel-Symdump-2.0602.tar.gz)
IO-Socket-SSL-0.998 (IO-Socket-SSL-1.01.tar.gz)
PDL-2.4.2 (PDL-2.4.3.tar.gz)
-------------------------------------------------------------------
Note:
There is already a bugzilla ticket opened requesting the
IO::Socket::SSL update (bugzilla ticket 206782).
2. Rawhide perl package: drop directory support for perl 5.8.3 and 5.84
======================================================================
Removing support for perl 5.8.3 and perl 5.8.4 reduces the number
of directories in the perl search path (@INC), which improves the
perl modules loading time.
This has already been done in past for FC-4 where support for
perl 5.8.0/5.8.1/5.8.2 has dropped.
perl specfile patch:
--------------------
--- perl.spec.588_8 2006-07-14 22:22:06.000000000 +0100
+++ perl.spec 2006-09-17 16:10:58.000000000 +0100
@@ -26,9 +26,7 @@
Provides: perl(:WITHOUT_THREADS)
%endif
-%define perlmodcompat 5.8.7 5.8.6 5.8.5 5.8.4 5.8.3
-Provides: perl(:MODULE_COMPAT_5.8.3)
-Provides: perl(:MODULE_COMPAT_5.8.4)
+%define perlmodcompat 5.8.7 5.8.6 5.8.5
Provides: perl(:MODULE_COMPAT_5.8.5)
Provides: perl(:MODULE_COMPAT_5.8.6)
Provides: perl(:MODULE_COMPAT_5.8.7)
--------------------
Note:
The FC-4 change was reported in the Release Notes.
3. Rawhide perl-LDAP: enable LDAPS support
======================================================================
Now that perl-IO-Socket-SSL and perl-Net-SSLeay are core packages
it would be great to have the package perl-LDAP pulling in
perl-IO-Socket-SSL automatically.
More information available in the following bugzilla ticket:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=122066
Regards,
jpo
- --
José Pedro Oliveira
* mailto: jpo(a)di.uminho.pt * http://gsd.di.uminho.pt/jpo *
* gpg fingerprint = F9B6 8D87 859D 1C94 48F0 84C0 9749 9EB5 91BD 851B *
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org
iD8DBQFFDW3tl0metZG9hRsRAlvGAJ9vLVOt15Hle6K8wrQtjSKna0rBEQCeMRIZ
6nKCeV5G//YDcOI6w5lI620=
=3Su8
-----END PGP SIGNATURE-----
14 years, 4 months
[Bug 185242] New: ioctl default minimum argument length of 256 should be restored
by Red Hat Bugzilla
Please do not reply directly to this email. All additional
comments should be made in the comments box of this bug report.
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=185242
Summary: ioctl default minimum argument length of 256 should be
restored
Product: Fedora Core
Version: fc4
Platform: All
URL: http://rt.perl.org/rt3/Ticket/Display.html?id=38223
OS/Version: Linux
Status: NEW
Severity: normal
Priority: normal
Component: perl
AssignedTo: jvdias(a)redhat.com
ReportedBy: jvdias(a)redhat.com
QAContact: dkl(a)redhat.com
CC: fedora-perl-devel-list@redhat.com,prockai(a)redhat.com
+++ This bug was initially created as a clone of Bug #185240 +++
Description of problem:
This is perl bug request ticket 38223 .
Owing to the fix for bug 171111, where the length bitfield of the ioctl
number argument, which specifies the length of the optional RD ioctl output
third argument, was not being extracted correctly, and perl used 256 as the
minimum length of the third argument in all cases, perl now does not ascribe
any minimum length to the third argument unless the length bitfield is
specified.
This has the result that unless the length bitfield of the ioctl number is
specified, a third argument of a buffer with insufficient length for the
ioctl output will be overflowed, and perl will suffer a buffer overflow
and a potential memory access violation or memory corruption,
as generated by the following code (from perlbug RT# 38223):
#!/usr/bin/perl
require 'sys/ioctl.ph';
die "no TIOCGWINSZ " unless defined &TIOCGWINSZ;
open(TTY, "+</dev/tty") or die "No tty: $!";
unless (ioctl(TTY, &TIOCGWINSZ, $winsize='')) {
die sprintf "$0: ioctl TIOCGWINSZ (%08x: $!)\n", &TIOCGWINSZ;
}
($row, $col, $xpixel, $ypixel) = unpack('S4', $winsize);
print "(row,col) = ($row,$col)";
print " (xpixel,ypixel) = ($xpixel,$ypixel)" if $xpixel || $ypixel;
print "\n";
Perl now correctly detects the buffer overflow:
Possible memory corruption: ioctl overflowed 3rd argument at ./bug38223.pl
line 5.
This would not have occurred with perl versions before perl-5.8.6-18,
because the length of all the ioctl third output arguments was made a
minimum of 256 bytes.
The overflow would not have occurred if the ioctl call had been :
ioctl(TTY, &TIOCGWINSZ, $winsize='x'x16)
or
ioctl(TTY, &TIOCGWINSZ | (16 << &_IOC_SIZESHIFT), $winsize='')
The default size of 256 has been restored in the latest upstream patch for
this issue:
==== //depot/perl/perl.h#657 (text) ====
Index: perl/perl.h
--- perl/perl.h.~1~ Fri Jan 13 04:10:49 2006
+++ perl/perl.h Fri Jan 13 04:10:49 2006
@@ -2977,8 +2977,8 @@
# define IOCPARM_LEN(x) (((x) >> 16) & \ # IOCPARM_MASK)
# else
# if defined(_IOC_SIZE) && defined(__GLIBC__)
- /* on Linux systems we're safe */
-# define IOCPARM_LEN(x) _IOC_SIZE(x)
+ /* on Linux systems we're safe; except when we're not [perl #38223] */
+# define IOCPARM_LEN(x) (_IOC_SIZE(x) < 256 ? 256 : \ _IOC_SIZE(x))
# else
/* otherwise guess at what's safe */
# define IOCPARM_LEN(x) 256
End of Patch.
Version-Release number of selected component (if applicable):
perl-5.8.6-22
How reproducible:
100%
Steps to Reproduce:
Invoke a READ ioctl with a 0 length bitfield and and output buffer
third argument of insufficient length to hold the potential ioctl output.
Actual results:
Perl exits with error:
Possible memory corruption: ioctl overflowed 3rd argument
Expected results:
Perl should enforce a minimum length of 256 bytes for the ioctl output buffer.
--
Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.
14 years, 4 months
[Bug 174684] New: Perl integer overflow issue
by Red Hat Bugzilla
Please do not reply directly to this email. All additional
comments should be made in the comments box of this bug report.
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=174684
Summary: Perl integer overflow issue
Product: Fedora Core
Version: fc4
Platform: All
OS/Version: Linux
Status: NEW
Severity: security
Priority: normal
Component: perl
AssignedTo: jvdias(a)redhat.com
ReportedBy: bressers(a)redhat.com
QAContact: dkl(a)redhat.com
CC: fedora-perl-devel-list(a)redhat.com
Perl integer overflow issue
There exists an integer overflow problem in Perl which can lead to a
string format issue. If a large enough integer is supplied to a
printf statement which uses the %n conversion, it may be possible to
execute arbitrary code. This problem will not be easy to remotely
exploit as a very poorly written script will first be needed.
http://marc.theaimsgroup.com/?l=full-disclosure&m=113342788118630&w=2
Doesn't Affec: RHEL2.1
This issue also affects FC3
--
Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.
14 years, 4 months
[Bug 172336] New: getgrnam() crashes with "Out of memory" if /etc/group contains long lines
by Red Hat Bugzilla
Please do not reply directly to this email. All additional
comments should be made in the comments box of this bug report.
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=172336
Summary: getgrnam() crashes with "Out of memory" if /etc/group
contains long lines
Product: Fedora Core
Version: fc4
Platform: i386
URL: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=227621
OS/Version: Linux
Status: NEW
Severity: security
Priority: normal
Component: perl
AssignedTo: jvdias(a)redhat.com
ReportedBy: jvdias(a)redhat.com
QAContact: dkl(a)redhat.com
CC: fedora-perl-devel-list@redhat.com,prockai(a)redhat.com
+++ This bug was initially created as a clone of Bug #163958 +++
>From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.10) Gecko/20050720
Firefox/1.0.6
Description of problem:
This bug has been fixed in Debian and in newest Perl. I'm just wondering does
this concern RHEL 3 too, because we are rather close having "too much" users in
one group and I would rather see this bug fixed before that we are going to have
problems.
* Fix test of reenterant function return values which was causing
perl to malloc itself to death if ERANGE was encountered before
ENOENT (such as a long line in /etc/group; closes: #227621).
Version-Release number of selected component (if applicable):
How reproducible:
Didn't try
Additional info:
-- Additional comment from jvdias(a)redhat.com on 2005-11-02 16:23 EST --
This is PERL bug 37056, fixed with patch 25084 in bleadperl (5.9.x):
( http://rt.perl.org/rt3/Ticket/Display.html?id=37056 )
Subject: getgrent fails if a line in /etc/groups gets too long
Date: Fri, 02 Sep 2005 15:53:08 +0200
To: perlbug(a)perl.org
From: Michiel Blotwijk <michiel(a)blotwijk.com>
This is a bug report for perl from michiel(a)altiplano.be,
generated with the help of perlbug 1.35 running under perl v5.8.5.
-----------------------------------------------------------------
[Please enter your report here]
The function getgrent throws an error if a line in /etc/groups gets
too long (> 3000 characters). This error can be reproduced as follows:
1/ Manually add a large number of users to a group in /etc/group. It doesn't
really matter if these are real users or not, as long as the line exceeds
3000 characters.
2/ perl -e 'use User::grent; while (my $gr = getgrent() ) { print
$gr->name."\n"; }'
This will return an "Out of memory!" message.
This thread seems to be related:
http://lists.debian.org/debian-security/2005/06/msg00041.html
Originally reported at Debian:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=227621
As said in the Debian bug report:
From: "Steinar H. Gunderson" <sgunderson(a)bigfoot.com>
To: Peter Palúch <peterp(a)frix.fri.utc.sk>
Cc: control(a)bugs.debian.org, 227621(a)bugs.debian.org,
debian-security(a)lists.debian.org
Subject: Re: perl: getgrnam() crashes with "Out of memory" if /etc/group
contains long lines
Date: Fri, 10 Jun 2005 15:03:02 +0200
It's about the same bug in perl as it was in glibc. reentr.pl line 698 reads:
$call = qq[((PL_REENTRANT_RETINT = $call)$test ? $true :
(((PL_REENTRANT_RETINT == ERANGE) || (errno == ERANGE)) ?
($seenm{$func}{$seenr{$func}})Perl_reentrant_retry("$func"$rv) : 0))];
The problem here is "errno == ERANGE". If, at any time, there's a line longer
than the initial buffer, getgrent() (or any in the same family) will get
ERANGE back (and errno will be set to ERANGE). However, this is never reset.
Thus, when getgrent_r() hits EOF, it returns ENOENT, _but errno is still
ERANGE_. Perl figures the buffer was too small, doubles it and tries again,
but still gets ENOENT, of course (and errno is still ERANGE). This goes on
forever and ever until you run out of memory (which happens quite fast).
The solution is simply to remove "errno == ERANGE" AFAICS; getgrent_r() does
not define what happens to errno, and the return message will always be
ERANGE if the buffer is too small.
I'm a bit tempted to tag this "security"; if a user can (say) change his or
her own GECOS field to make it long enough, Perl programs using getpwent()
will crash, for instance. I can't find any direct way to exploit it (chfn
limits the length of the fields, for instance), but I'm still slightly
concerned over the possibilities of a DoS; Cc-ing debian-security.
/* Steinar */
I agree this bug has security implications .
This problem affects all {get,set}* nss perl wrapper functions, not only
getgrent .
This problem affects all previous releases of PERL in all current Red Hat
releases.
The patch is very straightforward - replace all occurences of
((PL_REENTRANT_RETINT == ERANGE) || (errno == ERANGE))
with
(PL_REENTRANT_RETINT == ERANGE)
in reentr.inc and reentr.pl.
This bug is now being fixed in these perl versions:
Rawhide / FC-5 : perl-5.8.7-0.7.fc5
FC-4 : perl-5.8.6-16
RHEL-4 : perl-5.8.5-17.RHEL4
RHEL-3 : perl-5.8.0-90.2
--
Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.
14 years, 4 months
[Bug 184530] Review Request: perl-RPM2
by Red Hat Bugzilla
Please do not reply directly to this email. All additional
comments should be made in the comments box of this bug report.
Summary: Review Request: perl-RPM2
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=184530
jpo(a)di.uminho.pt changed:
What |Removed |Added
----------------------------------------------------------------------------
CC|jpo(a)di.uminho.pt |fedora-perl-devel-
| |list(a)redhat.com
------- Additional Comments From jpo(a)di.uminho.pt 2006-09-21 08:34 EST -------
CC += fedora-perl-devel-list(a)redhat.com
* I believe Jason is no longer around; maybe Robin Norwood could take over
this and try to contact the Red Hat Legal Department
* The core perl-RPM-Specfile package has the same problem:
- same author (Chip Turner)
- same initial packager (Chip Turner)
- it doesn't contain any copyright information
(http://search.cpan.org/dist/RPM-Specfile/)
- the specfile states the license is "GPL or Artistic"
$ rpm -qp --qf="%{license}\n" perl-RPM-Specfile-1.19-2.1.1.src.rpm
GPL or Artistic
* The upstream RPM package started including the perl RPM[2] module as of 4.4.3.
It now generates a rpm-perl subpackage (http://wraptastic.org/pub/rpm-4.4.x/)
$ rpm -qpl rpm-perl-4.4.3-1.i386.rpm
/usr/lib/perl5/site_perl/5.8.7/i386-linux-thread-multi/RPM2.pm
/usr/lib/perl5/site_perl/5.8.7/i386-linux-thread-multi/auto/RPM2
/usr/lib/perl5/site_perl/5.8.7/i386-linux-thread-multi/auto/RPM2/RPM2.so
/usr/share/man/man3/RPM2.3pm.gz
$ rpm -qpl rpm-perl-4.4.6-1.i386.rpm
/usr/lib/perl5/site_perl/5.8.8/i386-linux-thread-multi/RPM.pm
/usr/lib/perl5/site_perl/5.8.8/i386-linux-thread-multi/auto/RPM
/usr/lib/perl5/site_perl/5.8.8/i386-linux-thread-multi/auto/RPM/RPM.so
/usr/share/man/man3/RPM.3pm.gz
Note: the rpm maintainer has renamed the perl module (RPM2 -> RPM)
--
Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.
14 years, 4 months
[Bug 202310] New: perl-DBI: update request to version 1.52 (FC-5 and rawhide)
by Red Hat Bugzilla
Please do not reply directly to this email. All additional
comments should be made in the comments box of this bug report.
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=202310
Summary: perl-DBI: update request to version 1.52 (FC-5 and
rawhide)
Product: Fedora Core
Version: devel
Platform: All
OS/Version: Linux
Status: NEW
Severity: high
Priority: high
Component: perl-DBI
AssignedTo: jvdias(a)redhat.com
ReportedBy: jpo(a)di.uminho.pt
CC: fedora-perl-devel-list(a)redhat.com
Description of problem:
Version 1.52 fixes two memory leaks.
Version-Release number of selected component (if applicable):
Rawhide: perl-DBI-1.51-1.src.rpm
FC-5 : perl-DBI-1.50-2.2.src.rpm
Additional info:
Version 1.52 changelog
----------------------
+=head2 Changes in DBI 1.52 (svn rev 6734), 30h July 2006
+
+ Fixed memory leak (per handle) thanks to Nicholas Clark and Ephraim Dan.
+ Fixed memory leak (16 bytes per sth) thanks to Doru Theodor Petrescu.
+ Fixed execute_for_fetch/execute_array to RaiseError thanks to Martin J. Evans.
+ Fixed for perl 5.9.4. Users of Perl >= 5.9.4 will require DBI >= 1.52.
+
+ Updated DBD::File to 0.35 to match the latest release on CPAN.
+
+ Added $dbh->statistics_info specification thanks to Brandon Black.
+
+ Many changes and additions to profiling:
+ Profile Path can now uses sane strings instead of obscure numbers,
+ can refer to attributes, assorted magical values, and even code refs!
+ Parsing of non-numeric DBI_PROFILE env var values has changed.
+ Changed DBI::Profile docs extensively - many new features.
+ See DBI::Profile docs for more information.
Diff from DBI-1.51 to DBI-1.52
------------------------------
http://search.cpan.org/diff?from=DBI-1.51&to=DBI-1.52
--
Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.
14 years, 4 months
Updating perl modules inside the base perl package
by Kelly Corbin
First of all, if I've asked this question to the inappropriate list, I
apologize. I've asked other lists with no response as I think it may be
outside many users expertise. And, it seemed this list *was* the most
appropriate place to ask.
Here's my question: Can anyone point me in the direction to steps or
documentation to update the perl modules inside the base perl package
for RHEL or Fedora? We need newer versions of a couple modules that are
integrated in the package (instead of being separate modules that we can
upgrade individually, grrr!) and I wanted to know how the package
maintainers do it so I can do it myself. Then I can update the perl
package with the newer modules we need as it is updated from Red Hat.
Thanks!
Kelly
--
--------------------------------------------
-- Kelly Corbin
-- Network Administrator
--
-- http://www.theiqgroup.com
--
-- The IQ Group, Inc.
-- 6740 Antioch Suite 260
-- Merriam, KS 66204
-- (913)-722-6700 x105
-- Fax 866-714-7282
--------------------------------------------
14 years, 4 months
[Bug 205609] New: Errant provide: perl(UNIVERSAL)
by Red Hat Bugzilla
Please do not reply directly to this email. All additional
comments should be made in the comments box of this bug report.
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=205609
Summary: Errant provide: perl(UNIVERSAL)
Product: Fedora Extras
Version: fc5
Platform: All
OS/Version: Linux
Status: NEW
Severity: normal
Priority: normal
Component: perl-UNIVERSAL-require
AssignedTo: tcallawa(a)redhat.com
ReportedBy: cweyl(a)alumni.drew.edu
QAContact: extras-qa(a)fedoraproject.org
CC: extras-qa(a)fedoraproject.org,fedora-perl-devel-
list(a)redhat.com
This package provides perl(UNIVERSAL), which is properly provided by the base
perl package.
(This bug is valid for devel also, but BZ won't allow multiple version selections.)
--
Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.
14 years, 4 months
[Bug 205607] New: Errant provide: perl(UNIVERSAL)
by Red Hat Bugzilla
Please do not reply directly to this email. All additional
comments should be made in the comments box of this bug report.
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=205607
Summary: Errant provide: perl(UNIVERSAL)
Product: Fedora Extras
Version: fc5
Platform: All
OS/Version: Linux
Status: NEW
Severity: normal
Priority: normal
Component: perl-UNIVERSAL-exports
AssignedTo: tcallawa(a)redhat.com
ReportedBy: cweyl(a)alumni.drew.edu
QAContact: extras-qa(a)fedoraproject.org
CC: extras-qa(a)fedoraproject.org,fedora-perl-devel-
list(a)redhat.com
This package provides perl(UNIVERSAL), which is properly provided by the base
perl package.
(This bug is valid for devel also, but BZ won't allow multiple version selections.)
--
Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.
14 years, 4 months