[perl-Log-Message] Open configuration file for reading explicitly

Petr Pisar ppisar at fedoraproject.org
Thu Apr 25 09:11:15 UTC 2013


commit 3834dd7566f4f999906a98d81cfd1d1de7145fd6
Author: Petr Písař <ppisar at redhat.com>
Date:   Thu Apr 25 11:11:00 2013 +0200

    Open configuration file for reading explicitly

 ...-0.06-Open-configuration-file-for-reading.patch |   30 ++++++++++++++++++++
 perl-Log-Message.spec                              |    8 ++++-
 2 files changed, 37 insertions(+), 1 deletions(-)
---
diff --git a/Log-Message-0.06-Open-configuration-file-for-reading.patch b/Log-Message-0.06-Open-configuration-file-for-reading.patch
new file mode 100644
index 0000000..58481c1
--- /dev/null
+++ b/Log-Message-0.06-Open-configuration-file-for-reading.patch
@@ -0,0 +1,30 @@
+From 66f18d5a6a6a17f574505b280ca8acc6a21f6451 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar at redhat.com>
+Date: Thu, 25 Apr 2013 10:51:00 +0200
+Subject: [PATCH] Open configuration file for reading
+
+This patch opens configuration file for reading only, allows to
+use file which names starts with special character, like '<', and
+prevents from opening malicious file like '>/etc/passwd'.
+
+Thanks to Florian Weimer for spotting it.
+---
+ lib/Log/Message/Config.pm | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/Log/Message/Config.pm b/lib/Log/Message/Config.pm
+index e326e40..5bd115e 100644
+--- a/lib/Log/Message/Config.pm
++++ b/lib/Log/Message/Config.pm
+@@ -70,7 +70,7 @@ sub _read_config_file {
+ 
+     my $conf = {};
+     my $FH = new FileHandle;
+-    $FH->open("$file") or (
++    $FH->open("$file", 'r') or (
+                         warn(loc(q[Could not open config file '%1': %2],$file,$!)),
+                         return {}
+                     );
+-- 
+1.8.1.4
+
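Review bot: the fix at `$FH->open("$file", 'r')` is right but ships without a regression test. With a single argument, IO::File's open() falls through to Perl's two-argument open(), which parses a leading '<', '>' or '|' (and a trailing '|', which would run a command) as a mode; with a mode given, IO::File maps 'r' to '<' and calls three-argument open(), so every character of the name is literal. Suggest adding a test to the patch that creates a file named like `<literal.conf`, checks that `_read_config_file` reads it, and checks that a name beginning with '>' fails without truncating anything. Minor style point: now that the mode is explicit the `"$file"` quoting is redundant, `$FH->open($file, 'r')` reads more clearly.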
diff --git a/perl-Log-Message.spec b/perl-Log-Message.spec
index a073eda..ff4ee94 100644
--- a/perl-Log-Message.spec
+++ b/perl-Log-Message.spec
@@ -2,12 +2,14 @@ Name:           perl-Log-Message
 # Epoch to compete with perl.spec
 Epoch:          1
 Version:        0.06
-Release:        1%{?dist}
+Release:        2%{?dist}
 Summary:        Generic message storing mechanism
 License:        GPL+ or Artistic
 Group:          Development/Libraries
 URL:            http://search.cpan.org/dist/Log-Message/
 Source0:        http://www.cpan.org/authors/id/B/BI/BINGOS/Log-Message-%{version}.tar.gz
+# Bug #955210, CPAN RT #84844
+Patch0:         Log-Message-0.06-Open-configuration-file-for-reading.patch
 BuildArch:      noarch
 BuildRequires:  perl(ExtUtils::MakeMaker)
 BuildRequires:  perl(strict)
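Review bot: the Patch0 comment carries both the Bugzilla and the CPAN RT reference, good, but the Epoch comment at the top of this hunk says the package competes with the copy in perl.spec. If perl.spec still bundles Log::Message, the same patch has to land there too, otherwise a system where the core copy wins stays affected; worth recording in bug #955210 which copy is picked up on an installed system.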
@@ -41,6 +43,7 @@ your own handlers for dealing with messages.
 
 %prep
 %setup -q -n Log-Message-%{version}
+%patch0 -p1
 
 %build
 perl Makefile.PL INSTALLDIRS=vendor
@@ -60,6 +63,9 @@ make test
 %{_mandir}/man3/*
 
 %changelog
+* Thu Apr 25 2013 Petr Pisar <ppisar at redhat.com> - 1:0.06-2
+- Open configuration file for reading explicitly (bug #955210)
+
 * Thu Jan 24 2013 Petr Pisar <ppisar at redhat.com> 1:0.06-1
 - Specfile autogenerated by cpanspec 1.78.
 - Require deprecated module if needed
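Review bot: the new changelog entry uses `- 1:0.06-2` while the entry below it uses `1:0.06-1` without the separating dash; keep one form (the dashed one is the conventional layout). Also consider citing CPAN RT #84844 next to bug #955210 here, as the Patch0 comment already does, so the upstream report is reachable from the changelog alone.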

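The following is an added Perl example, not code from this commit or from Log::Message, showing what the one-line change in the patch above actually alters. It mirrors the 'before' and 'after' forms of the `$FH->open` call in two small functions and runs them against two constructed files in a temporary directory: one an attacker wants to destroy via a name beginning with '>', the other a legitimate config whose name begins with '<'. The file names, the temporary directory and the output format are assumptions of this example.

```perl
#!/usr/bin/perl
# Added example, not code from the Fedora commit or from Log::Message:
# demonstrates the difference between FileHandle->open($file) and
# FileHandle->open($file, 'r') on untrusted file names.
use strict;
use warnings;
use FileHandle;
use File::Temp qw(tempdir);
use Cwd qw(getcwd);

# Work inside a scratch directory so that relative names starting with
# '>' or '<' can be used; both sample files are constructed here.
my $orig_dir = getcwd();
my $dir = tempdir(CLEANUP => 1);
chdir $dir or die "chdir $dir: $!";
END { chdir $orig_dir if defined $orig_dir }

sub write_sample {
    my ($name) = @_;
    open my $out, '>', $name or die "cannot create $name: $!";
    print $out "key = value\n";
    close $out;
}

write_sample('victim.conf');      # a config an attacker wants to destroy
write_sample('<literal.conf');    # a legitimate config whose name starts with '<'

# Mirrors the 'before' line of the patch: one argument, so FileHandle
# falls back to Perl's two-argument open(), which parses mode characters
# ('<', '>', '|', ...) out of the string.
sub open_unpatched {
    my ($file) = @_;
    my $FH = FileHandle->new;
    $FH->open("$file") or return "open failed ($!)";
    $FH->close;
    return 'opened';
}

# Mirrors the 'after' line of the patch: with a mode given, IO::File maps
# 'r' to '<' and calls three-argument open(), so every character of
# $file is part of the name.
sub open_patched {
    my ($file) = @_;
    my $FH = FileHandle->new;
    $FH->open("$file", 'r') or return "open failed ($!)";
    $FH->close;
    return 'opened';
}

# Case 1: attacker-controlled name ">victim.conf".
# Unpatched: the leading '>' means "truncate for writing", so merely
# trying to read the config empties victim.conf.
my $evil = '>victim.conf';
my $res  = open_unpatched($evil);
printf "unpatched %-16s: %s; victim.conf is now %d bytes\n",
    "'$evil'", $res, (-s 'victim.conf') || 0;

# Restore the file and retry with the fix: no file named ">victim.conf"
# exists, so the open fails and the real config is untouched.
write_sample('victim.conf');
$res = open_patched($evil);
printf "patched   %-16s: %s; victim.conf is still %d bytes\n",
    "'$evil'", $res, (-s 'victim.conf') || 0;

# Case 2: a real file named "<literal.conf".
# Unpatched: two-argument open() strips the '<' and looks for
# "literal.conf", which does not exist. Patched: opened as named.
my $name = '<literal.conf';
printf "unpatched %-16s: %s\n", "'$name'", open_unpatched($name);
printf "patched   %-16s: %s\n", "'$name'", open_patched($name);
```

Run it with any Perl that ships FileHandle and File::Temp (both core modules). The unpatched call with the '>' name reports success while the victim file shrinks to zero bytes; the patched call fails on that name and succeeds on the '<' name, which is exactly the behaviour the commit message describes.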

More information about the scm-commits mailing list