|
|
@@ -1,29 +1,30 @@
|
|
|
-"A security hole has been discovered in Safe.pm. When a Safe compartment
|
|
|
-has already been used, there's no guarantee that it's safe any longer,
|
|
|
-because there's a way for code executed within the Safe compartment to
|
|
|
-alter its operation mask. (Thus, programs that use a Safe compartment
|
|
|
-only once aren't affected by this bug.)"
|
|
|
+By default, the "vendor" area is not used, so Perl's installation
|
|
|
+procedure forgot to create its top-level paths, too. In OpenPKG we use
|
|
|
+the "vendor" area, so make sure it is created the same way the "site"
|
|
|
+area is.
|
|
|
|
|
|
---- ext/Opcode/Safe.pm.orig
|
|
|
-+++ ext/Opcode/Safe.pm
|
|
|
-@@ -213,7 +213,7 @@
|
|
|
- # Create anon sub ref in root of compartment.
|
|
|
- # Uses a closure (on $expr) to pass in the code to be executed.
|
|
|
- # (eval on one line to keep line numbers as expected by caller)
|
|
|
-- my $evalcode = sprintf('package %s; sub { eval $expr; }', $root);
|
|
|
-+ my $evalcode = sprintf('package %s; sub { @_ = (); eval $expr; }', $root);
|
|
|
- my $evalsub;
|
|
|
-
|
|
|
- if ($strict) { use strict; $evalsub = eval $evalcode; }
|
|
|
-@@ -227,7 +227,7 @@
|
|
|
- my $root = $obj->{Root};
|
|
|
-
|
|
|
- my $evalsub = eval
|
|
|
-- sprintf('package %s; sub { do $file }', $root);
|
|
|
-+ sprintf('package %s; sub { @_ = (); do $file }', $root);
|
|
|
- return Opcode::_safe_call_sv($root, $obj->{Mask}, $evalsub);
|
|
|
- }
|
|
|
+Index: installperl
|
|
|
+--- installperl.orig 2003-09-02 15:40:21.000000000 +0200
|
|
|
++++ installperl 2003-09-26 09:23:15.000000000 +0200
|
|
|
+@@ -188,6 +188,8 @@
|
|
|
+ my $installarchlib = "$destdir$Config{installarchlib}";
|
|
|
+ my $installsitelib = "$destdir$Config{installsitelib}";
|
|
|
+ my $installsitearch = "$destdir$Config{installsitearch}";
|
|
|
++my $installvendorlib = "$destdir$Config{installvendorlib}";
|
|
|
++my $installvendorarch = "$destdir$Config{installvendorarch}";
|
|
|
+ my $installman1dir = "$destdir$Config{installman1dir}";
|
|
|
+ my $man1ext = $Config{man1ext};
|
|
|
+ my $libperl = $Config{libperl};
|
|
|
+@@ -378,6 +380,8 @@
|
|
|
+ mkpath($installarchlib, $verbose, 0777);
|
|
|
+ mkpath($installsitelib, $verbose, 0777) if ($installsitelib);
|
|
|
+ mkpath($installsitearch, $verbose, 0777) if ($installsitearch);
|
|
|
++mkpath($installvendorlib, $verbose, 0777) if ($installvendorlib);
|
|
|
++mkpath($installvendorarch, $verbose, 0777) if ($installvendorarch);
|
|
|
|
|
|
+ if (chdir "lib") {
|
|
|
+ $do_installarchlib = ! samepath($installarchlib, '.');
|
|
|
+
|
|
|
-----------------------------------------------------------------------------
|
|
|
|
|
|
By default, the Perl module search order is "use lib, -I, PERL[5]LIB,
|
|
|
@@ -34,14 +35,15 @@ versions distributed with Perl (in "perl" area). Hence, we change
|
|
|
the search order to a more reasonable one for OpenPKG: "use lib, -I,
|
|
|
PERL[5]LIB, site, vendor, perl, other".
|
|
|
|
|
|
---- perl.c.orig 2002-07-09 21:41:43.000000000 +0200
|
|
|
-+++ perl.c 2003-09-03 14:08:25.000000000 +0200
|
|
|
-@@ -3679,39 +3679,6 @@
|
|
|
- incpush(APPLLIB_EXP, TRUE, TRUE);
|
|
|
+Index: perl.c
|
|
|
+--- perl.c.orig 2003-09-11 23:42:33.000000000 +0200
|
|
|
++++ perl.c 2003-09-26 09:25:11.000000000 +0200
|
|
|
+@@ -3949,39 +3949,6 @@
|
|
|
+ incpush(APPLLIB_EXP, TRUE, TRUE, TRUE);
|
|
|
#endif
|
|
|
|
|
|
-#ifdef ARCHLIB_EXP
|
|
|
-- incpush(ARCHLIB_EXP, FALSE, FALSE);
|
|
|
+- incpush(ARCHLIB_EXP, FALSE, FALSE, TRUE);
|
|
|
-#endif
|
|
|
-#ifdef MACOS_TRADITIONAL
|
|
|
- {
|
|
|
@@ -54,34 +56,34 @@ PERL[5]LIB, site, vendor, perl, other".
|
|
|
-
|
|
|
- Perl_sv_setpvf(aTHX_ privdir, "%slib:", macperl);
|
|
|
- if (PerlLIO_stat(SvPVX(privdir), &tmpstatbuf) >= 0 && S_ISDIR(tmpstatbuf.st_mode))
|
|
|
-- incpush(SvPVX(privdir), TRUE, FALSE);
|
|
|
+- incpush(SvPVX(privdir), TRUE, FALSE, TRUE);
|
|
|
- Perl_sv_setpvf(aTHX_ privdir, "%ssite_perl:", macperl);
|
|
|
- if (PerlLIO_stat(SvPVX(privdir), &tmpstatbuf) >= 0 && S_ISDIR(tmpstatbuf.st_mode))
|
|
|
-- incpush(SvPVX(privdir), TRUE, FALSE);
|
|
|
+- incpush(SvPVX(privdir), TRUE, FALSE, TRUE);
|
|
|
-
|
|
|
- SvREFCNT_dec(privdir);
|
|
|
- }
|
|
|
- if (!PL_tainting)
|
|
|
-- incpush(":", FALSE, FALSE);
|
|
|
+- incpush(":", FALSE, FALSE, TRUE);
|
|
|
-#else
|
|
|
-#ifndef PRIVLIB_EXP
|
|
|
-# define PRIVLIB_EXP "/usr/local/lib/perl5:/usr/local/lib/perl"
|
|
|
-#endif
|
|
|
-#if defined(WIN32)
|
|
|
-- incpush(PRIVLIB_EXP, TRUE, FALSE);
|
|
|
+- incpush(PRIVLIB_EXP, TRUE, FALSE, TRUE);
|
|
|
-#else
|
|
|
-- incpush(PRIVLIB_EXP, FALSE, FALSE);
|
|
|
+- incpush(PRIVLIB_EXP, FALSE, FALSE, TRUE);
|
|
|
-#endif
|
|
|
-
|
|
|
#ifdef SITEARCH_EXP
|
|
|
/* sitearch is always relative to sitelib on Windows for
|
|
|
* DLL-based path intuition to work correctly */
|
|
|
-@@ -3752,6 +3719,39 @@
|
|
|
- incpush(PERL_VENDORLIB_STEM, FALSE, TRUE);
|
|
|
+@@ -4023,6 +3990,39 @@
|
|
|
+ incpush(PERL_VENDORLIB_STEM, FALSE, TRUE, TRUE);
|
|
|
#endif
|
|
|
|
|
|
+#ifdef ARCHLIB_EXP
|
|
|
-+ incpush(ARCHLIB_EXP, FALSE, FALSE);
|
|
|
++ incpush(ARCHLIB_EXP, FALSE, FALSE, TRUE);
|
|
|
+#endif
|
|
|
+#ifdef MACOS_TRADITIONAL
|
|
|
+ {
|
|
|
@@ -94,85 +96,25 @@ PERL[5]LIB, site, vendor, perl, other".
|
|
|
+
|
|
|
+ Perl_sv_setpvf(aTHX_ privdir, "%slib:", macperl);
|
|
|
+ if (PerlLIO_stat(SvPVX(privdir), &tmpstatbuf) >= 0 && S_ISDIR(tmpstatbuf.st_mode))
|
|
|
-+ incpush(SvPVX(privdir), TRUE, FALSE);
|
|
|
++ incpush(SvPVX(privdir), TRUE, FALSE, TRUE);
|
|
|
+ Perl_sv_setpvf(aTHX_ privdir, "%ssite_perl:", macperl);
|
|
|
+ if (PerlLIO_stat(SvPVX(privdir), &tmpstatbuf) >= 0 && S_ISDIR(tmpstatbuf.st_mode))
|
|
|
-+ incpush(SvPVX(privdir), TRUE, FALSE);
|
|
|
++ incpush(SvPVX(privdir), TRUE, FALSE, TRUE);
|
|
|
+
|
|
|
+ SvREFCNT_dec(privdir);
|
|
|
+ }
|
|
|
+ if (!PL_tainting)
|
|
|
-+ incpush(":", FALSE, FALSE);
|
|
|
++ incpush(":", FALSE, FALSE, TRUE);
|
|
|
+#else
|
|
|
+#ifndef PRIVLIB_EXP
|
|
|
+# define PRIVLIB_EXP "/usr/local/lib/perl5:/usr/local/lib/perl"
|
|
|
+#endif
|
|
|
+#if defined(WIN32)
|
|
|
-+ incpush(PRIVLIB_EXP, TRUE, FALSE);
|
|
|
++ incpush(PRIVLIB_EXP, TRUE, FALSE, TRUE);
|
|
|
+#else
|
|
|
-+ incpush(PRIVLIB_EXP, FALSE, FALSE);
|
|
|
++ incpush(PRIVLIB_EXP, FALSE, FALSE, TRUE);
|
|
|
+#endif
|
|
|
+
|
|
|
#ifdef PERL_OTHERLIBDIRS
|
|
|
- incpush(PERL_OTHERLIBDIRS, TRUE, TRUE);
|
|
|
+ incpush(PERL_OTHERLIBDIRS, TRUE, TRUE, TRUE);
|
|
|
#endif
|
|
|
-
|
|
|
------------------------------------------------------------------------------
|
|
|
-
|
|
|
-By default, the "vendor" area is not used, so Perl's installation
|
|
|
-procedure forgot to create its top-level paths, too. In OpenPKG we use
|
|
|
-the "vendor" area, so make sure it is created the same way the "site"
|
|
|
-area is.
|
|
|
-
|
|
|
---- installperl.orig 2002-07-16 20:57:32.000000000 +0200
|
|
|
-+++ installperl 2003-09-03 14:27:11.000000000 +0200
|
|
|
-@@ -174,6 +174,8 @@
|
|
|
- my $installarchlib = $Config{installarchlib};
|
|
|
- my $installsitelib = $Config{installsitelib};
|
|
|
- my $installsitearch = $Config{installsitearch};
|
|
|
-+my $installvendorlib = $Config{installvendorlib};
|
|
|
-+my $installvendorarch = $Config{installvendorarch};
|
|
|
- my $installman1dir = $Config{installman1dir};
|
|
|
- my $man1ext = $Config{man1ext};
|
|
|
- my $libperl = $Config{libperl};
|
|
|
-@@ -336,6 +338,8 @@
|
|
|
- mkpath($installarchlib, $verbose, 0777);
|
|
|
- mkpath($installsitelib, $verbose, 0777) if ($installsitelib);
|
|
|
- mkpath($installsitearch, $verbose, 0777) if ($installsitearch);
|
|
|
-+mkpath($installvendorlib, $verbose, 0777) if ($installvendorlib);
|
|
|
-+mkpath($installvendorarch, $verbose, 0777) if ($installvendorarch);
|
|
|
-
|
|
|
- if (chdir "lib") {
|
|
|
- $do_installarchlib = ! samepath($installarchlib, '.');
|
|
|
-
|
|
|
------------------------------------------------------------------------------
|
|
|
-
|
|
|
-http://stein.cshl.org/WWW/software/CGI/
|
|
|
- under "Revision History" find "Fixed cross-site scripting bug
|
|
|
- reported by obscure" note attached to Version 2.94. A quick fix was
|
|
|
- introduced in 2.94. It was replaced by a more careful patch in 2.99.
|
|
|
-
|
|
|
-http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0615
|
|
|
- Cross-site scripting (XSS) vulnerability in start_form() of CGI.pm
|
|
|
- allows remote attackers to insert web script via a URL that is fed
|
|
|
- into the form's action parameter
|
|
|
-
|
|
|
-This is a backport of the 2.99 patch for 2.81 which is the version
|
|
|
-embedded with perl 5.8.0
|
|
|
-
|
|
|
---- lib/CGI.pm.orig 2003-09-15 14:09:34.000000000 +0200
|
|
|
-+++ lib/CGI.pm 2003-09-15 14:16:26.000000000 +0200
|
|
|
-@@ -1533,8 +1533,11 @@
|
|
|
- $enctype = $enctype || &URL_ENCODED;
|
|
|
- unless (defined $action) {
|
|
|
- $action = $self->url(-absolute=>1,-path=>1);
|
|
|
-- $action .= "?$ENV{QUERY_STRING}" if $ENV{QUERY_STRING};
|
|
|
-+ if (length($ENV{QUERY_STRING})>0) {
|
|
|
-+ $action .= "?".$self->escapeHTML($ENV{QUERY_STRING},1);
|
|
|
-+ }
|
|
|
- }
|
|
|
-+ $action = escape($action);
|
|
|
- $action = qq(action="$action");
|
|
|
- my($other) = @other ? " @other" : '';
|
|
|
- $self->{'.parametersToAdd'}={};
|
|
|
-
|
