commit c637a3b2f6cc066027b9ca0047f0117d4c4363ac
Author: overweight <5324761+overweight@user.noreply.gitee.com>
Date: Mon Sep 30 11:12:01 2019 -0400
Package init
diff --git a/Digest-0.17-CVE-2016-1238-prevent-loading-optional-modules-from-.patch b/Digest-0.17-CVE-2016-1238-prevent-loading-optional-modules-from-.patch
new file mode 100644
index 0000000..5552a4b
--- /dev/null
+++ b/Digest-0.17-CVE-2016-1238-prevent-loading-optional-modules-from-.patch
@@ -0,0 +1,41 @@
+From 8cfc4916736280dd76655fdef5b78331bfac414d Mon Sep 17 00:00:00 2001
+From: Tony Cook
+Date: Wed, 27 Jul 2016 14:04:59 +1000
+Subject: [PATCH] CVE-2016-1238: prevent loading optional modules from default
+ .
+
+Digest attempts to load Digest::SHA, only failing if Digest::SHA2
+is also unavailable.
+
+If a system has Digest installed, but not Digest::SHA, and a user
+attempts to run a program using Digest with SHA-256 from a world
+writable directory such as /tmp and since perl adds "." to the end
+of @INC an attacker can run code as the original user by creating
+/tmp/Digest/SHA.pm.
+
+The change temporarily removes the default "." entry from the end of
+@INC preventing that attack.
+---
+ Digest.pm | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/Digest.pm b/Digest.pm
+index 2ae6eec..c75649f 100644
+--- a/Digest.pm
++++ b/Digest.pm
+@@ -42,7 +42,11 @@ sub new
+ unless (exists ${"$class\::"}{"VERSION"}) {
+ my $pm_file = $class . ".pm";
+ $pm_file =~ s{::}{/}g;
+- eval { require $pm_file };
++ eval {
++ local @INC = @INC;
++ pop @INC if $INC[-1] eq '.';
++ require $pm_file;
++ };
+ if ($@) {
+ $err ||= $@;
+ next;
+--
+2.1.4
+
diff --git a/Digest-1.17.tar.gz b/Digest-1.17.tar.gz
new file mode 100644
index 0000000..301b087
Binary files /dev/null and b/Digest-1.17.tar.gz differ
diff --git a/perl-Digest.spec b/perl-Digest.spec
new file mode 100644
index 0000000..c7be3d3
--- /dev/null
+++ b/perl-Digest.spec
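Review bot: The guard `pop @INC if $INC[-1] eq '.';` in the carried patch removes only a trailing "." — the default entry the CVE-2016-1238 description refers to — so a relative search path that lands elsewhere in @INC (for example via PERL5LIB) is still consulted when an optional backend is missing; that narrow scope is intentional upstream, but nothing in the hunk records it. A comment above `local @INC = @INC;` such as `# CVE-2016-1238: drop perl's default trailing "." so a missing optional backend is not resolved from the current directory` would stop a later maintainer from folding the three lines back into the original one-line `eval { require $pm_file }`. The enclosing `sub new` in Digest.pm starts and ends outside the quoted hunk, so the `$err ||= $@; next;` fall-through that moves on to the next candidate module after a failed load cannot be fully assessed here.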
@@ -0,0 +1,53 @@
+Name: perl-Digest
+Version: 1.17
+Release: 419
+Summary: Modules that calculate message digests
+License: GPL+ or Artistic
+URL: https://metacpan.org/release/Digest
+Source0: https://cpan.metacpan.org/authors/id/G/GA/GAAS/Digest-%{version}.tar.gz
+Patch0001: Digest-0.17-CVE-2016-1238-prevent-loading-optional-modules-from-.patch
+BuildArch: noarch
+BuildRequires: coreutils findutils make perl-interpreter perl-generators perl(Carp) perl(Exporter) perl(ExtUtils::MakeMaker) perl(MIME::Base64)
+BuildRequires: perl(lib) perl(Test::More)
+Requires: perl(:MODULE_COMPAT_%(eval "`%{__perl} -V:version`"; echo $version)) perl(MIME::Base64)
+
+%description
+The Digest:: modules calculate digests, also called "fingerprints" or
+"hashes", of some data, called a message. The digest is (usually)
+some small/fixed size string. The actual size of the digest depend of
+the algorithm used. The message is simply a sequence of arbitrary
+bytes or bits.
+
+%package_help
+
+%prep
+%autosetup -n Digest-%{version} -p1
+chmod -x digest-bench
+
+%build
+%{__perl} Makefile.PL NO_PACKLIST=1 INSTALLDIRS=vendor
+%{make_build}
+
+%install
+make pure_install PERL_INSTALL_ROOT=%{buildroot}
+%{_fixperms} %{buildroot}/*
+
+%check
+make test
+
+%files
+%doc digest-bench README Changes
+%{perl_vendorlib}/*
+
+%files help
+%{_mandir}/*/*
+
+%changelog
+* Sun Sep 29 2019 yefei - 1.17-419
+- Type:enhancement
+- ID:NA
+- SUG:NA
+- DESC:delete irrelevant information
+
+* Sat Sep 14 2019 openEuler Buildteam - 1.17-418
+- Package init
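Review bot: `Requires:` pulls in only perl(MIME::Base64), yet the patch this spec carries describes Digest as loading backends such as Digest::SHA at runtime, so a system with just this package has no algorithm module for `sub new` to find; consider adding the backends as weak dependencies, e.g. `Recommends: perl(Digest::MD5)` and `Recommends: perl(Digest::SHA)`, if the target rpm supports them. The `Patch0001:` file name starts with `Digest-0.17-` while `Version:` is 1.17; presumably the name was carried over from an older package, but renaming it to the release it is applied to (`%autosetup -p1`) removes the doubt over whether it was refreshed. Neither point is addressed in the 1.17-419 changelog entry.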