[perl-PAR/f16] Fix CVE-2011-4114
by Petr Pisar
commit b45cffe68b4e5e6f1920e5138b4c04c338b07210
Author: Petr Písař <ppisar(a)redhat.com>
Date: Thu Dec 1 15:46:19 2011 +0100
Fix CVE-2011-4114
perl-PAR-1.002-CVE-2011-4114.patch | 89 ++++++++++++++++++++++++++++++++++++
perl-PAR.spec | 10 ++++-
2 files changed, 98 insertions(+), 1 deletions(-)
---
diff --git a/perl-PAR-1.002-CVE-2011-4114.patch b/perl-PAR-1.002-CVE-2011-4114.patch
new file mode 100644
index 0000000..4db8a94
--- /dev/null
+++ b/perl-PAR-1.002-CVE-2011-4114.patch
@@ -0,0 +1,89 @@
+Fix CVE-2011-4114
+
+From: r1305 | rschupp | 2011-11-28 17:39:44 +0100 (Po, 28 lis 2011) | 7 lines
+RT #69560/CVE-2011-4114: PAR packed files are extracted to unsafe and
+predictable temporary directories
+- create parent of cache directory (i.e. /tmp/par-USER) with mode 0700
+- if it already exists, check that (and bail out if not)
+ - it's not a symlink
+ - it's mode 0700
+ - it's owned by USER
+
+Petr Pisar: Message wording adjustment from r1316 is included too.
+
+Index: lib/PAR/SetupTemp.pm
+===================================================================
+--- lib/PAR/SetupTemp.pm (revision 1304)
++++ lib/PAR/SetupTemp.pm (revision 1305)
+@@ -5,6 +5,8 @@
+ use strict;
+ use warnings;
+
++use Fcntl ':mode';
++
+ use PAR::SetupProgname;
+
+ =head1 NAME
+@@ -42,8 +44,9 @@
+ }
+
+ my $stmpdir = _get_par_user_tempdir();
++ die "unable to create cache directory" unless $stmpdir;
++
+ require File::Spec;
+- if (defined $stmpdir) { # it'd be quite bad if this was not the case
+ if (!$ENV{PAR_CLEAN} and my $mtime = (stat($PAR::SetupProgname::Progname))[9]) {
+ my $ctx = _get_digester();
+
+@@ -71,8 +74,7 @@
+ }
+
+ $ENV{PAR_TEMP} = $stmpdir;
+- mkdir $stmpdir, 0755;
+- } # end if found a temp dir
++ mkdir $stmpdir, 0700;
+
+ $PARTemp = $1 if defined $ENV{PAR_TEMP} and $ENV{PAR_TEMP} =~ /(.+)/;
+ }
+@@ -98,8 +100,25 @@
+ next unless defined $path and -d $path and -w $path;
+ $temp_path = File::Spec->catdir($path, "par-$username");
+ ($temp_path) = $temp_path =~ /^(.*)$/s;
+- mkdir $temp_path, 0755;
++ unless (mkdir($temp_path, 0700) || $!{EEXIST}) {
++ warn "creation of private subdirectory $temp_path failed (errno=$!)";
++ return;
++ }
+
++ unless ($^O eq 'MSWin32') {
++ my @st;
++ unless (@st = lstat($temp_path)) {
++ warn "stat of private subdirectory $temp_path failed (errno=$!)";
++ return;
++ }
++ if (!S_ISDIR($st[2])
++ || $st[4] != $<
++ || ($st[2] & 0777) != 0700 ) {
++ warn "private subdirectory $temp_path is unsafe";
++ return;
++ }
++ }
++
+ last;
+ }
+ return $temp_path;
+
+
+Index: lib/PAR/SetupTemp.pm
+===================================================================
+--- lib/PAR/SetupTemp.pm (revision 1315)
++++ lib/PAR/SetupTemp.pm (revision 1316)
+@@ -114,7 +114,7 @@
+ if (!S_ISDIR($st[2])
+ || $st[4] != $<
+ || ($st[2] & 0777) != 0700 ) {
+- warn "private subdirectory $temp_path is unsafe";
++ warn "private subdirectory $temp_path is unsafe (please remove it and retry your operation)";
+ return;
+ }
+ }
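Review bot: The ownership test `$st[4] != $<` compares against the real uid, but mkdir creates the directory as the effective uid, so in any setuid/setgid-wrapped invocation the freshly created `/tmp/par-USER` would be rejected as unsafe; if that is a supported deployment, compare against `$>` as well (`$st[4] != $< && $st[4] != $>`) or, more conservatively, against `$>` only. The exact-equality mode check `($st[2] & 0777) != 0700` also bails when the caller's umask strips owner bits (e.g. umask 0277 yields 0500), which is safe but surprising; a check for no group/other bits (`$st[2] & 077`) would reject the same attacks without that false positive. Note the mkdir of the per-program `$stmpdir` (0700) is still unchecked, which is acceptable only because it lives inside the verified 0700, user-owned parent, and that all of these checks are skipped on MSWin32. The enclosing `_get_par_user_tempdir` starts and ends outside this hunk.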
diff --git a/perl-PAR.spec b/perl-PAR.spec
index 1c98bed..23a6f2a 100644
--- a/perl-PAR.spec
+++ b/perl-PAR.spec
@@ -1,11 +1,13 @@
Name: perl-PAR
Version: 1.002
-Release: 4%{?dist}
+Release: 5%{?dist}
Summary: Perl Archive Toolkit
License: GPL+ or Artistic
Group: Development/Libraries
URL: http://search.cpan.org/dist/PAR/
Source0: http://www.cpan.org/authors/id/S/SM/SMUELLER/PAR-%{version}.tar.gz
+# Fix CVE-2011-4114, bug #760132, included in upstream 1.004.
+Patch0: perl-PAR-1.002-CVE-2011-4114.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
BuildArch: noarch
BuildRequires: perl(Archive::Zip) >= 1
@@ -23,6 +25,7 @@ libraries from which Perl modules can be loaded.
%prep
%setup -q -n PAR-%{version}
+%patch0 -p0
%build
%{__perl} Makefile.PL INSTALLDIRS=vendor
@@ -39,7 +42,9 @@ find $RPM_BUILD_ROOT -depth -type d -exec rmdir {} 2>/dev/null \;
%{_fixperms} $RPM_BUILD_ROOT/*
%check
+export TEMP="$(mktemp -d)"
make test
+rm -rf "$TEMP"
%clean
rm -rf $RPM_BUILD_ROOT
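Review bot: `rm -rf "$TEMP"` only runs when `make test` succeeds, because rpmbuild aborts the %check script on the first failing command, so a failed test run leaves the mktemp directory behind in the build chroot. Creating it under the build tree, `export TEMP="$(mktemp -d -p "$PWD")"`, makes it go away with the build directory regardless of the test outcome. It is also not visible from this diff that `TEMP` is among the candidate paths PAR consults on Linux (the candidate list is outside the patch), so it may be worth a one-line comment stating why this variable rather than `TMPDIR` or `PAR_GLOBAL_TEMP` is set here.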
@@ -51,6 +56,9 @@ rm -rf $RPM_BUILD_ROOT
%{_mandir}/man3/*
%changelog
+* Thu Dec 01 2011 Petr Pisar <ppisar(a)redhat.com> - 1.002-5
+- Fix CVE-2011-4114 (insecure temporary directory handling) (bug #760132)
+
* Tue Jul 19 2011 Petr Sabata <contyk(a)redhat.com> - 1.002-4
- Perl mass rebuild
[perl-PAR-Packer] Poke icon cache
by Petr Pisar
commit 732f3f20607882f269ca2e9c3e34d4f41af0836f
Author: Petr Písař <ppisar(a)redhat.com>
Date: Tue Dec 6 11:17:33 2011 +0100
Poke icon cache
perl-PAR-Packer.spec | 18 +++++++++++++++++-
1 files changed, 17 insertions(+), 1 deletions(-)
---
diff --git a/perl-PAR-Packer.spec b/perl-PAR-Packer.spec
index 112659b..14beef8 100644
--- a/perl-PAR-Packer.spec
+++ b/perl-PAR-Packer.spec
@@ -1,6 +1,6 @@
Name: perl-PAR-Packer
Version: 1.012
-Release: 1%{?dist}
+Release: 2%{?dist}
Summary: PAR Packager
License: GPL+ or Artistic
Group: Development/Libraries
@@ -82,6 +82,19 @@ desktop-file-install \
%check
make test
+# Sctipts needed for icon cache management
+%post Tk
+/bin/touch --no-create %{_datadir}/icons/hicolor &>/dev/null || :
+
+%postun Tk
+if [ $1 -eq 0 ] ; then
+ /bin/touch --no-create %{_datadir}/icons/hicolor &>/dev/null
+ /usr/bin/gtk-update-icon-cache %{_datadir}/icons/hicolor &>/dev/null || :
+fi
+
+%posttrans Tk
+/usr/bin/gtk-update-icon-cache %{_datadir}/icons/hicolor &>/dev/null || :
+
%files
%doc AUTHORS ChangeLog README TODO
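Review bot: The `touch --no-create` line in `%postun Tk` lacks the `|| :` that the same command carries in `%post Tk`; it is harmless today because the scriptlet's exit status is that of the last command, but making the two consistent (`/bin/touch --no-create %{_datadir}/icons/hicolor &>/dev/null || :`) keeps a future reordering from turning a missing icon directory into a scriptlet failure. The introductory comment also has a typo: `# Sctipts needed for icon cache management` should read `# Scripts needed for icon cache management`.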
@@ -102,6 +115,9 @@ make test
%changelog
+* Tue Dec 06 2011 Petr Pisar <ppisar(a)redhat.com> - 1.012-2
+- Poke icon cache
+
* Mon Dec 05 2011 Petr Pisar <ppisar(a)redhat.com> - 1.012-1
- 1.012 bump
[perl-SDL] Rebuild for new libpng
by Adam Jackson
commit 1fc9ea411f2c5bef8c17dbfd207b472d1450d891
Author: Adam Jackson <ajax(a)redhat.com>
Date: Tue Dec 6 00:44:22 2011 -0500
Rebuild for new libpng
perl-SDL.spec | 5 ++++-
1 files changed, 4 insertions(+), 1 deletions(-)
---
diff --git a/perl-SDL.spec b/perl-SDL.spec
index fb5b50c..4d6ddba 100644
--- a/perl-SDL.spec
+++ b/perl-SDL.spec
@@ -1,6 +1,6 @@
Name: perl-SDL
Version: 2.2.6
-Release: 4%{?dist}
+Release: 5%{?dist}
Summary: SDL bindings for the Perl language
Group: Development/Libraries
License: LGPLv2+
@@ -54,6 +54,9 @@ chmod -R u+w $RPM_BUILD_ROOT/*
%changelog
+* Tue Dec 06 2011 Adam Jackson <ajax(a)redhat.com> - 2.2.6-5
+- Rebuild for new libpng
+
* Mon Jul 18 2011 Petr Sabata <contyk(a)redhat.com> - 2.2.6-4
- Perl mass rebuild
[perl-PAR-Packer] Build-requires test-time dependencies
by Petr Pisar
commit 5a56f49da809e56dd52bb9c31eea384ade09417d
Author: Petr Písař <ppisar(a)redhat.com>
Date: Mon Dec 5 18:23:11 2011 +0100
Build-requires test-time dependencies
perl-PAR-Packer.spec | 4 ++++
1 files changed, 4 insertions(+), 0 deletions(-)
---
diff --git a/perl-PAR-Packer.spec b/perl-PAR-Packer.spec
index 38ea430..112659b 100644
--- a/perl-PAR-Packer.spec
+++ b/perl-PAR-Packer.spec
@@ -18,6 +18,10 @@ BuildRequires: perl(IO::Compress::Gzip)
BuildRequires: perl(Module::ScanDeps) >= 1.05
BuildRequires: perl(PAR) >= 1.005
BuildRequires: perl(PAR::Dist) >= 0.22
+# Tests:
+BuildRequires: perl(Test::More)
+BuildRequires: perl(File::Path)
+BuildRequires: perl(File::Spec)
Requires: perl(:MODULE_COMPAT_%(eval "`%{__perl} -V:version`"; echo $version))
Requires: perl(Archive::Zip) >= 1
Requires: perl(Compress::Zlib) >= 1.3
[perl-PAR-Packer] 1.012 bump
by Petr Pisar
commit b369a1e4c550f49936b3e353008a437159abb400
Author: Petr Písař <ppisar(a)redhat.com>
Date: Mon Dec 5 18:06:25 2011 +0100
1.012 bump
PAR_GLOBAL_TMPDIR does not need to be set at build and check time since
this version.
.gitignore | 1 +
.rpmlint | 3 +++
perl-PAR-Packer.spec | 19 +++++++++----------
sources | 2 +-
4 files changed, 14 insertions(+), 11 deletions(-)
---
diff --git a/.gitignore b/.gitignore
index cf0c693..d5f9259 100644
--- a/.gitignore
+++ b/.gitignore
@@ -4,3 +4,4 @@ PAR-Packer-1.005.tar.gz
/PAR-Packer-1.009.tar.gz
/PAR-Packer-1.010.tar.gz
/PAR-Packer-1.011.tar.gz
+/PAR-Packer-1.012.tar.gz
diff --git a/.rpmlint b/.rpmlint
new file mode 100644
index 0000000..128deb5
--- /dev/null
+++ b/.rpmlint
@@ -0,0 +1,3 @@
+from Config import *
+addFilter("spelling-error .* (Backend|executables|Tkpp)");
+addFilter("strange-permission extract_icon 0775L");
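Review bot: The `strange-permission extract_icon 0775L` filter silences rpmlint about a group-writable helper script rather than fixing the mode; a writable helper that the spec executes directly during %install is exactly the kind of thing the check exists for. Prefer `chmod 0755 extract_icon` in dist-git (or invoke the helper through the interpreter so it needs no execute bit at all) and drop this filter line.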
diff --git a/perl-PAR-Packer.spec b/perl-PAR-Packer.spec
index 2071588..38ea430 100644
--- a/perl-PAR-Packer.spec
+++ b/perl-PAR-Packer.spec
@@ -1,5 +1,5 @@
Name: perl-PAR-Packer
-Version: 1.011
+Version: 1.012
Release: 1%{?dist}
Summary: PAR Packager
License: GPL+ or Artistic
@@ -16,7 +16,7 @@ BuildRequires: perl(File::Temp) >= 0.05
BuildRequires: perl(Getopt::ArgvFile) >= 1.07
BuildRequires: perl(IO::Compress::Gzip)
BuildRequires: perl(Module::ScanDeps) >= 1.05
-BuildRequires: perl(PAR) >= 1.004
+BuildRequires: perl(PAR) >= 1.005
BuildRequires: perl(PAR::Dist) >= 0.22
Requires: perl(:MODULE_COMPAT_%(eval "`%{__perl} -V:version`"; echo $version))
Requires: perl(Archive::Zip) >= 1
@@ -25,7 +25,7 @@ Requires: perl(File::Temp) >= 0.05
Requires: perl(Getopt::ArgvFile) >= 1.07
Requires: perl(IO::Compress::Gzip)
Requires: perl(Module::ScanDeps) >= 1.05
-Requires: perl(PAR) >= 1.004
+Requires: perl(PAR) >= 1.005
Requires: perl(PAR::Dist) >= 0.22
# Remove under-specified dependencies
@@ -45,7 +45,7 @@ Requires: perl(:MODULE_COMPAT_%(eval "`%{__perl} -V:version`"; echo $versi
Requires: perl(ExtUtils::MakeMaker)
%description Tk
-Tkpp is a GUI frontend to pp, which can turn perl scripts into standalone
+Tkpp is a GUI front-end to pp, which can turn perl scripts into standalone
PAR files, perl scripts or executables.
@@ -57,8 +57,7 @@ PAR files, perl scripts or executables.
# DEBUG variable needed to disable stripping binary
DEBUG=1 %{__perl} Makefile.PL INSTALLDIRS=vendor OPTIMIZE="%{optflags}"
# The Makefile is not parallel-safe.
-# PAR_GLOBAL_TEMP seems to be needed for the build.
-make PAR_GLOBAL_TEMP=/var/tmp
+make
%install
@@ -77,10 +76,7 @@ desktop-file-install \
%check
-export PAR_GLOBAL_TEMP=/var/tmp
-#export PAR_GLOBAL_TMPDIR=/var/tmp
-## does not pass
-# make test PERL_TEST_POD=1 || :
+make test
%files
@@ -102,6 +98,9 @@ export PAR_GLOBAL_TEMP=/var/tmp
%changelog
+* Mon Dec 05 2011 Petr Pisar <ppisar(a)redhat.com> - 1.012-1
+- 1.012 bump
+
* Fri Dec 02 2011 Petr Pisar <ppisar(a)redhat.com> - 1.011-1
- 1.011 bump (fixes CVE-2011-4114)
- Specify run-time dependencies versions
diff --git a/sources b/sources
index 3e07996..1ea576f 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-b26a703a6e9ddf0268d1490d602a9094 PAR-Packer-1.011.tar.gz
+40726da9a462b13590b80c24767d3857 PAR-Packer-1.012.tar.gz
[perl-PAR-Packer] 1.011 bump
by Petr Pisar
commit 46ded8a3a9246211cc7db2a597486adb7a9384a1
Author: Petr Písař <ppisar(a)redhat.com>
Date: Mon Dec 5 16:38:08 2011 +0100
1.011 bump
And sub-package Tk application.
.gitignore | 1 +
extract_icon | 28 ++++++++++++++++++++++
perl-PAR-Packer.spec | 64 ++++++++++++++++++++++++++++++++++++++++++++-----
sources | 2 +-
tkpp.desktop | 9 +++++++
5 files changed, 96 insertions(+), 8 deletions(-)
---
diff --git a/.gitignore b/.gitignore
index 995ab78..cf0c693 100644
--- a/.gitignore
+++ b/.gitignore
@@ -3,3 +3,4 @@ PAR-Packer-1.005.tar.gz
/PAR-Packer-1.008.tar.gz
/PAR-Packer-1.009.tar.gz
/PAR-Packer-1.010.tar.gz
+/PAR-Packer-1.011.tar.gz
diff --git a/extract_icon b/extract_icon
new file mode 100755
index 0000000..13fa515
--- /dev/null
+++ b/extract_icon
@@ -0,0 +1,28 @@
+#!/usr/bin/perl
+
+# Copyright 2011 Petr Písař <ppisar(a)redhat.com>.
+# This tool is licensed under the terms of GNU GPL version 3 or any later.
+
+use strict;
+use warnings;
+
+my $gif;
+
+while (<>) {
+ chomp;
+ if (/\A[^#]*my\s+\$icon_gif\s+=/) {
+ $gif = '';
+ next;
+ }
+ if (defined $gif && /\A\./) {
+ last;
+ }
+ if (defined $gif) {
+ $gif .= $_;
+ }
+}
+
+if (! defined $gif) { exit 1; }
+
+use MIME::Base64;
+print decode_base64($gif);
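Review bot: The script writes binary GIF data to STDOUT without `binmode STDOUT;`, so on any platform with newline translation the decoded image would be corrupted; add `binmode STDOUT;` before the `print`. The `use MIME::Base64;` placed after the loop is compile-time and therefore works, but putting it with the other `use` lines at the top reads better and avoids a reviewer assuming it is a runtime `require`. Input is read via the magic `<>` (two-arg open on `@ARGV`), which is fine for the stdin-redirect invocation in the spec but would treat a filename argument like `|cmd` as a pipe; a short comment that the script expects the tkpp source on stdin would document that assumption.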
diff --git a/perl-PAR-Packer.spec b/perl-PAR-Packer.spec
index a3299c1..2071588 100644
--- a/perl-PAR-Packer.spec
+++ b/perl-PAR-Packer.spec
@@ -1,11 +1,13 @@
Name: perl-PAR-Packer
-Version: 1.010
-Release: 2%{?dist}
+Version: 1.011
+Release: 1%{?dist}
Summary: PAR Packager
License: GPL+ or Artistic
Group: Development/Libraries
URL: http://search.cpan.org/dist/PAR-Packer/
Source0: http://www.cpan.org/authors/id/R/RS/RSCHUPP/PAR-Packer-%{version}.tar.gz
+Source1: extract_icon
+Source2: tkpp.desktop
BuildRequires: perl(Archive::Zip) >= 1
BuildRequires: perl(Compress::Zlib) >= 1.3
BuildRequires: perl(ExtUtils::MakeMaker)
@@ -13,18 +15,44 @@ BuildRequires: perl(ExtUtils::Embed)
BuildRequires: perl(File::Temp) >= 0.05
BuildRequires: perl(Getopt::ArgvFile) >= 1.07
BuildRequires: perl(IO::Compress::Gzip)
-BuildRequires: perl(Module::ScanDeps) >= 1.01
-BuildRequires: perl(PAR) >= 1.000
+BuildRequires: perl(Module::ScanDeps) >= 1.05
+BuildRequires: perl(PAR) >= 1.004
BuildRequires: perl(PAR::Dist) >= 0.22
Requires: perl(:MODULE_COMPAT_%(eval "`%{__perl} -V:version`"; echo $version))
+Requires: perl(Archive::Zip) >= 1
+Requires: perl(Compress::Zlib) >= 1.3
+Requires: perl(File::Temp) >= 0.05
+Requires: perl(Getopt::ArgvFile) >= 1.07
+Requires: perl(IO::Compress::Gzip)
+Requires: perl(Module::ScanDeps) >= 1.05
+Requires: perl(PAR) >= 1.004
+Requires: perl(PAR::Dist) >= 0.22
+
+# Remove under-specified dependencies
+%global __requires_exclude %{?__requires_exclude:%__requires_exclude|}^perl\\(Archive::Zip|File::Temp|Getopt::ArgvFile|Module::ScanDeps|PAR\\)\\s*$
%description
This module implements the App::Packer::Backend interface, for generating
stand-alone executables, perl scripts and PAR files.
+%package Tk
+Summary: Front-end to pp written in Perl/Tk
+BuildArch: noarch
+BuildRequires: desktop-file-utils
+BuildRequires: perl(MIME::Base64)
+Requires: %{name} = %{version}-%{release}
+Requires: perl(:MODULE_COMPAT_%(eval "`%{__perl} -V:version`"; echo $version))
+Requires: perl(ExtUtils::MakeMaker)
+
+%description Tk
+Tkpp is a GUI frontend to pp, which can turn perl scripts into standalone
+PAR files, perl scripts or executables.
+
+
%prep
%setup -q -n PAR-Packer-%{version}
+
%build
# DEBUG variable needed to disable stripping binary
DEBUG=1 %{__perl} Makefile.PL INSTALLDIRS=vendor OPTIMIZE="%{optflags}"
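Review bot: The `__requires_exclude` pattern does not group its alternation, so the regex reads as `^perl\(Archive::Zip` OR `File::Temp` OR `Getopt::ArgvFile` OR `Module::ScanDeps` OR `PAR\)\s*$`; the middle alternatives are unanchored and match any auto-generated dependency containing that substring, e.g. `perl(File::Temp::Something)`, and the first one matches `perl(Archive::Zip::Anything)`, which would drop real dependencies that the explicit `Requires:` lines do not replace. Wrap the alternatives: `%global __requires_exclude %{?__requires_exclude:%__requires_exclude|}^perl\\((Archive::Zip|File::Temp|Getopt::ArgvFile|Module::ScanDeps|PAR)\\)\\s*$`.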
@@ -32,20 +60,29 @@ DEBUG=1 %{__perl} Makefile.PL INSTALLDIRS=vendor OPTIMIZE="%{optflags}"
# PAR_GLOBAL_TEMP seems to be needed for the build.
make PAR_GLOBAL_TEMP=/var/tmp
+
%install
make pure_install PERL_INSTALL_ROOT=%{buildroot}
find %{buildroot} -type f -name .packlist -exec rm -f {} \;
find %{buildroot} -type f -name '*.bs' -size 0 -exec rm -f {} \;
find %{buildroot} -depth -type d -exec rmdir {} 2>/dev/null \;
-
%{_fixperms} %{buildroot}/*
+# Install desktop file
+%{SOURCE1} < script/tkpp > tkpp.gif
+install -m644 -D tkpp.gif \
+ $RPM_BUILD_ROOT/%{_datadir}/icons/hicolor/32x32/apps/tkpp.gif
+desktop-file-install \
+ --dir=${RPM_BUILD_ROOT}%{_datadir}/applications %{SOURCE2}
+
+
%check
export PAR_GLOBAL_TEMP=/var/tmp
#export PAR_GLOBAL_TMPDIR=/var/tmp
## does not pass
# make test PERL_TEST_POD=1 || :
+
%files
%doc AUTHORS ChangeLog README TODO
%{perl_vendorlib}/*
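Review bot: `%{SOURCE1} < script/tkpp > tkpp.gif` executes the helper directly and therefore depends on the execute bit surviving in dist-git, which is what the rpmlint permission filter in a later commit papers over; running it as `%{__perl} %{SOURCE1} < script/tkpp > tkpp.gif` removes that dependency on file mode. The new lines also mix `$RPM_BUILD_ROOT` and `${RPM_BUILD_ROOT}` with the `%{buildroot}` used by the surrounding %install commands; pick one, preferably `%{buildroot}`, for consistency within the section.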
@@ -53,11 +90,24 @@ export PAR_GLOBAL_TEMP=/var/tmp
%{_bindir}/parl
%{_bindir}/parldyn
%{_bindir}/pp
-%{_bindir}/tkpp
-%{_mandir}/man1/*.1.gz
+%{_mandir}/man1/*.1.*
+%exclude %{_mandir}/man1/tkpp.1.*
%{_mandir}/man3/*
+%files Tk
+%{_bindir}/tkpp
+%{_mandir}/man1/tkpp.1.*
+%{_datadir}/applications/tkpp.desktop
+%{_datadir}/icons/hicolor/32x32/apps/tkpp.gif
+
+
%changelog
+* Fri Dec 02 2011 Petr Pisar <ppisar(a)redhat.com> - 1.011-1
+- 1.011 bump (fixes CVE-2011-4114)
+- Specify run-time dependencies versions
+- Sub-package tkpp into perl-PAR-Packer-Tk
+- Create Free Desktop menu entry
+
* Tue Jul 19 2011 Petr Sabata <contyk(a)redhat.com> - 1.010-2
- Perl mass rebuild
diff --git a/sources b/sources
index 3db8597..3e07996 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-ee57def445e3d917d48cbf3a52813b54 PAR-Packer-1.010.tar.gz
+b26a703a6e9ddf0268d1490d602a9094 PAR-Packer-1.011.tar.gz
diff --git a/tkpp.desktop b/tkpp.desktop
new file mode 100644
index 0000000..3dc688e
--- /dev/null
+++ b/tkpp.desktop
@@ -0,0 +1,9 @@
+[Desktop Entry]
+Name=Tkpp
+GenericName=Perl Archive Writer
+Comment=Front-end to pp written in Perl/Tk
+Exec=tkpp
+Icon=tkpp
+Terminal=false
+Type=Application
+Categories=Development;Building;