From b4ba8eabfbba43d2bde622920fb179d7226145fd Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <[email protected]>
Date: Mon, 5 Sep 2016 13:14:12 +0200
Subject: 0.35 bump
---
 .gitignore | 1 +
 ...-1238-avoid-loading-optional-modules-from.patch | 34 ----------------------
 perl-Sys-Syslog.spec | 11 +++----
 sources | 2 +-
 4 files changed, 8 insertions(+), 40 deletions(-)
 delete mode 100644 Sys-Syslog-0.34-CVE-2016-1238-avoid-loading-optional-modules-from.patch
diff --git a/.gitignore b/.gitignore
index ae05514..bb0bf2a 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,3 +1,4 @@
 /Sys-Syslog-0.32.tar.gz
 /Sys-Syslog-0.33.tar.gz
 /Sys-Syslog-0.34.tar.gz
+/Sys-Syslog-0.35.tar.gz
diff --git a/Sys-Syslog-0.34-CVE-2016-1238-avoid-loading-optional-modules-from.patch b/Sys-Syslog-0.34-CVE-2016-1238-avoid-loading-optional-modules-from.patch
deleted file mode 100644
index d352d2a..0000000
--- a/Sys-Syslog-0.34-CVE-2016-1238-avoid-loading-optional-modules-from.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-From 15488839b5e8141d120db913c22fdbada9597b93 Mon Sep 17 00:00:00 2001
-From: Tony Cook <[email protected]>
-Date: Thu, 28 Jul 2016 13:34:55 +1000
-Subject: [PATCH] CVE-2016-1238: avoid loading optional modules from default .
-
-Sys::Syslog treats two modules as optional, attemptting to load them
-and not requiring them (Win32 only.)
-
-If a user runs a program using Sys::Syslog in a world writable
-directory (like %windir%\Temp) a local attacker can create
-Win32\EventLog.pm in that directory to run code as the running user.
-
-This patch temporarily removes the default . from @INC to prevent
-that attack.
----
- Syslog.pm | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/Syslog.pm b/Syslog.pm
-index 7978f04..06169a8 100644
---- a/Syslog.pm
-+++ b/Syslog.pm
-@@ -918,6 +918,8 @@ sub silent_eval (&) {
- sub can_load {
- my ($module, $verbose) = @_;
- local($SIG{__DIE__}, $SIG{__WARN__}, $@);
-+ local @INC = @INC;
-+ pop @INC if $INC[-1] eq '.';
- my $loaded = eval "use $module; 1";
- warn $@ if not $loaded and $verbose;
- return $loaded
---
-2.1.4
-
diff --git a/perl-Sys-Syslog.spec b/perl-Sys-Syslog.spec
index e0ccaa7..d8029bc 100644
--- a/perl-Sys-Syslog.spec
+++ b/perl-Sys-Syslog.spec
@@ -1,6 +1,6 @@
 Name: perl-Sys-Syslog
-Version: 0.34
-Release: 4%{?dist}
+Version: 0.35
+Release: 1%{?dist}
 Summary: Perl interface to the UNIX syslog(3) calls
 # README: GPL+ or Artistic
 # ppport.h: GPL+ or Artistic
@@ -11,8 +11,6 @@ License: GPL+ or Artistic
 Group: Development/Libraries
 URL: http://search.cpan.org/dist/Sys-Syslog/
 Source0: http://www.cpan.org/authors/id/S/SA/SAPER/Sys-Syslog-%{version}.tar.gz
-# Avoid loading optional modules from default . (CVE-2016-1238)
-Patch0: Sys-Syslog-0.34-CVE-2016-1238-avoid-loading-optional-modules-from.patch
 BuildRequires: coreutils
 BuildRequires: findutils
 BuildRequires: gcc
@@ -42,6 +40,7 @@ BuildRequires: perl(warnings::register)
 BuildRequires: perl(XSLoader)
 # DynaLoader not used
 # Tests:
+BuildRequires: perl(FileHandle)
 BuildRequires: perl(Data::Dumper)
 BuildRequires: perl(Test::More)
 # Optional tests:
@@ -67,7 +66,6 @@ a string priority and a list of printf() arguments just like at syslog(3).
 %prep
 %setup -q -n Sys-Syslog-%{version}
-%patch0 -p1
 chmod -x eg/*
 # Inhibit bundled syslog.h
@@ -100,6 +98,9 @@ make test
 %{_mandir}/man3/*
 %changelog
+* Mon Sep 05 2016 Petr Pisar <[email protected]> - 0.35-1
+- 0.35 bump
+
 * Wed Aug 03 2016 Jitka Plesnikova <[email protected]> - 0.34-4
 - Avoid loading optional modules from default . (CVE-2016-1238)
diff --git a/sources b/sources
index ee9b323..b66f7ea 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-4aa75cf62ff697262105042f7b5f6c70 Sys-Syslog-0.34.tar.gz
+59dfb279f78a5ff587ba2ee8989b13e8 Sys-Syslog-0.35.tar.gz
-- cgit v0.12 http://pkgs.fedoraproject.org/cgit/perl-Sys-Syslog.git/commit/?h=master&id=b4ba8eabfbba43d2bde622920fb179d7226145fd -- Fedora Extras Perl SIG http://www.fedoraproject.org/wiki/Extras/SIGs/Perl perl-devel mailing list [email protected] https://lists.fedoraproject.org/admin/lists/[email protected]
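Review bot: The new `%changelog` entry in perl-Sys-Syslog.spec says only `- 0.35 bump`, while the hunks at `@@ -11,8 +11,6 @@` and `@@ -67,7 +66,6 @@` remove `Patch0` and `%patch0 -p1`, the downstream fix for CVE-2016-1238. Nothing in the commit records why the security patch is no longer needed; presumably 0.35 carries the fix upstream, but that is not visible here. I would add a second changelog line such as `- Drop CVE-2016-1238 patch (merged upstream)` once that is confirmed. The confirmation is to check that `can_load` in the 0.35 tarball still removes a trailing `.` from `@INC` before its `eval "use $module; 1"`, so the package does not silently go back to loading optional modules from the current directory.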
