"A security hole has been discovered in Safe.pm. When a Safe compartment has already been used, there's no guarantee that it's safe any longer, because there's a way for code executed within the Safe compartment to alter its operation mask. (Thus, programs that use a Safe compartment only once aren't affected by this bug.)"
--- ext/Opcode/Safe.pm.orig
+++ ext/Opcode/Safe.pm
@@ -213,7 +213,7 @@
 # Create anon sub ref in root of compartment.
 # Uses a closure (on $expr) to pass in the code to be executed.
 # (eval on one line to keep line numbers as expected by caller)
- my $evalcode = sprintf('package %s; sub { eval $expr; }', $root);
+ my $evalcode = sprintf('package %s; sub { @_ = (); eval $expr; }', $root);
 my $evalsub;
 if ($strict) { use strict; $evalsub = eval $evalcode; }
@@ -227,7 +227,7 @@
 my $root = $obj->{Root};
 my $evalsub = eval
- sprintf('package %s; sub { do $file }', $root);
+ sprintf('package %s; sub { @_ = (); do $file }', $root);
 return Opcode::_safe_call_sv($root, $obj->{Mask}, $evalsub);
 }
-----------------------------------------------------------------------------
By default, the Perl module search order is "use lib, -I, PERL[5]LIB, perl, site, vendor, other". This means that in OpenPKG both the modules installed via CPAN shell (in "site" area) and the "perl-xxx" packages (in "vendor" area) cannot override the (sometimes obsoleted) module versions distributed with Perl (in "perl" area). Hence, we change the search order to a more reasonable one for OpenPKG: "use lib, -I, PERL[5]LIB, site, vendor, perl, other".
--- perl.c.orig 2002-07-09 21:41:43.000000000 +0200
+++ perl.c 2003-09-03 14:08:25.000000000 +0200
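Review bot: The `@_ = ();` added inside the generated sub string has no comment explaining it, and the comment block above it still describes only the closure and the one-line eval. Because the statement looks like dead code, a later cleanup could remove it and reopen the mask-alteration problem described at the top of this patch. I would add a line such as `# Empty @_ before running compartment code; required by the Safe.pm mask-alteration fix.` above the `sprintf`. The same comment belongs in the second hunk (@@ -227), where `do $file` gets the identical guard. Both enclosing subs start outside their hunks.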
@@ -3679,39 +3679,6 @@
 incpush(APPLLIB_EXP, TRUE, TRUE);
 #endif
-#ifdef ARCHLIB_EXP
- incpush(ARCHLIB_EXP, FALSE, FALSE);
-#endif
-#ifdef MACOS_TRADITIONAL
- {
- Stat_t tmpstatbuf;
- SV * privdir = NEWSV(55, 0);
- char * macperl = PerlEnv_getenv("MACPERL");
-
- if (!macperl)
- macperl = "";
-
- Perl_sv_setpvf(aTHX_ privdir, "%slib:", macperl);
- if (PerlLIO_stat(SvPVX(privdir), &tmpstatbuf) >= 0 && S_ISDIR(tmpstatbuf.st_mode))
- incpush(SvPVX(privdir), TRUE, FALSE);
- Perl_sv_setpvf(aTHX_ privdir, "%ssite_perl:", macperl);
- if (PerlLIO_stat(SvPVX(privdir), &tmpstatbuf) >= 0 && S_ISDIR(tmpstatbuf.st_mode))
- incpush(SvPVX(privdir), TRUE, FALSE);
-
- SvREFCNT_dec(privdir);
- }
- if (!PL_tainting)
- incpush(":", FALSE, FALSE);
-#else
-#ifndef PRIVLIB_EXP
-# define PRIVLIB_EXP "/usr/local/lib/perl5:/usr/local/lib/perl"
-#endif
-#if defined(WIN32)
- incpush(PRIVLIB_EXP, TRUE, FALSE);
-#else
- incpush(PRIVLIB_EXP, FALSE, FALSE);
-#endif
-
 #ifdef SITEARCH_EXP
 /* sitearch is always relative to sitelib on Windows for
 * DLL-based path intuition to work correctly */
@@ -3752,6 +3719,39 @@
 incpush(PERL_VENDORLIB_STEM, FALSE, TRUE);
 #endif
+#ifdef ARCHLIB_EXP
+ incpush(ARCHLIB_EXP, FALSE, FALSE);
+#endif
+#ifdef MACOS_TRADITIONAL
+ {
+ Stat_t tmpstatbuf;
+ SV * privdir = NEWSV(55, 0);
+ char * macperl = PerlEnv_getenv("MACPERL");
+
+ if (!macperl)
+ macperl = "";
+
+ Perl_sv_setpvf(aTHX_ privdir, "%slib:", macperl);
+ if (PerlLIO_stat(SvPVX(privdir), &tmpstatbuf) >= 0 && S_ISDIR(tmpstatbuf.st_mode))
+ incpush(SvPVX(privdir), TRUE, FALSE);
+ Perl_sv_setpvf(aTHX_ privdir, "%ssite_perl:", macperl);
+ if (PerlLIO_stat(SvPVX(privdir), &tmpstatbuf) >= 0 && S_ISDIR(tmpstatbuf.st_mode))
+ incpush(SvPVX(privdir), TRUE, FALSE);
+
+ SvREFCNT_dec(privdir);
+ }
+ if (!PL_tainting)
+ incpush(":", FALSE, FALSE);
+#else
+#ifndef PRIVLIB_EXP
+# define PRIVLIB_EXP "/usr/local/lib/perl5:/usr/local/lib/perl"
+#endif
+#if defined(WIN32)
+ incpush(PRIVLIB_EXP, TRUE, FALSE);
+#else
+ incpush(PRIVLIB_EXP, FALSE, FALSE);
+#endif
+
 #ifdef PERL_OTHERLIBDIRS
 incpush(PERL_OTHERLIBDIRS, TRUE, TRUE);
 #endif
-----------------------------------------------------------------------------
By default, the "vendor" area is not used, so Perl's installation procedure forgot to create its top-level paths, too. In OpenPKG we use the "vendor" area, so make sure it is created the same way the "site" area is.
--- installperl.orig 2002-07-16 20:57:32.000000000 +0200
+++ installperl 2003-09-03 14:27:11.000000000 +0200
@@ -174,6 +174,8 @@
 my $installarchlib = $Config{installarchlib};
 my $installsitelib = $Config{installsitelib};
 my $installsitearch = $Config{installsitearch};
+my $installvendorlib = $Config{installvendorlib};
+my $installvendorarch = $Config{installvendorarch};
 my $installman1dir = $Config{installman1dir};
 my $man1ext = $Config{man1ext};
 my $libperl = $Config{libperl};
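Review bot: Re-adding the `ARCHLIB_EXP`/`PRIVLIB_EXP` pushes after the site and vendor pushes means a same-named module in a site or vendor directory now shadows the copy shipped with Perl, including security-fixed core modules such as the Safe.pm patched earlier in this file. That is the stated intent, but the moved block should say so, e.g. `/* OpenPKG: core libs are searched after site/vendor; those trees must not hold stale copies of core modules */`. The site and vendor trees then need checking after every core security update. Separately, the moved block opens `#ifdef MACOS_TRADITIONAL` … `#else` with no matching `#endif` inside this hunk, so the set of later pushes that fall under the `#else` branch appears to change with the move. The closing `#endif` is outside the hunk, so this should be confirmed against the full function.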
@@ -336,6 +338,8 @@
 mkpath($installarchlib, $verbose, 0777);
 mkpath($installsitelib, $verbose, 0777) if ($installsitelib);
 mkpath($installsitearch, $verbose, 0777) if ($installsitearch);
+mkpath($installvendorlib, $verbose, 0777) if ($installvendorlib);
+mkpath($installvendorarch, $verbose, 0777) if ($installvendorarch);
 if (chdir "lib") {
 $do_installarchlib = ! samepath($installarchlib, '.');
-----------------------------------------------------------------------------
http://stein.cshl.org/WWW/software/CGI/ under "Revision History" find "Fixed cross-site scripting bug reported by obscure" note attached to Version 2.94. A quick fix was introduced in 2.94. It was replaced by a more careful patch in 2.99. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0615 Cross-site scripting (XSS) vulnerability in start_form() of CGI.pm allows remote attackers to insert web script via a URL that is fed into the form's action parameter This is a backport of the 2.99 patch for 2.81 which is the version embedded with perl 5.8.0
--- lib/CGI.pm.orig 2003-09-15 14:09:34.000000000 +0200
+++ lib/CGI.pm 2003-09-15 14:16:26.000000000 +0200
@@ -1533,8 +1533,11 @@
 $enctype = $enctype || &URL_ENCODED;
 unless (defined $action) {
 $action = $self->url(-absolute=>1,-path=>1);
- $action .= "?$ENV{QUERY_STRING}" if $ENV{QUERY_STRING};
+ if (length($ENV{QUERY_STRING})>0) {
+ $action .= "?".$self->escapeHTML($ENV{QUERY_STRING},1);
+ }
 }
+ $action = escape($action);
 $action = qq(action="$action");
 my($other) = @other ? " @other" : '';
 $self->{'.parametersToAdd'}={};
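Review bot: The two added `mkpath(..., 0777)` calls leave the final mode of the vendor directories to the umask of whoever runs the install, as the neighbouring site lines already do. With the search-order change elsewhere in this patch set, the vendor tree is consulted before the core library, so a group- or world-writable vendor directory would let its contents take precedence over core modules. Passing an explicit mode removes that dependency: `mkpath($installvendorlib, $verbose, 0755) if ($installvendorlib);` and likewise for `$installvendorarch`. Setting the umask before these calls would work as well.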
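Review bot: The value ends up inside an HTML attribute (`action="$action"`), but the last added line encodes it with `escape()`, which elsewhere in CGI.pm is the URL percent-encoder rather than the HTML one. Its definition is outside this hunk, so please confirm. If so, the default action is encoded twice: the query string goes through `escapeHTML`, then the whole URL, including `/`, `?` and the `&amp;` just produced, goes through `escape`. Percent-encoding still neutralises quotes and angle brackets, so this is a correctness concern rather than a remaining injection, but the resulting URL may not resolve. Applying one encoder for the output context once, `$action = $self->escapeHTML($action);`, and dropping the inner `escapeHTML` call would treat the default and a caller-supplied `-action` the same way. The enclosing sub starts and ends outside the hunk.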