openpkg
/
openpkg-packages
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
8000 Commits
1 Branch
2 Tags
596 MiB
Tree: 322cd9f6db
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '322cd9f6db'
${ noResults }
openpkg-packages/perl/perl.patch

179 lines
6.2 KiB
Raw Normal View History Unescape

include security bugfix for Safe.pm
23 years ago
"A security hole has been discovered in Safe.pm. When a Safe compartment
has already been used, there's no guarantee that it's safe any longer,
because there's a way for code executed within the Safe compartment to
alter its operation mask. (Thus, programs that use a Safe compartment
only once aren't affected by this bug.)"
--- ext/Opcode/Safe.pm.orig
+++ ext/Opcode/Safe.pm
@@ -213,7 +213,7 @@
# Create anon sub ref in root of compartment.
# Uses a closure (on $expr) to pass in the code to be executed.
# (eval on one line to keep line numbers as expected by caller)
- my $evalcode = sprintf('package %s; sub { eval $expr; }', $root);
+ my $evalcode = sprintf('package %s; sub { @_ = (); eval $expr; }', $root);
my $evalsub;
if ($strict) { use strict; $evalsub = eval $evalcode; }
@@ -227,7 +227,7 @@
my $root = $obj->{Root};
my $evalsub = eval
- sprintf('package %s; sub { do $file }', $root);
+ sprintf('package %s; sub { @_ = (); do $file }', $root);
return Opcode::_safe_call_sv($root, $obj->{Mask}, $evalsub);
}
1. By default, the Perl module search order is "use lib, -I, PERL[5]LIB, perl, site, vendor, other". This means that in OpenPKG both the modules installed via CPAN shell (in "site" area) and the "perl-xxx" packages (in "vendor" area) cannot override the (sometimes obsoleted) module versions distributed with Perl (in "perl" area). Hence, we change the search order to a more reasonable one for OpenPKG: "use lib, -I, PERL[5]LIB, site, vendor, perl, other". 2. Already activate "vendor" area, althouh it is still unused in OpenPKG. It will be soon used by the "perl-xxx" packages to make "site" area available for manual (think CPAN shell) module installations.
23 years ago
-----------------------------------------------------------------------------
By default, the Perl module search order is "use lib, -I, PERL[5]LIB,
perl, site, vendor, other". This means that in OpenPKG both the modules
installed via CPAN shell (in "site" area) and the "perl-xxx" packages
(in "vendor" area) cannot override the (sometimes obsoleted) module
versions distributed with Perl (in "perl" area). Hence, we change
the search order to a more reasonable one for OpenPKG: "use lib, -I,
PERL[5]LIB, site, vendor, perl, other".
--- perl.c.orig 2002-07-09 21:41:43.000000000 +0200
+++ perl.c 2003-09-03 14:08:25.000000000 +0200
@@ -3679,39 +3679,6 @@
incpush(APPLLIB_EXP, TRUE, TRUE);
#endif
-#ifdef ARCHLIB_EXP
- incpush(ARCHLIB_EXP, FALSE, FALSE);
-#endif
-#ifdef MACOS_TRADITIONAL
- {
- Stat_t tmpstatbuf;
- SV * privdir = NEWSV(55, 0);
- char * macperl = PerlEnv_getenv("MACPERL");
-
- if (!macperl)
- macperl = "";
-
- Perl_sv_setpvf(aTHX_ privdir, "%slib:", macperl);
- if (PerlLIO_stat(SvPVX(privdir), &tmpstatbuf) >= 0 && S_ISDIR(tmpstatbuf.st_mode))
- incpush(SvPVX(privdir), TRUE, FALSE);
- Perl_sv_setpvf(aTHX_ privdir, "%ssite_perl:", macperl);
- if (PerlLIO_stat(SvPVX(privdir), &tmpstatbuf) >= 0 && S_ISDIR(tmpstatbuf.st_mode))
- incpush(SvPVX(privdir), TRUE, FALSE);
-
- SvREFCNT_dec(privdir);
- }
- if (!PL_tainting)
- incpush(":", FALSE, FALSE);
-#else
-#ifndef PRIVLIB_EXP
-# define PRIVLIB_EXP "/usr/local/lib/perl5:/usr/local/lib/perl"
-#endif
-#if defined(WIN32)
- incpush(PRIVLIB_EXP, TRUE, FALSE);
-#else
- incpush(PRIVLIB_EXP, FALSE, FALSE);
-#endif
-
#ifdef SITEARCH_EXP
/* sitearch is always relative to sitelib on Windows for
* DLL-based path intuition to work correctly */
@@ -3752,6 +3719,39 @@
incpush(PERL_VENDORLIB_STEM, FALSE, TRUE);
#endif
+#ifdef ARCHLIB_EXP
+ incpush(ARCHLIB_EXP, FALSE, FALSE);
+#endif
+#ifdef MACOS_TRADITIONAL
+ {
+ Stat_t tmpstatbuf;
+ SV * privdir = NEWSV(55, 0);
+ char * macperl = PerlEnv_getenv("MACPERL");
+
+ if (!macperl)
+ macperl = "";
+
+ Perl_sv_setpvf(aTHX_ privdir, "%slib:", macperl);
+ if (PerlLIO_stat(SvPVX(privdir), &tmpstatbuf) >= 0 && S_ISDIR(tmpstatbuf.st_mode))
+ incpush(SvPVX(privdir), TRUE, FALSE);
+ Perl_sv_setpvf(aTHX_ privdir, "%ssite_perl:", macperl);
+ if (PerlLIO_stat(SvPVX(privdir), &tmpstatbuf) >= 0 && S_ISDIR(tmpstatbuf.st_mode))
+ incpush(SvPVX(privdir), TRUE, FALSE);
+
+ SvREFCNT_dec(privdir);
+ }
+ if (!PL_tainting)
+ incpush(":", FALSE, FALSE);
+#else
+#ifndef PRIVLIB_EXP
+# define PRIVLIB_EXP "/usr/local/lib/perl5:/usr/local/lib/perl"
+#endif
+#if defined(WIN32)
+ incpush(PRIVLIB_EXP, TRUE, FALSE);
+#else
+ incpush(PRIVLIB_EXP, FALSE, FALSE);
+#endif
+
#ifdef PERL_OTHERLIBDIRS
incpush(PERL_OTHERLIBDIRS, TRUE, TRUE);
#endif
-----------------------------------------------------------------------------
By default, the "vendor" area is not used, so Perl's installation
procedure forgot to create its top-level paths, too. In OpenPKG we use
the "vendor" area, so make sure it is created the same way the "site"
area is.
--- installperl.orig 2002-07-16 20:57:32.000000000 +0200
+++ installperl 2003-09-03 14:27:11.000000000 +0200
@@ -174,6 +174,8 @@
my $installarchlib = $Config{installarchlib};
my $installsitelib = $Config{installsitelib};
my $installsitearch = $Config{installsitearch};
+my $installvendorlib = $Config{installvendorlib};
+my $installvendorarch = $Config{installvendorarch};
my $installman1dir = $Config{installman1dir};
my $man1ext = $Config{man1ext};
my $libperl = $Config{libperl};
@@ -336,6 +338,8 @@
mkpath($installarchlib, $verbose, 0777);
mkpath($installsitelib, $verbose, 0777) if ($installsitelib);
mkpath($installsitearch, $verbose, 0777) if ($installsitearch);
+mkpath($installvendorlib, $verbose, 0777) if ($installvendorlib);
+mkpath($installvendorarch, $verbose, 0777) if ($installvendorarch);
if (chdir "lib") {
$do_installarchlib = ! samepath($installarchlib, '.');
SA-2003.039-perl; CAN-2003-0615
23 years ago
-----------------------------------------------------------------------------
http://stein.cshl.org/WWW/software/CGI/
under "Revision History" find "Fixed cross-site scripting bug
reported by obscure" note attached to Version 2.94. A quick fix was
introduced in 2.94. It was replaced by a more careful patch in 2.99.
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0615
Cross-site scripting (XSS) vulnerability in start_form() of CGI.pm
allows remote attackers to insert web script via a URL that is fed
into the form's action parameter
This is a backport of the 2.99 patch for 2.81 which is the version
embedded with perl 5.8.0
--- lib/CGI.pm.orig 2003-09-15 14:09:34.000000000 +0200
+++ lib/CGI.pm 2003-09-15 14:16:26.000000000 +0200
@@ -1533,8 +1533,11 @@
$enctype = $enctype || &URL_ENCODED;
unless (defined $action) {
$action = $self->url(-absolute=>1,-path=>1);
- $action .= "?$ENV{QUERY_STRING}" if $ENV{QUERY_STRING};
+ if (length($ENV{QUERY_STRING})>0) {
+ $action .= "?".$self->escapeHTML($ENV{QUERY_STRING},1);
+ }
}
+ $action = escape($action);
$action = qq(action="$action");
my($other) = @other ? " @other" : '';
$self->{'.parametersToAdd'}={};