From 1a2f3f14943b509268ac90bac5683cc9a5ff23a2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <[email protected]>
Date: Thu, 1 Jun 2017 13:54:14 +0200
Subject: 2.13 bump
---
 .gitignore | 1 +
 ...-2.12-Prevent-directory-chmod-race-attack.patch | 165 ---------------------
 perl-File-Path.spec | 24 ++-
 sources | 2 +-
 4 files changed, 13 insertions(+), 179 deletions(-)
 delete mode 100644 File-Path-2.12-Prevent-directory-chmod-race-attack.patch
diff --git a/.gitignore b/.gitignore
index fbfff58..f0afd0d 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,3 +1,4 @@
 /File-Path-2.09.tar.gz
 /File-Path-2.11.tar.gz
 /File-Path-2.12.tar.gz
+/File-Path-2.13.tar.gz
diff --git a/File-Path-2.12-Prevent-directory-chmod-race-attack.patch b/File-Path-2.12-Prevent-directory-chmod-race-attack.patch
deleted file mode 100644
index a280818..0000000
--- a/File-Path-2.12-Prevent-directory-chmod-race-attack.patch
+++ /dev/null
@@ -1,165 +0,0 @@
-From e9cc25a6109e9191bcbf59a967ed6c60b0156f72 Mon Sep 17 00:00:00 2001
-From: John Lightsey <[email protected]>
-Date: Tue, 2 May 2017 12:03:52 -0500
-Subject: [PATCH] Prevent directory chmod race attack.
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-CVE-2017-6512 is a race condition attack where the chmod() of directories
-that cannot be entered is misused to change the permissions on other
-files or directories on the system. This has been corrected by limiting
-the directory-permission loosening logic to systems where fchmod() is
-supported.
-
-Petr Písař: Ported to 2.12.
-
-Signed-off-by: Petr Písař <[email protected]>
----
- lib/File/Path.pm | 39 +++++++++++++++++++++++++--------------
- t/Path.t | 40 ++++++++++++++++++++++++++--------------
- 2 files changed, 51 insertions(+), 28 deletions(-)
-
-diff --git a/lib/File/Path.pm b/lib/File/Path.pm
-index 36f12cc..871f43a 100644
---- a/lib/File/Path.pm
-+++ b/lib/File/Path.pm
-@@ -354,21 +354,32 @@ sub _rmtree {
-
- # see if we can escalate privileges to get in
- # (e.g. funny protection mask such as -w- instead of rwx)
-- $perm &= oct '7777';
-- my $nperm = $perm | oct '700';
-- if (
-- !(
-- $arg->{safe}
-- or $nperm == $perm
-- or chmod( $nperm, $root )
-- )
-- )
-- {
-- _error( $arg,
-- "cannot make child directory read-write-exec", $canon );
-- next ROOT_DIR;
-+ # This uses fchmod to avoid traversing outside of the proper
-+ # location (CVE-2017-6512)
-+ my $root_fh;
-+ if (open($root_fh, '<', $root)) {
-+ my ($fh_dev, $fh_inode) = (stat $root_fh )[0,1];
-+ $perm &= oct '7777';
-+ my $nperm = $perm | oct '700';
-+ local $@;
-+ if (
-+ !(
-+ $arg->{safe}
-+ or $nperm == $perm
-+ or !-d _
-+ or $fh_dev ne $ldev
-+ or $fh_inode ne $lino
-+ or eval { chmod( $nperm, $root_fh ) }
-+ )
-+ )
-+ {
-+ _error( $arg,
-+ "cannot make child directory read-write-exec", $canon );
-+ next ROOT_DIR;
-+ }
-+ close $root_fh;
- }
-- elsif ( !chdir($root) ) {
-+ if ( !chdir($root) ) {
- _error( $arg, "cannot chdir to child", $canon );
- next ROOT_DIR;
- }
-diff --git a/t/Path.t b/t/Path.t
-index 5644f57..fffc49c 100755
---- a/t/Path.t
-+++ b/t/Path.t
-@@ -3,7 +3,7 @@
-
- use strict;
-
--use Test::More tests => 127;
-+use Test::More tests => 126;
- use Config;
- use Fcntl ':mode';
- use lib 't/';
-@@ -17,6 +17,13 @@ BEGIN {
-
- my $Is_VMS = $^O eq 'VMS';
-
-+my $fchmod_supported = 0;
-+if (open my $fh, curdir()) {
-+ my ($perm) = (stat($fh))[2];
-+ $perm &= 07777;
-+ eval { $fchmod_supported = chmod( $perm, $fh); };
-+}
-+
- # first check for stupid permissions second for full, so we clean up
- # behind ourselves
- for my $perm (0111,0777) {
-@@ -298,16 +305,19 @@ is($created[0], $dir, "created directory (old style 3 mode undef) cross-check");
-
- is(rmtree($dir, 0, undef), 1, "removed directory 3 verbose undef");
-
--$dir = catdir($tmp_base,'G');
--$dir = VMS::Filespec::unixify($dir) if $Is_VMS;
-+SKIP: {
-+ skip "fchmod of directories not supported on this platform", 3 unless $fchmod_supported;
-+ $dir = catdir($tmp_base,'G');
-+ $dir = VMS::Filespec::unixify($dir) if $Is_VMS;
-
--@created = mkpath($dir, undef, 0200);
-+ @created = mkpath($dir, undef, 0400);
-
--is(scalar(@created), 1, "created write-only dir");
-+ is(scalar(@created), 1, "created read-only dir");
-
--is($created[0], $dir, "created write-only directory cross-check");
-+ is($created[0], $dir, "created read-only directory cross-check");
-
--is(rmtree($dir), 1, "removed write-only dir");
-+ is(rmtree($dir), 1, "removed read-only dir");
-+}
-
- # borderline new-style heuristics
- if (chdir $tmp_base) {
-@@ -449,26 +459,28 @@ SKIP: {
- }
-
- SKIP : {
-- my $skip_count = 19;
-+ my $skip_count = 18;
- # this test will fail on Windows, as per:
- # http://perldoc.perl.org/perlport.html#chmod
-
- skip "Windows chmod test skipped", $skip_count
- if $^O eq 'MSWin32';
-+ skip "fchmod() on directories is not supported on this platform", $skip_count
-+ unless $fchmod_supported;
- my $mode;
- my $octal_mode;
- my @inputs = (
-- 0777, 0700, 0070, 0007,
-- 0333, 0300, 0030, 0003,
-- 0111, 0100, 0010, 0001,
-- 0731, 0713, 0317, 0371, 0173, 0137,
-- 00 );
-+ 0777, 0700, 0470, 0407,
-+ 0433, 0400, 0430, 0403,
-+ 0111, 0100, 0110, 0101,
-+ 0731, 0713, 0317, 0371,
-+ 0173, 0137);
- my $input;
- my $octal_input;
-- $dir = catdir($tmp_base, 'chmod_test');
-
- foreach (@inputs) {
- $input = $_;
-+ $dir = catdir($tmp_base, sprintf("chmod_test%04o", $input));
- # We can skip from here because 0 is last in the list.
- skip "Mode of 0 means assume user defaults on VMS", 1
- if ($input == 0 && $Is_VMS);
---
-2.9.4
-
diff --git a/perl-File-Path.spec b/perl-File-Path.spec
index 0932173..965f0b4 100644
--- a/perl-File-Path.spec
+++ b/perl-File-Path.spec
@@ -1,23 +1,18 @@
 Name: perl-File-Path
-Version: 2.12
-Release: 393%{?dist}
+Version: 2.13
+Release: 1%{?dist}
 Summary: Create or remove directory trees
 License: GPL+ or Artistic
-Group: Development/Libraries
 URL: http://search.cpan.org/dist/File-Path/
-Source0: http://www.cpan.org/authors/id/R/RI/RICHE/File-Path-%{version}.tar.gz
-# Fix CVE-2017-6512 (setting arbitrary mode on an arbitrary file in rmtree()
-# and remove_tree()), bug #1457834, CPAN RT#121951, in upstream 2.13
-Patch0: File-Path-2.12-Prevent-directory-chmod-race-attack.patch
+Source0: http://www.cpan.org/authors/id/J/JK/JKEENAN/File-Path-%{version}.tar.gz
 BuildArch: noarch
 BuildRequires: coreutils
 BuildRequires: findutils
 BuildRequires: make
 BuildRequires: perl
 BuildRequires: perl-generators
-BuildRequires: perl(ExtUtils::MakeMaker)
+BuildRequires: perl(ExtUtils::MakeMaker) >= 6.76
 BuildRequires: perl(strict)
-# ExtUtils::MakeMaker::Coverage not used
 # Run-time:
 BuildRequires: perl(Carp)
 BuildRequires: perl(Cwd)
@@ -29,11 +24,13 @@ BuildRequires: perl(vars)
 # Tests:
 BuildRequires: perl(base)
 BuildRequires: perl(Config)
+BuildRequires: perl(Errno)
 BuildRequires: perl(Fcntl)
 BuildRequires: perl(File::Spec::Functions)
 BuildRequires: perl(lib)
 BuildRequires: perl(SelectSaver)
-BuildRequires: perl(Test::More)
+# Test::More version from Test::Simple in META
+BuildRequires: perl(Test::More) >= 0.44
 BuildRequires: perl(warnings)
 Requires: perl(:MODULE_COMPAT_%(eval "`perl -V:version`"; echo $version))
 Requires: perl(Carp)
@@ -44,15 +41,13 @@ depth and to delete an entire directory subtree from the file system.
 %prep
 %setup -q -n File-Path-%{version}
-%patch0 -p1
 %build
-perl Makefile.PL INSTALLDIRS=vendor
+perl Makefile.PL INSTALLDIRS=vendor NO_PACKLIST=1
 make %{?_smp_mflags}
 %install
 make pure_install DESTDIR=$RPM_BUILD_ROOT
-find $RPM_BUILD_ROOT -type f -name .packlist -exec rm -f {} \;
 %{_fixperms} $RPM_BUILD_ROOT/*
 %check
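Review bot: Removing `Patch0` in the first spec hunk also removes the only text that ties this package to CVE-2017-6512, and the new `%changelog` entry (in the last spec hunk) reads just `- 2.13 bump`. The dropped comment says the fix is "in upstream 2.13", so I would carry that forward, for example `- 2.13 bump (CVE-2017-6512 fix is included upstream, Patch0 dropped)`, so that a later audit of the package history can still find when and why the downstream patch went away. Separately, `Source0` now points at a different CPAN author directory (RICHE to JKEENAN) over plain `http://`; the integrity of the new tarball therefore rests on the SHA512 entry in `sources`, which is worth checking against a checksum published by upstream rather than one computed from the same download.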
@@ -64,6 +59,9 @@ make test
 %{_mandir}/man3/*
 %changelog
+* Mon Jun 05 2017 Petr Pisar <[email protected]> - 2.13-1
+- 2.13 bump
+
 * Sat Jun 03 2017 Jitka Plesnikova <[email protected]> - 2.12-393
 - Perl 5.26 rebuild
diff --git a/sources b/sources
index bb90422..11cb791 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-75e983ccb2523bd16af93582de10443c File-Path-2.12.tar.gz
+SHA512 (File-Path-2.13.tar.gz) = 9684737947bd46a3a4a1bd5f04b712d69cb08c3c6a2801c1017d2a796946162d8121bc614408cbdbb4749d2cdacfd5279ee4db11797e3053efef1d1ec7012562
--
cgit v1.1
https://src.fedoraproject.org/cgit/perl-File-Path.git/commit/?h=master&id=1a2f3f14943b509268ac90bac5683cc9a5ff23a2
_______________________________________________
perl-devel mailing list -- [email protected]
To unsubscribe send an email to [email protected]
