From 282fdd80c2517eca341347fc32518ece908b3f90 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar(a)redhat.com>
Date: Fri, 2 Sep 2016 09:24:00 +0200
Subject: 0.064 bump
---
.gitignore | 1 +
...-1238-avoid-loading-optional-modules-from.patch | 39 ----------------------
perl-HTTP-Tiny.spec | 12 +++----
sources | 2 +-
4 files changed, 8 insertions(+), 46 deletions(-)
delete mode 100644
HTTP-Tiny-0.058-CVE-2016-1238-avoid-loading-optional-modules-from.patch
diff --git a/.gitignore b/.gitignore
index 07c7afa..83c5551 100644
--- a/.gitignore
+++ b/.gitignore
@@ -22,3 +22,4 @@
/HTTP-Tiny-0.054.tar.gz
/HTTP-Tiny-0.056.tar.gz
/HTTP-Tiny-0.058.tar.gz
+/HTTP-Tiny-0.064.tar.gz
diff --git a/HTTP-Tiny-0.058-CVE-2016-1238-avoid-loading-optional-modules-from.patch
b/HTTP-Tiny-0.058-CVE-2016-1238-avoid-loading-optional-modules-from.patch
deleted file mode 100644
index db4eb9c..0000000
--- a/HTTP-Tiny-0.058-CVE-2016-1238-avoid-loading-optional-modules-from.patch
+++ /dev/null
@@ -1,39 +0,0 @@
-From b239c95ea7a256cfee9b8848f1bd4d1df6e66444 Mon Sep 17 00:00:00 2001
-From: Tony Cook <tony(a)develop-help.com>
-Date: Wed, 27 Jul 2016 16:06:32 +1000
-Subject: [PATCH] CVE-2016-1238: avoid loading optional modules from default .
-
-The final . perl adds to @INC can be used by an attacker to fake
-an optional module in a world writable directory for a process
-using HTTP::Tiny when run from that directory.
-
-Remove the default . from the end of @INC when loading optional
-modules.
-
-Closes #90
----
- lib/HTTP/Tiny.pm | 4 ++++
- 1 file changed, 4 insertions(+)
-
-diff --git a/lib/HTTP/Tiny.pm b/lib/HTTP/Tiny.pm
-index f8059b7..ea6db53 100644
---- a/lib/HTTP/Tiny.pm
-+++ b/lib/HTTP/Tiny.pm
-@@ -504,6 +504,8 @@ sub can_ssl {
- my($ok, $reason) = (1, '');
-
- # Need IO::Socket::SSL 1.42 for SSL_create_ctx_callback
-+ local @INC = @INC;
-+ pop @INC if $INC[-1] eq '.';
- unless (eval {require IO::Socket::SSL; IO::Socket::SSL->VERSION(1.42)}) {
- $ok = 0;
- $reason .= qq/IO::Socket::SSL 1.42 must be installed for https support\n/;
-@@ -1568,6 +1570,8 @@ sub _find_CA_file {
- return $ca_file;
- }
-
-+ local @INC = @INC;
-+ pop @INC if $INC[-1] eq '.';
- return Mozilla::CA::SSL_ca_file()
- if eval { require Mozilla::CA; 1 };
-
diff --git a/perl-HTTP-Tiny.spec b/perl-HTTP-Tiny.spec
index 443b086..b3b366f 100644
--- a/perl-HTTP-Tiny.spec
+++ b/perl-HTTP-Tiny.spec
@@ -1,6 +1,6 @@
Name: perl-HTTP-Tiny
-Version: 0.058
-Release: 3%{?dist}
+Version: 0.064
+Release: 1%{?dist}
Summary: Small, simple, correct HTTP/1.1 client
License: GPL+ or Artistic
Group: Development/Libraries
@@ -9,9 +9,6 @@ Source0:
http://www.cpan.org/authors/id/D/DA/DAGOLDEN/HTTP-Tiny-%{version
# Check for write failure, bug #1031096, refused by upstream,
# <
https://github.com/chansen/p5-http-tiny/issues/32>
Patch0: HTTP-Tiny-0.058-Croak-on-failed-write-into-a-file.patch
-# Avoid loading optional modules from default . (CVE-2016-1238)
-# in upstream after 0.059
-Patch1: HTTP-Tiny-0.058-CVE-2016-1238-avoid-loading-optional-modules-from.patch
BuildArch: noarch
BuildRequires: findutils
BuildRequires: make
@@ -44,6 +41,7 @@ BuildRequires: perl(IO::File)
BuildRequires: perl(IO::Socket::INET)
# IO::Socket::SSL 1.56 not needed
BuildRequires: perl(IPC::Cmd)
+BuildRequires: perl(lib)
# Mozilla::CA not needed
# Net::SSLeay 1.49 not needed
BuildRequires: perl(open)
@@ -68,7 +66,6 @@ resumes after EINTR.
%prep
%setup -q -n HTTP-Tiny-%{version}
%patch0 -p1
-%patch1 -p1
%build
perl Makefile.PL INSTALLDIRS=vendor
@@ -89,6 +86,9 @@ make test
%{_mandir}/man3/*
%changelog
+* Fri Sep 02 2016 Petr Pisar <ppisar(a)redhat.com> - 0.064-1
+- 0.064 bump
+
* Tue Aug 02 2016 Jitka Plesnikova <jplesnik(a)redhat.com> - 0.058-3
- Avoid loading optional modules from default . (CVE-2016-1238)
diff --git a/sources b/sources
index 2854176..be1cc11 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-2cef09fbfc897c14547f3774d14824eb HTTP-Tiny-0.058.tar.gz
+4673143f2e400c8c7cc972b37a249e14 HTTP-Tiny-0.064.tar.gz
--
cgit v0.12
http://pkgs.fedoraproject.org/cgit/perl-HTTP-Tiny.git/commit/?h=f25&i...