[Bug 1238804] New: /usr/bin/perl is not linked with -z now
by Red Hat Bugzilla
https://bugzilla.redhat.com/show_bug.cgi?id=1238804
Bug ID: 1238804
Summary: /usr/bin/perl is not linked with -z now
Product: Fedora
Version: rawhide
Component: perl
Assignee: jplesnik(a)redhat.com
Reporter: ppisar(a)redhat.com
QA Contact: extras-qa(a)fedoraproject.org
CC: cweyl(a)alumni.drew.edu, iarnell(a)gmail.com,
jplesnik(a)redhat.com, kasal(a)ucw.cz,
perl-devel(a)lists.fedoraproject.org, ppisar(a)redhat.com,
psabata(a)redhat.com, rc040203(a)freenet.de,
tcallawa(a)redhat.com
/usr/bin/perl is not linked with -z now. The -z now is defined by
-specs=/usr/lib/rpm/redhat/redhat-hardened-ld:
gcc -o libperl.so -shared -O2 -g -pipe -Wall -Werror=format-security
-Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong
--param=ssp-buffer-size=4 -grecord-gcc-switches
-specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -m64 -mtune=generic -Wl,-z,relro
-specs=/usr/lib/rpm/redhat/redhat-hardened-ld -L/usr/local/lib -Wl,-soname
-Wl,libperl.so.5.22 op.o perl.o gv.o toke.o perly.o pad.o regcomp.o dump.o
util.o mg.o reentr.o mro_core.o keywords.o hv.o av.o run.o pp_hot.o sv.o pp.o
scope.o pp_ctl.o pp_sys.o doop.o doio.o regexec.o utf8.o taint.o deb.o
universal.o globals.o perlio.o perlapi.o numeric.o mathoms.o locale.o pp_pack.o
pp_sort.o caretx.o perldtrace.o DynaLoader.o -lpthread -lresolv -lnsl -ldl -lm
-lcrypt -lutil -lc
Processing extracted/DCombiningClass.txt
Processing extracted/DNumType.txt
gcc -o perl -fstack-protector-strong -L/usr/local/lib -Wl,--enable-new-dtags
perlmain.o libperl.so `cat ext.libs` -lpthread -lresolv -lnsl -ldl -lm -lcrypt
-lutil -lc
The reason is we configure perl as:
/bin/sh Configure -des -Doptimize="$RPM_OPT_FLAGS" \
-Dccdlflags="-Wl,--enable-new-dtags" \
-Dlddlflags="-shared $RPM_OPT_FLAGS $RPM_LD_FLAGS" \
The $RPM_LD_FLAGS should go into ccdlflags too. ccdlflags is for linking
programs dynamically, lddlflags is for linking libraries dynamically.
Configure supports ldflags, but I worry this has to be actively used by
Makefile.PLs, so it is not very helpful.
--
You are receiving this mail because:
You are on the CC list for the bug.
6 years, 8 months
[Bug 1354386] New: CVE-2016-6185 perl: XSLoader loads relative paths not included in @INC
by Red Hat Bugzilla
https://bugzilla.redhat.com/show_bug.cgi?id=1354386
Bug ID: 1354386
Summary: CVE-2016-6185 perl: XSLoader loads relative paths not
included in @INC
Product: Security Response
Component: vulnerability
Keywords: Security
Severity: medium
Priority: medium
Assignee: security-response-team(a)redhat.com
Reporter: amaris(a)redhat.com
CC: cweyl(a)alumni.drew.edu, hhorak(a)redhat.com,
iarnell(a)gmail.com, jorton(a)redhat.com,
jplesnik(a)redhat.com, kasal(a)ucw.cz,
perl-devel(a)lists.fedoraproject.org,
perl-maint-list(a)redhat.com, ppisar(a)redhat.com,
psabata(a)redhat.com, rc040203(a)freenet.de,
rmeggins(a)redhat.com, tcallawa(a)redhat.com
Arbitrary code execution can be achieved when loading code from an untrusted
current working directory even though '.' is removed from @INC. The
vulnerability is in XSLoader, which uses caller() information to locate the .so
file to load. If a malicious attacker creates a directory named `(eval 1)` with
a malicious binary file in it, it will be loaded if the package calling
XSLoader is in the parent directory.
CVE assignment:
http://seclists.org/oss-sec/2016/q3/28
Upstream bug:
https://rt.cpan.org/Public/Bug/Display.html?id=115808
Upstream patch:
http://perl5.git.perl.org/perl.git/commitdiff/08e3451d7
6 years, 8 months
[Bug 1372923] New: Package modified in Fedora exhibits bad behavior when /etc/localtime is old
by Red Hat Bugzilla
https://bugzilla.redhat.com/show_bug.cgi?id=1372923
Bug ID: 1372923
Summary: Package modified in Fedora exhibits bad behavior when
/etc/localtime is old
Product: Fedora
Version: 23
Component: perl-DateTime-TimeZone
Assignee: jplesnik(a)redhat.com
Reporter: don(a)beusee.com
QA Contact: extras-qa(a)fedoraproject.org
CC: iarnell(a)gmail.com, jplesnik(a)redhat.com,
perl-devel(a)lists.fedoraproject.org
Description of problem:
I was on FC20 at some point, and upgraded to FC23. I hadn't noticed until now
that my /etc/localtime was a copy and not a symlink of the Los_Angeles zoneinfo
file. So this means my /etc/localtime file is from FC20, even though I'm on
FC23. This causes problems with DateTime::TimeZone package. I have this test
perl program:
#!/usr/bin/perl
use DateTime::TimeZone;
print "DateTime::TimeZone::VERSION=" . $DateTime::TimeZone::VERSION . "\n";
my $ltz = DateTime::TimeZone->new(name => 'local');
print "\n$ltz\n";
print "tz offset=" . $ltz->offset_as_string(-25200) . "\n";
On my system, this program generates the following output:
[root@pp10 ~]# perl test.pl
DateTime::TimeZone::VERSION=2.01
DateTime::TimeZone::Tzfile=HASH(0x1222668)
Can't locate object method "offset_as_string" via package
"DateTime::TimeZone::Tzfile" at test.pl line 26.
[root@pp10 ~]#
Note that DateTime::TimeZone->new(name => 'local') returned a
DateTime::TimeZone::Tzfile object. I contacted the maintainer of
DateTime::TimeZone, and he assured me this is impossible. He said this package
was modified, and it turns out he's right. The package from CPAN gives the
expected result (proper error message) with the FC20 localtime file. With a
FC23 localtime file, it also works fine (I get Los_Angeles object with offset
-0700 reported by the program). I don't know why this package is modified
under the Fedora project. I debugged, and found the problem to be in the
/usr/share/perl5/vendor_perl/DateTime/TimeZone/Local/Unix.pm file. Unix.pm has
code not found in the CPAN version, so it is from the Fedora project.
Version-Release number of selected component (if applicable):
perl-DateTime-TimeZone-2.01-1.fc23.noarch
How reproducible:
Steps to Reproduce:
1. Copy /etc/localtime from an FC20 system to an FC23 system.
2. Run the above test perl program.
Actual results:
DateTime::TimeZone::Tzfile=HASH(0x1222668)
Can't locate object method "offset_as_string" via package
"DateTime::TimeZone::Tzfile" at test.pl line 26.
Expected results:
Cannot determine local time zone
Additional info:
The package from CPAN gives the expected result (proper error message) with the
FC20 localtime file. With a FC23 localtime file, it also works fine (I get
Los_Angeles object with offset -0700 reported by the program).
6 years, 8 months
[Bug 1259386] New: perl-XML-Merge-1.2.565EgGd-20.fc24 FTBFS: Can't convert '1.12.B55J2qn': Invalid version format (non-numeric data)
by Red Hat Bugzilla
https://bugzilla.redhat.com/show_bug.cgi?id=1259386
Bug ID: 1259386
Summary: perl-XML-Merge-1.2.565EgGd-20.fc24 FTBFS: Can't
convert '1.12.B55J2qn': Invalid version format
(non-numeric data)
Product: Fedora
Version: rawhide
Component: perl-XML-Merge
Assignee: xavier(a)bachelot.org
Reporter: ppisar(a)redhat.com
QA Contact: extras-qa(a)fedoraproject.org
CC: perl-devel(a)lists.fedoraproject.org,
xavier(a)bachelot.org
perl-XML-Merge-1.2.565EgGd-20.fc24 fails to build in F24:
Executing(%build): /bin/sh -e /var/tmp/rpm-tmp.oC1E58
+ umask 022
+ cd /builddir/build/BUILD
+ cd XML-Merge-1.2.565EgGd
+ /usr/bin/perl Makefile.PL INSTALLDIRS=vendor
Can't convert '1.12.B55J2qn': Invalid version format (non-numeric data)
Checking if your kit is complete...
Looks good
error: Bad exit status from /var/tmp/rpm-tmp.oC1E58 (%build)
RPM build errors:
Bad exit status from /var/tmp/rpm-tmp.oC1E58 (%build)
Difference between working and failing build root:
perl-ExtUtils-MakeMaker 7.04-346.fc23 > 7.06-2.fc24
perl-ExtUtils-Command 1.20-346.fc23 > 7.06-2.fc24
glib2 2.45.6-1.fc24 > 2.45.7-1.fc24
python3-dnf-plugins-core 0.1.10-1.fc24 > 0.1.11-1.fc24
dnf-plugins-core 0.1.10-1.fc24 > 0.1.11-1.fc24
libgpg-error 1.19-2.fc23 > 1.20-1.fc24
gdb 7.10-15.fc24 > 7.10-16.fc24
6 years, 8 months
[Bug 1224294] New: perl-OpenGL-0.6702-4.fc23 FTBFS: undefined symbol: glWindowPos4dMESA
by Red Hat Bugzilla
https://bugzilla.redhat.com/show_bug.cgi?id=1224294
Bug ID: 1224294
Summary: perl-OpenGL-0.6702-4.fc23 FTBFS: undefined symbol:
glWindowPos4dMESA
Product: Fedora
Version: rawhide
Component: perl-OpenGL
Assignee: lkundrak(a)v3.sk
Reporter: ppisar(a)redhat.com
QA Contact: extras-qa(a)fedoraproject.org
CC: filip(a)andresovi.net, lkundrak(a)v3.sk,
perl-devel(a)lists.fedoraproject.org, scenek(a)gmail.com
perl-OpenGL-0.6702-4.fc23 fails to build in F23 because tests fail on linking
with Mesa OpenGL library:
+ make test
"/usr/bin/perl" "-MExtUtils::Command::MM" "-MTest::Harness" "-e" "undef
*Test::Harness::Switches; test_harness(0, 'blib/lib', 'blib/arch')" t/*.t
# Failed test 'require OpenGL;'
# at t/00_require.t line 3.
# Tried to require 'OpenGL'.
# Error: Can't load
'/builddir/build/BUILD/OpenGL-0.6702/blib/arch/auto/OpenGL/OpenGL.so' for
module OpenGL:
/builddir/build/BUILD/OpenGL-0.6702/blib/arch/auto/OpenGL/OpenGL.so: undefined
symbol: glWindowPos4dMESA at /usr/lib64/perl5/DynaLoader.pm line 193.
# at (eval 4) line 2.
# Compilation failed in require at (eval 4) line 2.
# Looks like you failed 1 test of 1.
t/00_require.t .......
Dubious, test returned 1 (wstat 256, 0x100)
Failed 1/1 subtests
This is caused by upgrading mesa-libGL-devel from 10.6.0-0.devel.5.51e3453 to
10.6.0-0.devel.6.5a55f68.
6 years, 8 months
[Bug 984185] New: perl should be a hardened build
by Red Hat Bugzilla
https://bugzilla.redhat.com/show_bug.cgi?id=984185
Bug ID: 984185
Summary: perl should be a hardened build
Product: Fedora
Version: 18
Component: perl
Severity: unspecified
Priority: unspecified
Assignee: mmaslano(a)redhat.com
Reporter: h.reindl(a)thelounge.net
QA Contact: extras-qa(a)fedoraproject.org
CC: cweyl(a)alumni.drew.edu, iarnell(a)gmail.com,
jplesnik(a)redhat.com, kasal(a)ucw.cz,
mmaslano(a)redhat.com,
perl-devel(a)lists.fedoraproject.org, ppisar(a)redhat.com,
psabata(a)redhat.com, rc040203(a)freenet.de,
tcallawa(a)redhat.com
perl is often used for long running services (mailgraph, smokeping, postgrey..)
as well as called from webservers with untrusted input
so it should be "Full RELRO" and PIE
http://fedoraproject.org/wiki/Packaging:Guidelines#PIE
______________________________________________________
If your package meets any of the following criteria you MUST enable the PIE
compiler flags:
- Your package is long running. This means it's likely to be started and keep
  running until the machine is rebooted, not start on demand and quit on idle.
- Your package has suid binaries, or binaries with capabilities.
- Your package runs as root.
If your package meets the following criteria you should consider enabling the
PIE compiler flags:
- Your package accepts/processes untrusted input.
______________________________________________________
[root@srv-rhsoft:~]$ checksec --file /usr/bin/perl
RELRO           STACK CANARY      NX            PIE       RPATH    RUNPATH    FILE
Partial RELRO   Canary found      NX enabled    No PIE    RPATH    RUNPATH    /usr/bin/perl
6 years, 8 months
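A check for the hardening state discussed in bugs 1238804 and 984185 (Partial vs. Full RELRO, PIE), as an added example that is not part of either bug report: it classifies the text printed by `readelf -W -h -l -d FILE`, using the same ELF markers that checksec reports on. The function names and the two trimmed readelf samples are constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the bug reports.
# Real use: readelf -W -h -l -d /usr/bin/perl | classify_hardening

# classify_hardening: reads readelf output on stdin, prints "<relro>,<pie>".
classify_hardening() {
    out=$(cat)
    # A PT_GNU_RELRO program header means the link used -z relro.
    if printf '%s\n' "$out" | grep -q 'GNU_RELRO'; then
        # -z now appears as a DT_BIND_NOW tag, as BIND_NOW in DT_FLAGS,
        # or as NOW in DT_FLAGS_1, depending on the binutils version.
        if printf '%s\n' "$out" |
            grep -Eq '\(BIND_NOW\)|\(FLAGS\).*BIND_NOW|\(FLAGS_1\).*NOW'; then
            relro="Full RELRO"
        else
            relro="Partial RELRO"
        fi
    else
        relro="No RELRO"
    fi
    # For an executable, ELF type DYN means PIE and EXEC means a fixed
    # load address. (Shared libraries are also DYN.)
    if printf '%s\n' "$out" | grep -Eq '^ *Type: +DYN'; then
        pie="PIE"
    else
        pie="No PIE"
    fi
    printf '%s,%s\n' "$relro" "$pie"
}

# Constructed sample: program linked with -z relro but without -z now.
sample_partial() {
cat <<'EOF'
  Type:                              EXEC (Executable file)
  GNU_RELRO      0x000dd8 0x0000000000600dd8 0x0000000000600dd8 0x000228 0x000228 R   0x1
 0x0000000000000001 (NEEDED)             Shared library: [libperl.so.5.22]
EOF
}

# Constructed sample: PIE program linked with -z relro -z now.
sample_full() {
cat <<'EOF'
  Type:                              DYN (Shared object file)
  GNU_RELRO      0x000dd8 0x0000000000200dd8 0x0000000000200dd8 0x000228 0x000228 R   0x1
 0x000000000000001e (FLAGS)              BIND_NOW
 0x000000006ffffffb (FLAGS_1)            Flags: NOW
EOF
}
```
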
[Bug 1373410] New: Please port to WebKit2
by Red Hat Bugzilla
https://bugzilla.redhat.com/show_bug.cgi?id=1373410
Bug ID: 1373410
Summary: Please port to WebKit2
Product: Fedora
Version: rawhide
Component: perl-Gtk3-WebKit
Assignee: ddick(a)cpan.org
Reporter: rhbz(a)genodeftest.de
QA Contact: extras-qa(a)fedoraproject.org
CC: ddick(a)cpan.org, perl-devel(a)lists.fedoraproject.org
Description of problem:
Currently, perl-Gtk3-WebKit is based on webkitgtk3, which is WebKit1 on Gtk3.
There are plans to remove WebKit1 from Fedora 27+ [1].
Version-Release number of selected component (if applicable):
all current versions
How reproducible:
always
Actual results:
perl-Gtk3-WebKit is compiled against webkitgtk3(-devel)
Expected results:
perl-Gtk3-WebKit should be compiled against webkitgtk4(-devel)
Additional info:
In case the API differs too much you might want to add another package, e.g.
named perl-Gtk3-WebKit2, which is compiled against webkitgtk4(-devel) and
deprecate the old one.
[1] See
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.o...
and a mass bug filing announcement on
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.o...
6 years, 8 months
[Bug 1265922] New: amavisd and clamav dependencies
by Red Hat Bugzilla
https://bugzilla.redhat.com/show_bug.cgi?id=1265922
Bug ID: 1265922
Summary: amavisd and clamav dependencies
Product: Fedora EPEL
Version: epel7
Component: amavisd-new
Severity: low
Assignee: j.orti.alcaine(a)gmail.com
Reporter: sistemisti-posta(a)csi.it
QA Contact: extras-qa(a)fedoraproject.org
CC: janfrode(a)tanso.net, j.orti.alcaine(a)gmail.com,
perl-devel(a)lists.fedoraproject.org, steve(a)silug.org,
vanmeeuwen+fedora(a)kolabsys.com
Description of problem:
I have amavisd-new without local clamd server, because I configured it remotely
through instream protocol.
I would very much appreciate it if you could leave clamav and altermime dependencies.
Version-Release number of selected component (if applicable):
amavisd-new-2.10.1-4.el7
Now I forcibly removed clamav, but it is not good:
** Found 3 pre-existing rpmdb problem(s), 'yum check' output follows:
amavisd-new-2.10.1-4.el7.noarch has missing requires of altermime
amavisd-new-2.10.1-4.el7.noarch has missing requires of clamav-server
amavisd-new-2.10.1-4.el7.noarch has missing requires of clamav-server-systemd
Thanks a lot
6 years, 9 months
[Bug 1399246] New: wrong permission on /usr/share/doc/perl-Mail-SPF/bin/spfquery
by Red Hat Bugzilla
https://bugzilla.redhat.com/show_bug.cgi?id=1399246
Bug ID: 1399246
Summary: wrong permission on
/usr/share/doc/perl-Mail-SPF/bin/spfquery
Product: Fedora
Version: 24
Component: perl-Mail-SPF
Severity: medium
Assignee: jpazdziora(a)redhat.com
Reporter: customercare(a)resellerdesktop.de
QA Contact: extras-qa(a)fedoraproject.org
CC: jpazdziora(a)redhat.com, nb(a)fedoraproject.org,
perl-devel(a)lists.fedoraproject.org, steve(a)silug.org
Description of problem:
/usr/share/doc/perl-Mail-SPF/bin/spfquery comes with root executable
permissions.
If it shall be used by exim or any other non-root mailserver, it needs o+x or
g+x and a new group with exim etc.
Either way, those "temporary" solutions by admins get deleted with an
update/upgrade of the package.
Suggested Solution:
chmod o+x /usr/share/doc/perl-Mail-SPF/bin/spfquery
Version-Release number of selected component (if applicable):
perl-Mail-SPF-2.9.0-7.fc23.noarch
6 years, 10 months