[perl-YAML-LibYAML] Clean up and add patch for CVE-2012-1152 (CPAN RT#46507)
Paul Howarth
pghmcfc at fedoraproject.org
Thu Mar 29 17:57:38 UTC 2012
commit 2d5a8241a0aed1cdb555ce36c232178235c93104
Author: Paul Howarth <paul at city-fan.org>
Date: Thu Mar 29 18:56:28 2012 +0100
Clean up and add patch for CVE-2012-1152 (CPAN RT#46507)
- Fix various format string vulnerabilities (CVE-2012-1152, CPAN RT#46507)
- De-duplicate buildreqs, with Module>Install>Tests priority
- Install to vendor directories
- Don't need to remove empty directories from buildroot
- Don't use macros for commands
- Make %files list more explicit
- Tidy %description
YAML-LibYAML-0.35-format-error.patch | 39 ++++++++++++++++++++
perl-YAML-LibYAML.spec | 67 ++++++++++++++++++++++------------
2 files changed, 82 insertions(+), 24 deletions(-)
---
diff --git a/YAML-LibYAML-0.35-format-error.patch b/YAML-LibYAML-0.35-format-error.patch
new file mode 100644
index 0000000..2b25380
--- /dev/null
+++ b/YAML-LibYAML-0.35-format-error.patch
@@ -0,0 +1,39 @@
+diff -urbaN YAML-LibYAML-0.35-orig//LibYAML/perl_libyaml.c YAML-LibYAML-0.35/LibYAML/perl_libyaml.c
+--- YAML-LibYAML-0.35-orig//LibYAML/perl_libyaml.c 2011-04-03 18:28:08.000000000 +0200
++++ YAML-LibYAML-0.35/LibYAML/perl_libyaml.c 2011-04-08 09:25:49.633009787 +0200
+@@ -188,7 +188,7 @@
+ return;
+
+ load_error:
+- croak(loader_error_msg(&loader, NULL));
++ croak("%s", loader_error_msg(&loader, NULL));
+ }
+
+ /*
+@@ -271,7 +271,7 @@
+ return return_sv;
+
+ load_error:
+- croak(loader_error_msg(loader, NULL));
++ croak("%s", loader_error_msg(loader, NULL));
+ }
+
+ /*
+@@ -314,7 +314,7 @@
+ else if (strlen(tag) <= strlen(prefix) ||
+ ! strnEQ(tag, prefix, strlen(prefix))
+ ) croak(
+- loader_error_msg(loader, form("bad tag found for hash: '%s'", tag))
++ "%s", loader_error_msg(loader, form("bad tag found for hash: '%s'", tag))
+ );
+ class = tag + strlen(prefix);
+ sv_bless(hash_ref, gv_stashpv(class, TRUE));
+@@ -347,7 +347,7 @@
+ else if (strlen(tag) <= strlen(prefix) ||
+ ! strnEQ(tag, prefix, strlen(prefix))
+ ) croak(
+- loader_error_msg(loader, form("bad tag found for array: '%s'", tag))
++ "%s", loader_error_msg(loader, form("bad tag found for array: '%s'", tag))
+ );
+ class = tag + strlen(prefix);
+ sv_bless(array_ref, gv_stashpv(class, TRUE));
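Review bot: The two bad-tag call sites still pass a `form("bad tag found for ...: '%s'", tag)` result, which embeds the document-supplied `tag`, as the second argument of `loader_error_msg()`, and that function's body is not visible in these hunks. If it uses that argument as a format anywhere rather than inserting it through `%s`, the same class of defect remains one level below the `croak("%s", ...)` fix. It would be worth confirming this and recording the contract at its definition, for example `/* problem is inserted verbatim via %s and is never used as a format string */`. Compiling `perl_libyaml.c` with `-Wformat -Wformat-security` should also show whether any other `croak`/`warn` call outside these four sites still takes a non-literal format. All four enclosing functions start and end outside the hunks shown.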
diff --git a/perl-YAML-LibYAML.spec b/perl-YAML-LibYAML.spec
index 3f95210..12660d7 100644
--- a/perl-YAML-LibYAML.spec
+++ b/perl-YAML-LibYAML.spec
@@ -1,67 +1,86 @@
Name: perl-YAML-LibYAML
Version: 0.38
-Release: 1%{?dist}
+Release: 2%{?dist}
Summary: Perl YAML Serialization using XS and libyaml
License: GPL+ or Artistic
Group: Development/Libraries
URL: http://search.cpan.org/dist/YAML-LibYAML/
Source0: http://search.cpan.org/CPAN/authors/id/I/IN/INGY/YAML-LibYAML-%{version}.tar.gz
-BuildRequires: perl(B::Deparse)
-BuildRequires: perl(base)
-BuildRequires: perl(constant)
+Patch0: YAML-LibYAML-0.35-format-error.patch
+
+# Install
BuildRequires: perl(Cwd)
-BuildRequires: perl(Exporter)
BuildRequires: perl(ExtUtils::MakeMaker)
BuildRequires: perl(File::Find)
BuildRequires: perl(File::Path)
BuildRequires: perl(File::Spec)
+
+# Module
+BuildRequires: perl >= 3:5.8.3
+BuildRequires: perl(B::Deparse)
+BuildRequires: perl(base)
+BuildRequires: perl(constant)
+BuildRequires: perl(Exporter)
+BuildRequires: perl(XSLoader)
+
+# Tests
+BuildRequires: perl(Devel::Peek)
+BuildRequires: perl(Scalar::Util)
BuildRequires: perl(Test::Builder)
BuildRequires: perl(Test::Builder::Module)
BuildRequires: perl(Test::More)
-# Tests only
-BuildRequires: perl(Devel::Peek)
-BuildRequires: perl(File::Path)
-BuildRequires: perl(Scalar::Util)
-BuildRequires: perl(Test::Base)
-BuildRequires: perl(Test::Base::Filter)
BuildRequires: perl(Tie::Array)
BuildRequires: perl(Tie::Hash)
-Requires: perl(:MODULE_COMPAT_%(eval "`%{__perl} -V:version`"; echo $version))
+# Runtime
+Requires: perl(:MODULE_COMPAT_%(eval "`perl -V:version`"; echo $version))
+
+# Avoid provides for perl shared objects
%{?perl_default_filter}
%description
-Kirill Siminov's "libyaml" is arguably the best YAML
-implementation. The C library is written precisely to the YAML 1.1
-specification. It was originally bound to Python and was later
-bound to Ruby.
+Kirill Siminov's "libyaml" is arguably the best YAML implementation. The C
+library is written precisely to the YAML 1.1 specification. It was originally
+bound to Python and was later bound to Ruby.
%prep
%setup -q -n YAML-LibYAML-%{version}
+# Fix format string vulnerabilities (CVE-2012-1152, CPAN RT#46507)
+%patch0 -p1
+
%build
-%{__perl} Makefile.PL INSTALLDIRS=perl OPTIMIZE="%{optflags}"
+perl Makefile.PL INSTALLDIRS=vendor OPTIMIZE="%{optflags}"
make %{?_smp_mflags}
%install
make pure_install DESTDIR=%{buildroot}
find %{buildroot} -type f -name .packlist -exec rm -f {} \;
find %{buildroot} -type f -name '*.bs' -size 0 -exec rm -f {} \;
-find %{buildroot} -depth -type d -exec rmdir {} 2>/dev/null \;
-%{_fixperms} %{buildroot}/*
+%{_fixperms} %{buildroot}
%check
make test
%files
%doc Changes README
-%{perl_archlib}/auto/*
-%{perl_archlib}/YAML*
-%{_mandir}/man3/*
+%{perl_vendorarch}/auto/YAML/
+%{perl_vendorarch}/YAML/
+%{_mandir}/man3/YAML::XS.3pm*
+%{_mandir}/man3/YAML::XS::LibYAML.3pm*
%changelog
-* Fri Jan 13 2012 Marcela Mašláňová <mmaslano at redhat.com> - 0.38-2
-- bump to 0.38
+* Thu Mar 29 2012 Paul Howarth <paul at city-fan.org> - 0.38-2
+- Fix various format string vulnerabilities (CVE-2012-1152, CPAN RT#46507)
+- De-duplicate buildreqs, with Module>Install>Tests priority
+- Install to vendor directories
+- Don't need to remove empty directories from buildroot
+- Don't use macros for commands
+- Make %%files list more explicit
+- Tidy %%description
+
+* Fri Jan 13 2012 Marcela Mašláňová <mmaslano at redhat.com> - 0.38-1
+- Bump to 0.38
* Fri Sep 30 2011 Petr Sabata <contyk at redhat.com> - 0.37-1
- 0.37 bump
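Review bot: `Patch0` is named for and was generated against 0.35 (its inner header reads `YAML-LibYAML-0.35/LibYAML/perl_libyaml.c`), while `Version` is 0.38, and nothing in the spec records that it was checked against the newer source. `%patch0 -p1` accepts line offsets without failing the build, so for a security fix the build log should be checked to confirm all four hunks landed on the intended `croak(` calls. A comment next to the `Patch0:` line would make this auditable, for example `# CPAN RT#46507 patch, generated against 0.35; verified to apply to 0.38 (not yet upstream)`, adjusted to the actual upstream status. Separately, the `perl(Test::Base)` and `perl(Test::Base::Filter)` build requirements are dropped rather than de-duplicated; if `make test` relies on a bundled copy, a short comment saying so would explain the removal.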