packages/perl-Digest
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Package init

Browse Source
This commit is contained in:
overweight 2019-09-30 11:12:01 -04:00
commit c637a3b2f6
3 changed files with 94 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

41
Digest-0.17-CVE-2016-1238-prevent-loading-optional-modules-from-.patch Normal file
View File

@ -0,0 +1,41 @@
From 8cfc4916736280dd76655fdef5b78331bfac414d Mon Sep 17 00:00:00 2001
From: Tony Cook <tony@develop-help.com>
Date: Wed, 27 Jul 2016 14:04:59 +1000
Subject: [PATCH] CVE-2016-1238: prevent loading optional modules from default
.
Digest attempts to load Digest::SHA, only failing if Digest::SHA2
is also unavailable.
If a system has Digest installed, but not Digest::SHA, and a user
attempts to run a program using Digest with SHA-256 from a world
writable directory such as /tmp and since perl adds "." to the end
of @INC an attacker can run code as the original user by creating
/tmp/Digest/SHA.pm.
The change temporarily removes the default "." entry from the end of
@INC preventing that attack.
---
Digest.pm | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/Digest.pm b/Digest.pm
index 2ae6eec..c75649f 100644
--- a/Digest.pm
+++ b/Digest.pm
@@ -42,7 +42,11 @@ sub new
unless (exists ${"$class\::"}{"VERSION"}) {
my $pm_file = $class . ".pm";
$pm_file =~ s{::}{/}g;
- eval { require $pm_file };
+ eval {
+ local @INC = @INC;
+ pop @INC if $INC[-1] eq '.';
+ require $pm_file;
+ };
if ($@) {
$err ||= $@;
next;
--
2.1.4

BIN
Digest-1.17.tar.gz Normal file
View File

Binary file not shown.

53
perl-Digest.spec Normal file
View File

@ -0,0 +1,53 @@
Name: perl-Digest
Version: 1.17
Release: 419
Summary: Modules that calculate message digests
License: GPL+ or Artistic
URL: https://metacpan.org/release/Digest
Source0: https://cpan.metacpan.org/authors/id/G/GA/GAAS/Digest-%{version}.tar.gz
Patch0001: Digest-0.17-CVE-2016-1238-prevent-loading-optional-modules-from-.patch
BuildArch: noarch
BuildRequires: coreutils findutils make perl-interpreter perl-generators perl(Carp) perl(Exporter) perl(ExtUtils::MakeMaker) perl(MIME::Base64)
BuildRequires: perl(lib) perl(Test::More)
Requires: perl(:MODULE_COMPAT_%(eval "`%{__perl} -V:version`"; echo $version)) perl(MIME::Base64)
%description
The Digest:: modules calculate digests, also called "fingerprints" or
"hashes", of some data, called a message. The digest is (usually)
some small/fixed size string. The actual size of the digest depend of
the algorithm used. The message is simply a sequence of arbitrary
bytes or bits.
%package_help
%prep
%autosetup -n Digest-%{version} -p1
chmod -x digest-bench
%build
%{__perl} Makefile.PL NO_PACKLIST=1 INSTALLDIRS=vendor
%{make_build}
%install
make pure_install PERL_INSTALL_ROOT=%{buildroot}
%{_fixperms} %{buildroot}/*
%check
make test
%files
%doc digest-bench README Changes
%{perl_vendorlib}/*
%files help
%{_mandir}/*/*
%changelog
* Sun Sep 29 2019 yefei <yefei25@huawei.com> - 1.17-419
- Type:enhancement
- ID:NA
- SUG:NA
- DESC:delete irrelevant information
* Sat Sep 14 2019 openEuler Buildteam <buildteam@openeuler.org> - 1.17-418
- Package init