perl-devel September 2006

perl-devel@lists.fedoraproject.org

13 participants
62 discussions

A couple of requests for FC-6
by Jose Pedro Oliveira 22 Sep '06

22 Sep '06

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Robin, It would be nice to have the following topics taken care before the FC-6 final release: 1. Rawhide: perl packages to update ====================================================================== Fedora Core Development CPAN ------------------------------------------------------------------- Archive-Tar-1.29 (Archive-Tar-1.30.tar.gz) DBD-MySQL-3.0006 (DBD-mysql-3.0007.tar.gz) Devel-Symdump-2.0601 (Devel-Symdump-2.0602.tar.gz) IO-Socket-SSL-0.998 (IO-Socket-SSL-1.01.tar.gz) PDL-2.4.2 (PDL-2.4.3.tar.gz) ------------------------------------------------------------------- Note: There is already a bugzilla ticket opened requesting the IO::Socket::SSL update (bugzilla ticket 206782). 2. Rawhide perl package: drop directory support for perl 5.8.3 and 5.84 ====================================================================== Removing support for perl 5.8.3 and perl 5.8.4 reduces the number of directories in the perl search path (@INC), which improves the perl modules loading time. This has already been done in past for FC-4 where support for perl 5.8.0/5.8.1/5.8.2 has dropped. perl specfile patch: -------------------- --- perl.spec.588_8 2006-07-14 22:22:06.000000000 +0100 +++ perl.spec 2006-09-17 16:10:58.000000000 +0100 @@ -26,9 +26,7 @@ Provides: perl(:WITHOUT_THREADS) %endif -%define perlmodcompat 5.8.7 5.8.6 5.8.5 5.8.4 5.8.3 -Provides: perl(:MODULE_COMPAT_5.8.3) -Provides: perl(:MODULE_COMPAT_5.8.4) +%define perlmodcompat 5.8.7 5.8.6 5.8.5 Provides: perl(:MODULE_COMPAT_5.8.5) Provides: perl(:MODULE_COMPAT_5.8.6) Provides: perl(:MODULE_COMPAT_5.8.7) -------------------- Note: The FC-4 change was reported in the Release Notes. 3. Rawhide perl-LDAP: enable LDAPS support ====================================================================== Now that perl-IO-Socket-SSL and perl-Net-SSLeay are core packages it would be great to have the package perl-LDAP pulling in perl-IO-Socket-SSL automatically. More information available in the following bugzilla ticket: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=122066 Regards, jpo - -- José Pedro Oliveira * mailto: jpo(a)di.uminho.pt * http://gsd.di.uminho.pt/jpo * * gpg fingerprint = F9B6 8D87 859D 1C94 48F0 84C0 9749 9EB5 91BD 851B * -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org iD8DBQFFDW3tl0metZG9hRsRAlvGAJ9vLVOt15Hle6K8wrQtjSKna0rBEQCeMRIZ 6nKCeV5G//YDcOI6w5lI620= =3Su8 -----END PGP SIGNATURE-----

5 9

[Bug 185242] New: ioctl default minimum argument length of 256 should be restored
by Red Hat Bugzilla 21 Sep '06

21 Sep '06

Please do not reply directly to this email. All additional comments should be made in the comments box of this bug report. https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=185242 Summary: ioctl default minimum argument length of 256 should be restored Product: Fedora Core Version: fc4 Platform: All URL: http://rt.perl.org/rt3/Ticket/Display.html?id=38223 OS/Version: Linux Status: NEW Severity: normal Priority: normal Component: perl AssignedTo: jvdias(a)redhat.com ReportedBy: jvdias(a)redhat.com QAContact: dkl(a)redhat.com CC: fedora-perl-devel-list@redhat.com,prockai@redhat.com +++ This bug was initially created as a clone of Bug #185240 +++ Description of problem: This is perl bug request ticket 38223 . Owing to the fix for bug 171111, where the length bitfield of the ioctl number argument, which specifies the length of the optional RD ioctl output third argument, was not being extracted correctly, and perl used 256 as the minimum length of the third argument in all cases, perl now does not ascribe any minimum length to the third argument unless the length bitfield is specified. This has the result that unless the length bitfield of the ioctl number is specified, a third argument of a buffer with insufficient length for the ioctl output will be overflowed, and perl will suffer a buffer overflow and a potential memory access violation or memory corruption, as generated by the following code (from perlbug RT# 38223): #!/usr/bin/perl require 'sys/ioctl.ph'; die "no TIOCGWINSZ " unless defined &TIOCGWINSZ; open(TTY, "+</dev/tty") or die "No tty: $!"; unless (ioctl(TTY, &TIOCGWINSZ, $winsize='')) { die sprintf "$0: ioctl TIOCGWINSZ (%08x: $!)\n", &TIOCGWINSZ; } ($row, $col, $xpixel, $ypixel) = unpack('S4', $winsize); print "(row,col) = ($row,$col)"; print " (xpixel,ypixel) = ($xpixel,$ypixel)" if $xpixel || $ypixel; print "\n"; Perl now correctly detects the buffer overflow: Possible memory corruption: ioctl overflowed 3rd argument at ./bug38223.pl line 5. This would not have occurred with perl versions before perl-5.8.6-18, because the length of all the ioctl third output arguments was made a minimum of 256 bytes. The overflow would not have occurred if the ioctl call had been : ioctl(TTY, &TIOCGWINSZ, $winsize='x'x16) or ioctl(TTY, &TIOCGWINSZ | (16 << &_IOC_SIZESHIFT), $winsize='') The default size of 256 has been restored in the latest upstream patch for this issue: ==== //depot/perl/perl.h#657 (text) ==== Index: perl/perl.h --- perl/perl.h.~1~ Fri Jan 13 04:10:49 2006 +++ perl/perl.h Fri Jan 13 04:10:49 2006 @@ -2977,8 +2977,8 @@ # define IOCPARM_LEN(x) (((x) >> 16) & \ # IOCPARM_MASK) # else # if defined(_IOC_SIZE) && defined(__GLIBC__) - /* on Linux systems we're safe */ -# define IOCPARM_LEN(x) _IOC_SIZE(x) + /* on Linux systems we're safe; except when we're not [perl #38223] */ +# define IOCPARM_LEN(x) (_IOC_SIZE(x) < 256 ? 256 : \ _IOC_SIZE(x)) # else /* otherwise guess at what's safe */ # define IOCPARM_LEN(x) 256 End of Patch. Version-Release number of selected component (if applicable): perl-5.8.6-22 How reproducible: 100% Steps to Reproduce: Invoke a READ ioctl with a 0 length bitfield and and output buffer third argument of insufficient length to hold the potential ioctl output. Actual results: Perl exits with error: Possible memory corruption: ioctl overflowed 3rd argument Expected results: Perl should enforce a minimum length of 256 bytes for the ioctl output buffer. -- Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is.

1 6

[Bug 174684] New: Perl integer overflow issue
by Red Hat Bugzilla 21 Sep '06

21 Sep '06

Please do not reply directly to this email. All additional comments should be made in the comments box of this bug report. https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=174684 Summary: Perl integer overflow issue Product: Fedora Core Version: fc4 Platform: All OS/Version: Linux Status: NEW Severity: security Priority: normal Component: perl AssignedTo: jvdias(a)redhat.com ReportedBy: bressers(a)redhat.com QAContact: dkl(a)redhat.com CC: fedora-perl-devel-list(a)redhat.com Perl integer overflow issue There exists an integer overflow problem in Perl which can lead to a string format issue. If a large enough integer is supplied to a printf statement which uses the %n conversion, it may be possible to execute arbitrary code. This problem will not be easy to remotely exploit as a very poorly written script will first be needed. http://marc.theaimsgroup.com/?l=full-disclosure&m=113342788118630&w=2 Doesn't Affec: RHEL2.1 This issue also affects FC3 -- Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is.

1 15

[Bug 172336] New: getgrnam() crashes with "Out of memory" if /etc/group contains long lines
by Red Hat Bugzilla 21 Sep '06

21 Sep '06

Please do not reply directly to this email. All additional comments should be made in the comments box of this bug report. https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=172336 Summary: getgrnam() crashes with "Out of memory" if /etc/group contains long lines Product: Fedora Core Version: fc4 Platform: i386 URL: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=227621 OS/Version: Linux Status: NEW Severity: security Priority: normal Component: perl AssignedTo: jvdias(a)redhat.com ReportedBy: jvdias(a)redhat.com QAContact: dkl(a)redhat.com CC: fedora-perl-devel-list@redhat.com,prockai@redhat.com +++ This bug was initially created as a clone of Bug #163958 +++ >From Bugzilla Helper: User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.10) Gecko/20050720 Firefox/1.0.6 Description of problem: This bug has been fixed in Debian and in newest Perl. I'm just wondering does this concern RHEL 3 too, because we are rather close having "too much" users in one group and I would rather see this bug fixed before that we are going to have problems. * Fix test of reenterant function return values which was causing perl to malloc itself to death if ERANGE was encountered before ENOENT (such as a long line in /etc/group; closes: #227621). Version-Release number of selected component (if applicable): How reproducible: Didn't try Additional info: -- Additional comment from jvdias(a)redhat.com on 2005-11-02 16:23 EST -- This is PERL bug 37056, fixed with patch 25084 in bleadperl (5.9.x): ( http://rt.perl.org/rt3/Ticket/Display.html?id=37056 ) Subject: getgrent fails if a line in /etc/groups gets too long Date: Fri, 02 Sep 2005 15:53:08 +0200 To: perlbug(a)perl.org From: Michiel Blotwijk <michiel(a)blotwijk.com> This is a bug report for perl from michiel(a)altiplano.be, generated with the help of perlbug 1.35 running under perl v5.8.5. ----------------------------------------------------------------- [Please enter your report here] The function getgrent throws an error if a line in /etc/groups gets too long (> 3000 characters). This error can be reproduced as follows: 1/ Manually add a large number of users to a group in /etc/group. It doesn't really matter if these are real users or not, as long as the line exceeds 3000 characters. 2/ perl -e 'use User::grent; while (my $gr = getgrent() ) { print $gr->name."\n"; }' This will return an "Out of memory!" message. This thread seems to be related: http://lists.debian.org/debian-security/2005/06/msg00041.html Originally reported at Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=227621 As said in the Debian bug report: From: "Steinar H. Gunderson" <sgunderson(a)bigfoot.com> To: Peter Palúch <peterp(a)frix.fri.utc.sk> Cc: control(a)bugs.debian.org, 227621(a)bugs.debian.org, debian-security(a)lists.debian.org Subject: Re: perl: getgrnam() crashes with "Out of memory" if /etc/group contains long lines Date: Fri, 10 Jun 2005 15:03:02 +0200 It's about the same bug in perl as it was in glibc. reentr.pl line 698 reads: $call = qq[((PL_REENTRANT_RETINT = $call)$test ? $true : (((PL_REENTRANT_RETINT == ERANGE) || (errno == ERANGE)) ? ($seenm{$func}{$seenr{$func}})Perl_reentrant_retry("$func"$rv) : 0))]; The problem here is "errno == ERANGE". If, at any time, there's a line longer than the initial buffer, getgrent() (or any in the same family) will get ERANGE back (and errno will be set to ERANGE). However, this is never reset. Thus, when getgrent_r() hits EOF, it returns ENOENT, _but errno is still ERANGE_. Perl figures the buffer was too small, doubles it and tries again, but still gets ENOENT, of course (and errno is still ERANGE). This goes on forever and ever until you run out of memory (which happens quite fast). The solution is simply to remove "errno == ERANGE" AFAICS; getgrent_r() does not define what happens to errno, and the return message will always be ERANGE if the buffer is too small. I'm a bit tempted to tag this "security"; if a user can (say) change his or her own GECOS field to make it long enough, Perl programs using getpwent() will crash, for instance. I can't find any direct way to exploit it (chfn limits the length of the fields, for instance), but I'm still slightly concerned over the possibilities of a DoS; Cc-ing debian-security. /* Steinar */ I agree this bug has security implications . This problem affects all {get,set}* nss perl wrapper functions, not only getgrent . This problem affects all previous releases of PERL in all current Red Hat releases. The patch is very straightforward - replace all occurences of ((PL_REENTRANT_RETINT == ERANGE) || (errno == ERANGE)) with (PL_REENTRANT_RETINT == ERANGE) in reentr.inc and reentr.pl. This bug is now being fixed in these perl versions: Rawhide / FC-5 : perl-5.8.7-0.7.fc5 FC-4 : perl-5.8.6-16 RHEL-4 : perl-5.8.5-17.RHEL4 RHEL-3 : perl-5.8.0-90.2 -- Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is.

1 3

[Bug 184530] Review Request: perl-RPM2
by Red Hat Bugzilla 21 Sep '06

21 Sep '06

Please do not reply directly to this email. All additional comments should be made in the comments box of this bug report. Summary: Review Request: perl-RPM2 https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=184530 jpo(a)di.uminho.pt changed: What |Removed |Added ---------------------------------------------------------------------------- CC|jpo(a)di.uminho.pt |fedora-perl-devel- | |list(a)redhat.com ------- Additional Comments From jpo(a)di.uminho.pt 2006-09-21 08:34 EST ------- CC += fedora-perl-devel-list(a)redhat.com * I believe Jason is no longer around; maybe Robin Norwood could take over this and try to contact the Red Hat Legal Department * The core perl-RPM-Specfile package has the same problem: - same author (Chip Turner) - same initial packager (Chip Turner) - it doesn't contain any copyright information (http://search.cpan.org/dist/RPM-Specfile/) - the specfile states the license is "GPL or Artistic" $ rpm -qp --qf="%{license}\n" perl-RPM-Specfile-1.19-2.1.1.src.rpm GPL or Artistic * The upstream RPM package started including the perl RPM[2] module as of 4.4.3. It now generates a rpm-perl subpackage (http://wraptastic.org/pub/rpm-4.4.x/) $ rpm -qpl rpm-perl-4.4.3-1.i386.rpm /usr/lib/perl5/site_perl/5.8.7/i386-linux-thread-multi/RPM2.pm /usr/lib/perl5/site_perl/5.8.7/i386-linux-thread-multi/auto/RPM2 /usr/lib/perl5/site_perl/5.8.7/i386-linux-thread-multi/auto/RPM2/RPM2.so /usr/share/man/man3/RPM2.3pm.gz $ rpm -qpl rpm-perl-4.4.6-1.i386.rpm /usr/lib/perl5/site_perl/5.8.8/i386-linux-thread-multi/RPM.pm /usr/lib/perl5/site_perl/5.8.8/i386-linux-thread-multi/auto/RPM /usr/lib/perl5/site_perl/5.8.8/i386-linux-thread-multi/auto/RPM/RPM.so /usr/share/man/man3/RPM.3pm.gz Note: the rpm maintainer has renamed the perl module (RPM2 -> RPM) -- Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is.

1 0

[Bug 204800] perl.prov script misparses some version information
by Red Hat Bugzilla 19 Sep '06

19 Sep '06

Please do not reply directly to this email. All additional comments should be made in the comments box of this bug report. Summary: perl.prov script misparses some version information https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=204800 cweyl(a)alumni.drew.edu changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |fedora-perl-devel- | |list(a)redhat.com -- Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is.

1 0

[Bug 202310] New: perl-DBI: update request to version 1.52 (FC-5 and rawhide)
by Red Hat Bugzilla 15 Sep '06

15 Sep '06

Please do not reply directly to this email. All additional comments should be made in the comments box of this bug report. https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=202310 Summary: perl-DBI: update request to version 1.52 (FC-5 and rawhide) Product: Fedora Core Version: devel Platform: All OS/Version: Linux Status: NEW Severity: high Priority: high Component: perl-DBI AssignedTo: jvdias(a)redhat.com ReportedBy: jpo(a)di.uminho.pt CC: fedora-perl-devel-list(a)redhat.com Description of problem: Version 1.52 fixes two memory leaks. Version-Release number of selected component (if applicable): Rawhide: perl-DBI-1.51-1.src.rpm FC-5 : perl-DBI-1.50-2.2.src.rpm Additional info: Version 1.52 changelog ---------------------- +=head2 Changes in DBI 1.52 (svn rev 6734), 30h July 2006 + + Fixed memory leak (per handle) thanks to Nicholas Clark and Ephraim Dan. + Fixed memory leak (16 bytes per sth) thanks to Doru Theodor Petrescu. + Fixed execute_for_fetch/execute_array to RaiseError thanks to Martin J. Evans. + Fixed for perl 5.9.4. Users of Perl >= 5.9.4 will require DBI >= 1.52. + + Updated DBD::File to 0.35 to match the latest release on CPAN. + + Added $dbh->statistics_info specification thanks to Brandon Black. + + Many changes and additions to profiling: + Profile Path can now uses sane strings instead of obscure numbers, + can refer to attributes, assorted magical values, and even code refs! + Parsing of non-numeric DBI_PROFILE env var values has changed. + Changed DBI::Profile docs extensively - many new features. + See DBI::Profile docs for more information. Diff from DBI-1.51 to DBI-1.52 ------------------------------ http://search.cpan.org/diff?from=DBI-1.51&to=DBI-1.52 -- Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is.

1 4

Updating perl modules inside the base perl package
by Kelly Corbin 13 Sep '06

13 Sep '06

First of all, if I've asked this question to the inappropriate list, I apologize. I've asked other lists with no response as I think it may be outside many users expertise. And, it seemed this list *was* the most appropriate place to ask. Here's my question: Can anyone point me in the direction to steps or documentation to update the perl modules inside the base perl package for RHEL or Fedora? We need newer versions of a couple modules that are integrated in the package (instead of being separate modules that we can upgrade individually, grrr!) and I wanted to know how the package maintainers do it so I can do it myself. Then I can update the perl package with the newer modules we need as it is updated from Red Hat. Thanks! Kelly -- -------------------------------------------- -- Kelly Corbin -- Network Administrator -- -- http://www.theiqgroup.com -- -- The IQ Group, Inc. -- 6740 Antioch Suite 260 -- Merriam, KS 66204 -- (913)-722-6700 x105 -- Fax 866-714-7282 --------------------------------------------

5 5

[Bug 205609] New: Errant provide: perl(UNIVERSAL)
by Red Hat Bugzilla 11 Sep '06

11 Sep '06

Please do not reply directly to this email. All additional comments should be made in the comments box of this bug report. https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=205609 Summary: Errant provide: perl(UNIVERSAL) Product: Fedora Extras Version: fc5 Platform: All OS/Version: Linux Status: NEW Severity: normal Priority: normal Component: perl-UNIVERSAL-require AssignedTo: tcallawa(a)redhat.com ReportedBy: cweyl(a)alumni.drew.edu QAContact: extras-qa(a)fedoraproject.org CC: extras-qa(a)fedoraproject.org,fedora-perl-devel- list(a)redhat.com This package provides perl(UNIVERSAL), which is properly provided by the base perl package. (This bug is valid for devel also, but BZ won't allow multiple version selections.) -- Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is.

1 1

[Bug 205607] New: Errant provide: perl(UNIVERSAL)
by Red Hat Bugzilla 11 Sep '06

11 Sep '06

Please do not reply directly to this email. All additional comments should be made in the comments box of this bug report. https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=205607 Summary: Errant provide: perl(UNIVERSAL) Product: Fedora Extras Version: fc5 Platform: All OS/Version: Linux Status: NEW Severity: normal Priority: normal Component: perl-UNIVERSAL-exports AssignedTo: tcallawa(a)redhat.com ReportedBy: cweyl(a)alumni.drew.edu QAContact: extras-qa(a)fedoraproject.org CC: extras-qa(a)fedoraproject.org,fedora-perl-devel- list(a)redhat.com This package provides perl(UNIVERSAL), which is properly provided by the base perl package. (This bug is valid for devel also, but BZ won't allow multiple version selections.) -- Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is.

1 1

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

perl-devel September 2006