[perltidy/el5] Fix insecure temporary file creation (CVE-2014-2277)
Paul Howarth
pghmcfc at fedoraproject.org
Fri Nov 21 16:17:51 UTC 2014
commit 015684363a044928b0931362aa2f00d44cd45a08
Author: Paul Howarth <paul at city-fan.org>
Date: Fri Nov 21 16:17:02 2014 +0000
Fix insecure temporary file creation (CVE-2014-2277)
- Fix insecure temporary file creation (CVE-2014-2277)
(patch based on the debian patch, plus corresponding manpage update from
Fedora)
- Re-code CHANGES file as UTF-8
Perl-Tidy-20070801-CVE-2014-2277.patch | 82 ++++++++++++++++++++++++++++++++
Perl-Tidy-20070801-utf8.patch | 30 ++++++++++++
perltidy.spec | 20 +++++++-
3 files changed, 129 insertions(+), 3 deletions(-)
---
diff --git a/Perl-Tidy-20070801-CVE-2014-2277.patch b/Perl-Tidy-20070801-CVE-2014-2277.patch
new file mode 100644
index 0000000..512b1cb
--- /dev/null
+++ b/Perl-Tidy-20070801-CVE-2014-2277.patch
@@ -0,0 +1,82 @@
+--- bin/perltidy
++++ bin/perltidy
+@@ -2632,9 +2632,8 @@ in any way. And, of course, it does not
+ =item Temporary files
+
+ Under the -html option with the default --pod2html flag, a temporary file is
+-required to pass text to Pod::Html. Unix systems will try to use the POSIX
+-tmpnam() function. Otherwise the file F<perltidy.TMP> will be temporarily
+-created in the current working directory.
++required to pass text to Pod::Html. The temporary file is created using
++File::Temp::tempfile().
+
+ =item Special files when standard input is used
+
+--- lib/Perl/Tidy.pm
++++ lib/Perl/Tidy.pm
+@@ -63,6 +63,7 @@ use vars qw{
+
+ use IO::File;
+ use File::Basename;
++use File::Temp qw(tempfile);
+
+ BEGIN {
+ ( $VERSION = q($Id: Tidy.pm,v 1.68 2007/08/01 16:22:38 perltidy Exp $) ) =~ s/^.*\s+(\d+)\/(\d+)\/(\d+).*$/$1$2$3/; # all one line for MakeMaker
+@@ -222,39 +223,6 @@ sub catfile {
+ return undef;
+ }
+
+-sub make_temporary_filename {
+-
+- # Make a temporary filename.
+- #
+- # The POSIX tmpnam() function tends to be unreliable for non-unix
+- # systems (at least for the win32 systems that I've tested), so use
+- # a pre-defined name. A slight disadvantage of this is that two
+- # perltidy runs in the same working directory may conflict.
+- # However, the chance of that is small and managable by the user.
+- # An alternative would be to check for the file's existance and use,
+- # say .TMP0, .TMP1, etc, but that scheme has its own problems. So,
+- # keep it simple.
+- my $name = "perltidy.TMP";
+- if ( $^O =~ /win32|dos/i || $^O eq 'VMS' || $^O eq 'MacOs' ) {
+- return $name;
+- }
+- eval "use POSIX qw(tmpnam)";
+- if ($@) { return $name }
+- use IO::File;
+-
+- # just make a couple of tries before giving up and using the default
+- for ( 0 .. 1 ) {
+- my $tmpname = tmpnam();
+- my $fh = IO::File->new( $tmpname, O_RDWR | O_CREAT | O_EXCL );
+- if ($fh) {
+- $fh->close();
+- return ($tmpname);
+- last;
+- }
+- }
+- return ($name);
+-}
+-
+ # Here is a map of the flow of data from the input source to the output
+ # line sink:
+ #
+@@ -4615,16 +4583,7 @@ sub pod_to_html {
+ }
+
+ # Pod::Html requires a real temporary filename
+- # If we are making a frame, we have a name available
+- # Otherwise, we have to fine one
+- my $tmpfile;
+- if ( $rOpts->{'frames'} ) {
+- $tmpfile = $self->{_toc_filename};
+- }
+- else {
+- $tmpfile = Perl::Tidy::make_temporary_filename();
+- }
+- my $fh_tmp = IO::File->new( $tmpfile, 'w' );
++ my ($fh_tmp,$tmpfile) = tempfile();
+ unless ($fh_tmp) {
+ warn "unable to open temporary file $tmpfile; cannot use pod2html\n";
+ return $success_flag;
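Review bot: The `unless ($fh_tmp)` fallback kept after the new `tempfile()` call is no longer reachable in the way its warning implies, because File::Temp::tempfile() croaks when it cannot create the file instead of returning an undefined handle, so a failure now dies out of pod_to_html rather than warning and returning `$success_flag` as the old IO::File path did. Wrapping the call, `my ( $fh_tmp, $tmpfile ) = eval { tempfile( UNLINK => 1 ) };`, keeps the existing warn-and-return path working (the message would then want `$@` appended, since `$tmpfile` is undefined on that path). The `UNLINK => 1` option also guarantees the file, which now lives in the system temp directory instead of being the toc file reused by the removed frames branch, is removed at exit even if the cleanup later in pod_to_html turns out to be conditional on the frames option; that later code, and the start and end of the enclosing sub, are outside the hunk.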
diff --git a/Perl-Tidy-20070801-utf8.patch b/Perl-Tidy-20070801-utf8.patch
new file mode 100644
index 0000000..362dfc8
--- /dev/null
+++ b/Perl-Tidy-20070801-utf8.patch
@@ -0,0 +1,30 @@
+--- CHANGES
++++ CHANGES
+@@ -470,8 +470,8 @@ Perltidy Change Log
+
+ -improved breakpoint choices involving '->'
+
+- -Corrected tokenization of things like ${#} or ${©}. For example,
+- ${©} is valid, but ${© } is a syntax error.
++ -Corrected tokenization of things like ${#} or ${©}. For example,
++ ${©} is valid, but ${© } is a syntax error.
+
+ -Corrected minor tokenization errors with indirect object notation.
+ For example, 'new A::()' works now.
+@@ -644,14 +644,14 @@ Perltidy Change Log
+ closing side comments (-csc) could have incorrect text. This is
+ annoying but will be correct the next time perltidy is run with -csc.
+
+- -Implemented XHTML patch submitted by Ville Skyttä.
++ -Implemented XHTML patch submitted by Ville Skyttä.
+
+ -Fixed bug where whitespace was being removed between 'Bar' and '()'
+ in a use statement like:
+
+ use Foo::Bar ();
+
+- Thanks to Ville Skyttä for reporting this.
++ Thanks to Ville Skyttä for reporting this.
+
+ -Whenever possible, if a logical expression is broken with leading
+ '&&', '||', 'and', or 'or', then the leading line will be padded
diff --git a/perltidy.spec b/perltidy.spec
index a350d03..b83b22e 100644
--- a/perltidy.spec
+++ b/perltidy.spec
@@ -1,12 +1,14 @@
Name: perltidy
Version: 20070801
-Release: 1%{?dist}
+Release: 2%{?dist}
Summary: Tool for indenting and reformatting Perl scripts
Group: Development/Tools
License: GPLv2+
URL: http://perltidy.sourceforge.net/
-Source: http://downloads.sourceforge.net/perltidy/Perl-Tidy-%{version}.tar.gz
+Source0: http://downloads.sourceforge.net/perltidy/Perl-Tidy-%{version}.tar.gz
+Patch0: Perl-Tidy-20070801-CVE-2014-2277.patch
+Patch1: Perl-Tidy-20070801-utf8.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
BuildArch: noarch
@@ -30,6 +32,13 @@ brackets because it is very good at localizing errors.
%setup -q -n Perl-Tidy-%{version}
rm -f docs/perltidy.1 examples/pt.bat
+# Fix insecure temporary file creation (CVE-2014-2277)
+# (patch based on the debian patch, plus corresponding manpage update from Fedora)
+%patch0
+
+# Re-code CHANGES file as UTF-8
+%patch1
+
%build
%{__perl} Makefile.PL INSTALLDIRS=vendor
@@ -62,6 +71,11 @@ rm -rf $RPM_BUILD_ROOT
%changelog
+* Fri Nov 21 2014 Paul Howarth <paul at city-fan.org> - 20070801-2
+- Fix insecure temporary file creation (CVE-2014-2277)
+ (patch based on the debian patch, plus corresponding manpage update from Fedora)
+- Re-code CHANGES file as UTF-8
+
* Wed Aug 1 2007 Ville Skyttä <ville.skytta at iki.fi> - 20070801-1
- 20070801.
@@ -87,7 +101,7 @@ rm -rf $RPM_BUILD_ROOT
* Thu Jun 15 2006 Ville Skyttä <ville.skytta at iki.fi> - 20060614-1
- 20060614, specfile cleanups, include examples in docs.
-* Fri Apr 7 2005 Michael Schwendt <mschwendt[AT]users.sf.net>
+* Wed Apr 6 2005 Michael Schwendt <mschwendt[AT]users.sf.net>
- rebuilt
* Thu Dec 16 2004 Ville Skyttä <ville.skytta at iki.fi> - 0:20031021-1