[perl-Log-Message] Open configuration file for reading explicitly
Petr Pisar
ppisar at fedoraproject.org
Thu Apr 25 09:11:15 UTC 2013
commit 3834dd7566f4f999906a98d81cfd1d1de7145fd6
Author: Petr Písař <ppisar at redhat.com>
Date: Thu Apr 25 11:11:00 2013 +0200
Open configuration file for reading explicitly
...-0.06-Open-configuration-file-for-reading.patch | 30 ++++++++++++++++++++
perl-Log-Message.spec | 8 ++++-
2 files changed, 37 insertions(+), 1 deletions(-)
---
diff --git a/Log-Message-0.06-Open-configuration-file-for-reading.patch b/Log-Message-0.06-Open-configuration-file-for-reading.patch
new file mode 100644
index 0000000..58481c1
--- /dev/null
+++ b/Log-Message-0.06-Open-configuration-file-for-reading.patch
@@ -0,0 +1,30 @@
+From 66f18d5a6a6a17f574505b280ca8acc6a21f6451 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar at redhat.com>
+Date: Thu, 25 Apr 2013 10:51:00 +0200
+Subject: [PATCH] Open configuration file for reading
+
+This patch opens configuration file for reading only, allows to
+use file which names starts with special character, like '<', and
+prevents from opening malicious file like '>/etc/passwd'.
+
+Thanks to Florian Weimer for spotting it.
+---
+ lib/Log/Message/Config.pm | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/Log/Message/Config.pm b/lib/Log/Message/Config.pm
+index e326e40..5bd115e 100644
+--- a/lib/Log/Message/Config.pm
++++ b/lib/Log/Message/Config.pm
+@@ -70,7 +70,7 @@ sub _read_config_file {
+
+ my $conf = {};
+ my $FH = new FileHandle;
+- $FH->open("$file") or (
++ $FH->open("$file", 'r') or (
+ warn(loc(q[Could not open config file '%1': %2],$file,$!)),
+ return {}
+ );
+--
+1.8.1.4
+
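Review bot: the one-token change at `$FH->open("$file", 'r')` is the right fix, and it is worth stating why in the description: with a mode string IO::File calls Perl's three-argument `open($fh, '<', $file)`, so a file name is taken literally, whereas the replaced one-argument `$FH->open("$file")` goes through two-argument `open`, where a leading `<`, `>`, `>>` or `|` in the name is parsed as the mode and `'>/etc/passwd'` means "truncate /etc/passwd for writing". Two small points on the new line: the `"$file"` stringification is unnecessary (pass `$file`), and writing the mode as `'<'` rather than the fopen-style `'r'` would make the read-only intent obvious to readers who do not know IO::File's mode table. The `warn(loc(...), $!)` in the unchanged context still reports the errno, so a hostile name now yields a harmless "No such file or directory" warning instead of a clobbered file.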
diff --git a/perl-Log-Message.spec b/perl-Log-Message.spec
index a073eda..ff4ee94 100644
--- a/perl-Log-Message.spec
+++ b/perl-Log-Message.spec
@@ -2,12 +2,14 @@ Name: perl-Log-Message
# Epoch to compete with perl.spec
Epoch: 1
Version: 0.06
-Release: 1%{?dist}
+Release: 2%{?dist}
Summary: Generic message storing mechanism
License: GPL+ or Artistic
Group: Development/Libraries
URL: http://search.cpan.org/dist/Log-Message/
Source0: http://www.cpan.org/authors/id/B/BI/BINGOS/Log-Message-%{version}.tar.gz
+# Bug #955210, CPAN RT #84844
+Patch0: Log-Message-0.06-Open-configuration-file-for-reading.patch
BuildArch: noarch
BuildRequires: perl(ExtUtils::MakeMaker)
BuildRequires: perl(strict)
@@ -41,6 +43,7 @@ your own handlers for dealing with messages.
%prep
%setup -q -n Log-Message-%{version}
+%patch0 -p1
%build
perl Makefile.PL INSTALLDIRS=vendor
@@ -60,6 +63,9 @@ make test
%{_mandir}/man3/*
%changelog
+* Thu Apr 25 2013 Petr Pisar <ppisar at redhat.com> - 1:0.06-2
+- Open configuration file for reading explicitly (bug #955210)
+
* Thu Jan 24 2013 Petr Pisar <ppisar at redhat.com> 1:0.06-1
- Specfile autogenerated by cpanspec 1.78.
- Require deprecated module if needed
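The behaviour the patch description refers to, as an added example in Perl that is not part of the Log-Message patch or the Fedora package: a scratch file inside a temporary directory stands in for /etc/passwd, the helper names (`open_config_two_arg`, `open_config_read_only`, `reset_victim`) are constructed for this demo, and the two helpers mirror the pre-patch and patched `$FH->open` lines of `Log::Message::Config::_read_config_file`.

```perl
#!/usr/bin/perl
# Added example, not part of the Log-Message patch or the Fedora package:
# reproduces the behaviour the patch description talks about, using a
# scratch directory instead of /etc/passwd. The helper names and the
# file names are constructed for this demo.
use strict;
use warnings;
use FileHandle;
use File::Spec;
use File::Temp qw(tempdir);

# Mirrors the pre-patch line in Log::Message::Config::_read_config_file:
# a single argument makes IO::File fall back to Perl's two-argument open(),
# which interprets a leading '<', '>', '>>' or '|' as the open mode.
sub open_config_two_arg {
    my ($file) = @_;
    my $FH = FileHandle->new;
    return $FH->open("$file") ? $FH : undef;
}

# Mirrors the patched line: an explicit mode makes IO::File use the
# three-argument open(), so $file is treated as a literal path.
sub open_config_read_only {
    my ($file) = @_;
    my $FH = FileHandle->new;
    return $FH->open("$file", 'r') ? $FH : undef;
}

# Size in bytes of a path (undef if it does not exist).
sub size_of { my ($path) = @_; return (stat $path)[7] }

# (Re)create the stand-in for /etc/passwd with known contents.
sub reset_victim {
    my ($path) = @_;
    open my $out, '>', $path or die "cannot create $path: $!";
    print $out "original contents\n";
    close $out;
}

my $dir    = tempdir(CLEANUP => 1);
my $victim = File::Spec->catfile($dir, 'victim');
# Attacker-controlled "config file name" in the shape of '>/etc/passwd'.
my $hostile = '>' . $victim;

reset_victim($victim);
if (my $fh = open_config_two_arg($hostile)) {
    # The open "succeeded": two-argument open() opened $victim for writing.
    $fh->close;
}
printf "two-arg open of '%s': victim is now %d bytes\n",
    $hostile, size_of($victim);

reset_victim($victim);
if (my $fh = open_config_read_only($hostile)) {
    $fh->close;
} else {
    # Three-argument open() looked for a file literally named '>/.../victim'.
    printf "read-only open of '%s' failed: %s\n", $hostile, $!;
}
printf "three-arg open of '%s': victim is still %d bytes\n",
    $hostile, size_of($victim);
```

Run it as an unprivileged user; the first report shows the stand-in file truncated to zero bytes by the pre-patch form, while the patched form fails to open a file literally named `>` followed by the path and leaves the stand-in untouched. Swapping `'r'` for `'<'` in `open_config_read_only` gives the same result, since IO::File accepts either spelling of the read-only mode.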