[Bug 751886] CVE-2011-4115 perl-Parallel-ForkManager: insecure temporary file usage
by Red Hat Bugzilla
https://bugzilla.redhat.com/show_bug.cgi?id=751886
--- Comment #2 from Jason Tibbitts <tibbs(a)math.uh.edu> 2011-11-08 19:09:43 EST ---
Guess I should comment here instead of in one of the tracking bugs.
Bottom line is that this has been open upstream since May:
https://rt.cpan.org/Public/Bug/Display.html?id=68298
As far as I can tell, upstream is completely unresponsive; there have been no
comments to pretty much any of the bugs open on all of his packages on CPAN.
So far my searching hasn't turned up any patches from any other distro, but
it's always possible that I'm missing something. I'm not really up on the
current state of cross-distro security collaboration so if anyone has any
guidance, I'd be happy to hear it.
Packages requiring this one:
netdisco
perl-FusionInventory-Agent-Task-NetDiscovery
perl-FusionInventory-Agent-Task-SNMPQuery
Honestly at this point I'd really like to just drop it from the distro, but
that may not be an option. What remains is to fix it, but that doesn't appear
trivial.
The module uses files in /tmp for communication between the master process and
its children. The children write out a file with a predictable name and the
master knows where to look for data when a child exits. You can't randomize
the name because the predictability is important to how things work.
The master could pass a random name, in the environment or something, but that
still gives an attacker plenty of time to get in there and predict the filename
that will be used, create it, and do various
The master could pass an open file handle or something, but that changes the
API.
I wonder if it would be sufficient to create a random mode 700 directory in
/tmp and just use that. Honestly I'm no security expert and I certainly don't
want to attempt a fix that doesn't actually help. I've tried that before and
found that the experts generally get rather derisive when you say you've fixed
something but they can still find a problem with it.
12 years, 7 months
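The private-directory idea raised at the end of the comment above, as an added Perl example (not Parallel::ForkManager code and not taken from the bug report). The helper names result_path, child_store and master_fetch are hypothetical; the file names stay predictable from the child PID, but only inside a randomly named mode 0700 directory that other local users cannot write to.

```perl
#!/usr/bin/perl
# Added illustration; not Parallel::ForkManager code. All helper names are hypothetical.
use strict;
use warnings;
use Fcntl qw(O_WRONLY O_CREAT O_EXCL O_RDONLY O_NOFOLLOW S_ISREG);
use File::Temp qw(tempdir);

# tempdir() picks a random name and creates the directory with mode 0700,
# failing rather than reusing a path that already exists.
my $dir = tempdir('fm-XXXXXXXXXX', TMPDIR => 1, CLEANUP => 0);

# Predictable per-child name, but only inside the private directory.
sub result_path { my ($pid) = @_; return "$dir/child-$pid.out" }

sub child_store {
    my ($data) = @_;
    # O_EXCL refuses a pre-existing file or symlink at the expected name.
    sysopen(my $fh, result_path($$), O_WRONLY | O_CREAT | O_EXCL, 0600)
        or die "create result: $!";
    print {$fh} $data;
    close($fh) or die "close result: $!";
}

sub master_fetch {
    my ($pid) = @_;
    # O_NOFOLLOW rejects symlinks; fstat on the open handle avoids a re-check race.
    sysopen(my $fh, result_path($pid), O_RDONLY | O_NOFOLLOW) or return;
    my @st = stat($fh);
    die "unexpected file for child $pid" unless S_ISREG($st[2]) && $st[4] == $>;
    local $/;                      # slurp the whole file
    my $data = <$fh>;
    close($fh);
    unlink(result_path($pid));
    return $data;
}

my @pids;
for my $job (1 .. 3) {
    my $pid = fork();
    die "fork: $!" unless defined $pid;
    if ($pid == 0) { child_store("job $job done\n"); exit 0 }
    push @pids, $pid;
}
for my $pid (@pids) {
    waitpid($pid, 0);
    print "child $pid: ", master_fetch($pid) // "(no data)\n";
}
rmdir($dir) or warn "rmdir $dir: $!";
```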
Broken dependencies: perl-Pugs-Compiler-Rule
by Fedora Koji Build System
perl-Pugs-Compiler-Rule has broken dependencies in the rawhide tree:
On x86_64:
perl-Pugs-Compiler-Rule-0.37-9.fc16.noarch requires perl(:MODULE_COMPAT_5.12.3)
On i386:
perl-Pugs-Compiler-Rule-0.37-9.fc16.noarch requires perl(:MODULE_COMPAT_5.12.3)
Please resolve this as soon as possible.
12 years, 7 months
[perl-Net-Lite-FTP] Initial import (#730495).
by Sébastien Willmann
commit db08c02ad13b0b6105800fedce667b747761409d
Author: Sébastien Willmann <Sébastien Willmann sebastien.willmann(a)gmail.com>
Date: Tue Nov 8 23:00:58 2011 +0100
Initial import (#730495).
.gitignore | 1 +
perl-Net-Lite-FTP.spec | 58 ++++++++++++++++++++++++++++++++++++++++++++++++
sources | 1 +
3 files changed, 60 insertions(+), 0 deletions(-)
---
diff --git a/.gitignore b/.gitignore
index e69de29..fbe7639 100644
--- a/.gitignore
+++ b/.gitignore
@@ -0,0 +1 @@
+/Net-Lite-FTP-0.61.tar.gz
diff --git a/perl-Net-Lite-FTP.spec b/perl-Net-Lite-FTP.spec
new file mode 100644
index 0000000..a881b27
--- /dev/null
+++ b/perl-Net-Lite-FTP.spec
@@ -0,0 +1,58 @@
+Name: perl-Net-Lite-FTP
+Version: 0.61
+Release: 3%{?dist}
+Summary: Perl FTP client with support for TLS
+BuildArch: noarch
+
+License: GPL+ or Artistic
+URL: http://search.cpan.org/dist/Net-Lite-FTP/
+Source0: http://search.cpan.org/CPAN/authors/id/E/EY/EYCK/Net-Lite-FTP-%{version}....
+
+BuildRequires: perl(ExtUtils::MakeMaker) perl(Test::More) perl(Net::SSLeay)
+Requires: perl(:MODULE_COMPAT_%(eval "`%{__perl} -V:version`"; echo $version))
+
+%{?perl_default_filter}
+
+%description
+Very simple FTP client with support for TLS
+
+
+%prep
+%setup -q -n Net-Lite-FTP-%{version}
+
+
+%build
+%{__perl} Makefile.PL INSTALLDIRS=vendor
+make %{?_smp_mflags}
+
+
+%install
+make pure_install DESTDIR=$RPM_BUILD_ROOT
+find $RPM_BUILD_ROOT -type f -name .packlist -exec rm -f {} ';'
+find $RPM_BUILD_ROOT -depth -type d -exec rmdir {} 2>/dev/null ';'
+%{_fixperms} $RPM_BUILD_ROOT/*
+
+
+%check
+make test
+
+
+%files
+%doc Changes README
+# For noarch packages: vendorlib
+%{perl_vendorlib}/*
+%{_mandir}/man3/*.3*
+
+%changelog
+* Tue Aug 16 2011 Sébastien Willmann <sebastien.willmann(a)gmail.com> - 0.61-3
+- Removed uneeded line in build
+
+* Mon Aug 15 2011 Sébastien Willmann <sebastien.willmann(a)gmail.com> - 0.61-2
+- Removed uneeded parts
+
+* Sat Aug 13 2011 Sébastien Willmann <sebastien.willmann(a)gmail.com> - 0.61-1
+- Changed to version 0.61 and added doc files
+
+* Sat Aug 13 2011 Sébastien Willmann <sebastien.willmann(a)gmail.com> - 0.54-1
+- Spec file creation
+
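Review bot: `perl(Net::SSLeay)` appears only on the `BuildRequires` line, while the Summary advertises TLS support, so the run-time dependency rests entirely on the automatic Perl dependency generator. Check the built package's Requires and add an explicit `Requires: perl(Net::SSLeay)` if the module loads it in a way the generator does not see. Two smaller points: put each `BuildRequires` on its own line, and the changelog entries say "uneeded" where "unneeded" is meant.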
diff --git a/sources b/sources
index e69de29..9027a0e 100644
--- a/sources
+++ b/sources
@@ -0,0 +1 @@
+0d28b38303d4113f098428c3058d4838 Net-Lite-FTP-0.61.tar.gz
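Review bot: the `sources` entry pins the tarball by an MD5 digest only, and the `Source0` URL in the spec is plain http, so nothing in this import ties the uploaded tarball to upstream beyond a hash that is not collision-resistant. Compare the tarball against the checksum CPAN publishes for it before uploading, and record that check in the review ticket.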
12 years, 7 months
[perl-Sys-Virt] Update to 0.9.7 release
by Daniel P. Berrange
commit 53682dbcc997421e1ecb48e5bd9796a5b226c8f3
Author: Daniel P. Berrange <berrange(a)redhat.com>
Date: Tue Nov 8 21:07:02 2011 +0000
Update to 0.9.7 release
Sys-Virt-0.9.5-open-console.patch | 52 -------------------------------------
perl-Sys-Virt.spec | 11 ++++---
sources | 2 +-
3 files changed, 7 insertions(+), 58 deletions(-)
---
diff --git a/perl-Sys-Virt.spec b/perl-Sys-Virt.spec
index 56df207..2eeb1b6 100644
--- a/perl-Sys-Virt.spec
+++ b/perl-Sys-Virt.spec
@@ -1,18 +1,17 @@
Name: perl-Sys-Virt
-Version: 0.9.5
-Release: 2%{?dist}
+Version: 0.9.7
+Release: 1%{?dist}
Summary: Represent and manage a libvirt hypervisor connection
License: GPLv2+ or Artistic
Group: Development/Libraries
URL: http://search.cpan.org/dist/Sys-Virt/
Source0: http://www.cpan.org/authors/id/D/DA/DANBERR/Sys-Virt-%{version}.tar.gz
-Patch1: Sys-Virt-%{version}-open-console.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
BuildRequires: perl(ExtUtils::MakeMaker)
BuildRequires: perl(Test::Pod)
BuildRequires: perl(Test::Pod::Coverage)
BuildRequires: perl(XML::XPath)
-BuildRequires: libvirt-devel >= 0.9.5
+BuildRequires: libvirt-devel >= 0.9.7
Requires: perl(:MODULE_COMPAT_%(eval "`%{__perl} -V:version`"; echo $version))
%description
@@ -22,7 +21,6 @@ virtualization containers to be managed with a consistent API.
%prep
%setup -q -n Sys-Virt-%{version}
-%patch1 -p1
sed -i -e '/Sys-Virt\.spec/d' Makefile.PL
sed -i -e '/\.spec\.PL$/d' MANIFEST
@@ -57,6 +55,9 @@ rm -rf $RPM_BUILD_ROOT
%{_mandir}/man3/*
%changelog
+* Tue Nov 8 2011 Daniel P. Berrange <berrange(a)redhat.com> - 0.9.7-1
+- Update to 0.9.7 release
+
* Mon Oct 17 2011 Daniel P. Berrange <berrange(a)redhat.com> - 0.9.5-2
- Add binding for virDomainOpenConsole
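Review bot: the new `%changelog` entry says only "Update to 0.9.7 release", but the same commit removes `Patch1` and `%patch1 -p1`, the open-console patch that the 0.9.5-2 entry just below records as adding the virDomainOpenConsole binding. Add a changelog line stating that the patch is dropped and why (for instance, that the 0.9.7 tarball already carries the binding), so the removal can be audited from the package history alone.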
diff --git a/sources b/sources
index 386ca3a..c3c07be 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-bf73d3260a2c355037a97936a24c28e7 Sys-Virt-0.9.5.tar.gz
+cd72f727fd4d423bd37850b96677e1e1 Sys-Virt-0.9.7.tar.gz
12 years, 7 months
[perl-JSON-RPC/f16] Apply changes in Rawhide branch to the F16 branch
by Emmanuel Seyman
commit 4cadd72b1e1fa3bad80ea207fab6820f2d97685f
Author: Emmanuel Seyman <emmanuel.seyman(a)club-internet.fr>
Date: Mon Nov 7 23:28:39 2011 +0100
Apply changes in Rawhide branch to the F16 branch
perl-JSON-RPC.spec | 31 +++++++++++++++++++++++--------
1 files changed, 23 insertions(+), 8 deletions(-)
---
diff --git a/perl-JSON-RPC.spec b/perl-JSON-RPC.spec
index eb0b0a4..80ce9bc 100644
--- a/perl-JSON-RPC.spec
+++ b/perl-JSON-RPC.spec
@@ -1,12 +1,11 @@
Name: perl-JSON-RPC
Version: 0.96
-Release: 9%{?dist}
+Release: 10%{?dist}
Summary: Perl implementation of JSON-RPC 1.1 protocol
License: GPL+ or Artistic
Group: Development/Libraries
URL: http://search.cpan.org/dist/JSON-RPC/
Source0: http://www.cpan.org/authors/id/M/MA/MAKAMAKA/JSON-RPC-%{version}.tar.gz
-BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
BuildArch: noarch
BuildRequires: perl(CGI) >= 2.92
BuildRequires: perl(ExtUtils::MakeMaker)
@@ -26,6 +25,16 @@ protocol for inter-networking applications over HTTP. It uses JSON as the
data format for of all facets of a remote procedure call, including all
application data carried in parameters.
+
+%package server
+Summary: The server part of JSON::RPC
+
+%description server
+JSON-RPC is a stateless and light-weight remote procedure call (RPC)
+protocol for inter-networking applications over HTTP. It uses JSON as the
+data format for of all facets of a remote procedure call, including all
+application data carried in parameters. This is a server-side implementation.
+
%prep
%setup -q -n JSON-RPC-%{version}
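Review bot: the new `%package server` stanza declares only a `Summary` and no dependency on the base package. If the server modules load code that now lives in the base package, add `Requires: %{name} = %{version}-%{release}` so the two halves cannot be installed at different versions. The copied `%description server` text also keeps the "data format for of all facets" typo from the base description.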
@@ -38,7 +47,6 @@ make %{?_smp_mflags}
%install
rm ex/MyApp.pm
-rm -rf $RPM_BUILD_ROOT
make pure_install PERL_INSTALL_ROOT=$RPM_BUILD_ROOT
@@ -50,16 +58,23 @@ find $RPM_BUILD_ROOT -depth -type d -exec rmdir {} 2>/dev/null \;
%check
make test
-%clean
-rm -rf $RPM_BUILD_ROOT
-
%files
-%defattr(-,root,root,-)
%doc Changes ex README
-%{perl_vendorlib}/*
+%{perl_vendorlib}/JSON/RPC.pm
+%{perl_vendorlib}/JSON/RPC/Client.pm
+%{perl_vendorlib}/JSON/RPC/Procedure.pm
+%{perl_vendorlib}/JSONRPC.pm
%{_mandir}/man3/*
+%files server
+%{perl_vendorlib}/JSON/RPC/Server
+%{perl_vendorlib}/JSON/RPC/Server.pm
+
%changelog
+* Thu Oct 27 2011 Emmanuel Seyman <emmanuel.seyman(a)club-internet.fr> - 0.96-10
+- Split out the server part in its own sub-package
+- Tidy up the spec file
+
* Tue Jul 19 2011 Petr Sabata <contyk(a)redhat.com> - 0.96-9
- Perl mass rebuild
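Review bot: with `%{perl_vendorlib}/*` replaced by individual `.pm` paths in `%files`, nothing in this spec owns the `%{perl_vendorlib}/JSON/RPC` directory itself any more; `%files server` owns only `JSON/RPC/Server` and `Server.pm`. Add `%dir %{perl_vendorlib}/JSON/RPC` to the base `%files` and check who owns `%{perl_vendorlib}/JSON`. Note also that `%{_mandir}/man3/*` stays in the base list, so any man pages for the server modules still ship in the base package rather than in `server`.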
12 years, 7 months