Hello community, here is the log from the commit of package perl for openSUSE:11.2 checked in at Fri May 6 15:21:38 CEST 2011.
--------
--- old-versions/11.2/UPDATES/all/perl/perl.changes 2011-01-12 13:00:42.000000000 +0100
+++ 11.2/perl/perl.changes 2011-05-03 18:13:33.000000000 +0200
@@ -1,0 +2,9 @@
+Tue May 3 14:30:03 CEST 2011 - [email protected]
+
+- fix regexp crash in reg_numbered_buff_fetch [bnc#676086]
+ [CVE-2010-4777]
+- fix lc() uc() tainting [bnc#684799] [CVE-2011-1487]
+- remove [email protected] mail address, it no longer exists
+ [bnc#657625]
+
+-------------------------------------------------------------------
calling whatdependson for 11.2-i586
New:
----
perl-lcuctaint.diff
perl-saverecontext.diff
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ perl.spec ++++++
--- /var/tmp/diff_new_pack.92qCjY/_old 2011-05-06 15:19:59.000000000 +0200
+++ /var/tmp/diff_new_pack.92qCjY/_new 2011-05-06 15:19:59.000000000 +0200
@@ -1,5 +1,5 @@
 #
-# spec file for package perl (Version 5.10.0)
+# spec file for package perl
 #
 # Copyright (c) 2011 SUSE LINUX Products GmbH, Nuernberg, Germany.
 #
@@ -21,7 +21,7 @@
 Name: perl
 Summary: The Perl interpreter
 Version: 5.10.0
-Release: 72.<RELEASE9>
+Release: 72.<RELEASE11>
 License: Artistic License .. ; GPLv2+
 Group: Development/Languages/Perl
 AutoReqProv: on
@@ -53,6 +53,8 @@
 Patch20: perl-tellfix.diff
 Patch21: perl-regexp-memleak.diff
 Patch22: perl-cgi-injection.diff
+Patch23: perl-lcuctaint.diff
+Patch24: perl-saverecontext.diff
 BuildRoot: %{_tmppath}/%{name}-%{version}-build
 PreReq: perl-base = %version
 #PreReq: %fillup_prereq
@@ -170,6 +172,8 @@
 %patch20
 %patch21
 %patch22
+%patch23
+%patch24
 %build
 export SUSE_ASNEEDED=0
++++++ perl-5.10.0.dif ++++++
--- /var/tmp/diff_new_pack.92qCjY/_old 2011-05-06 15:20:00.000000000 +0200
+++ /var/tmp/diff_new_pack.92qCjY/_new 2011-05-06 15:20:00.000000000 +0200
@@ -396,7 +396,7 @@
 +sparc64-linux) glibpth="/lib64 /usr/lib64";;
 +esac
 +
-+cf_email='[email protected]'
++cf_email='none'
 +#libs='-lgdbm -ldb -ldl -lm -lc'
 +#libs='-ldl -lm -lc'
 +
++++++ perl-lcuctaint.diff ++++++
--- ./pp.c.orig 2007-12-18 10:47:08.000000000 +0000
+++ ./pp.c 2011-04-26 14:43:43.000000000 +0000
@@ -3610,6 +3610,8 @@ PP(pp_ucfirst)
 SvCUR_set(dest, need - 1);
 }
 }
+ if (dest != source && SvTAINTED(source))
+ SvTAINT(dest);
 SvSETMAGIC(dest);
 RETURN;
 }
@@ -3713,6 +3715,8 @@ PP(pp_uc)
 SvCUR_set(dest, d - (U8*)SvPVX_const(dest));
 }
 }
+ if (dest != source && SvTAINTED(source))
+ SvTAINT(dest);
 SvSETMAGIC(dest);
 RETURN;
 }
@@ -3829,6 +3833,8 @@ PP(pp_lc)
 SvCUR_set(dest, d - (U8*)SvPVX_const(dest));
 }
 }
+ if (dest != source && SvTAINTED(source))
+ SvTAINT(dest);
 SvSETMAGIC(dest);
 RETURN;
 }
++++++ perl-saverecontext.diff ++++++
--- ./regcomp.c.orig 2011-05-03 12:27:47.000000000 +0000
+++ ./regcomp.c 2011-05-03 12:43:05.000000000 +0000
@@ -9712,8 +9712,26 @@ Perl_save_re_context(pTHX)
 if (gvp) {
 GV * const gv = *gvp;
- if (SvTYPE(gv) == SVt_PVGV && GvSV(gv))
- save_scalar(gv);
+ if (SvTYPE(gv) == SVt_PVGV && GvSV(gv)) {
+ /* this is a copy of save_scalar() without the GETMAGIC call, RT#76538 */
+ SV ** const sptr = &GvSVn(gv);
+ SV * osv = *sptr;
+ SV * nsv = newSV(0);
+ SSCHECK(3);
+ SSPUSHPTR(SvREFCNT_inc_simple(gv));
+ SSPUSHPTR(SvREFCNT_inc(*sptr));
+ SSPUSHINT(SAVEt_SV);
+ if (SvTYPE(osv) >= SVt_PVMG && SvMAGIC(osv) && SvTYPE(osv) != SVt_PVGV) {
+ if (SvGMAGICAL(osv)) {
+ const bool oldtainted = PL_tainted;
+ SvFLAGS(osv) |= (SvFLAGS(osv) &
+ (SVp_IOK|SVp_NOK|SVp_POK)) >> PRIVSHIFT;
+ PL_tainted = oldtainted;
+ }
+ mg_localize(osv, nsv);
+ }
+ *sptr = nsv;
+ }
 }
 }
 }
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Remember to have fun...
--
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
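Review bot: The taint check added before `SvSETMAGIC(dest)` in pp_ucfirst, and repeated verbatim in the pp_uc and pp_lc hunks, arrives with no regression test: perl-lcuctaint.diff as shown touches only pp.c. Taint propagation is the security boundary CVE-2011-1487 is about, so a case in the tree's taint tests asserting that the case-changing ops return a tainted value for tainted input would keep it from silently regressing. The `dest != source` guard also deserves a one-line comment at each site, e.g. `/* in-place case needs nothing: source keeps its own taint */`. One thing to confirm: SvTAINT, as I recall the macro, only marks the SV when PL_tainted is already set, so the fix presumably relies on get-magic having run on source earlier in each function; that code is above these hunks and not visible here.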
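Review bot: The block added to Perl_save_re_context in regcomp.c hand-writes the save-stack record (`SSCHECK(3)`, two `SSPUSHPTR` calls, `SSPUSHINT(SAVEt_SV)`) as a copy of save_scalar(), so any later change to save_scalar() or to the SAVEt_SV layout will leave this copy behind without a compile error. A shared helper with a skip-get-magic option would be safer than a duplicate. Failing that, the comment should state why get-magic must not run here rather than only that it was removed, e.g. `/* copy of save_scalar() without SvGETMAGIC: running get-magic on the capture variables here crashed in reg_numbered_buff_fetch, RT#76538 */` (wording inferred from the changelog entry). Within the visible lines the `oldtainted` save/restore brackets only a flag update on `osv` and so looks vestigial; either drop it or note that it is kept to mirror the original, and `SvREFCNT_inc(*sptr)` can use the already-loaded `osv`. The function body starts above the hunk, so callers and the loop around this block are not visible.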
