Sākums Izpētīt Palīdzība
Pierakstīties
openpkg
/
openpkg-packages
Vērot 2
Pievienot zvaigznīti 0
Atdalīts 0
Faili Problēmas 0 Izmaiņu pieprasījumi 0
Koks: 0b1c923d74
Atzari Tagi
openpkg-pack...
/
perl
/
perl.patch

perl.patch 6.2 KB
Vēsture Neapstrādāts

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179 
  1. "A security hole has been discovered in Safe.pm. When a Safe compartment
    2. 

  2. has already been used, there's no guarantee that it's safe any longer,
    3. 

  3. because there's a way for code executed within the Safe compartment to
    4. 

  4. alter its operation mask. (Thus, programs that use a Safe compartment
    5. 

  5. only once aren't affected by this bug.)"
    6. 

  6. 

  7. --- ext/Opcode/Safe.pm.orig
    8. 

  8. +++ ext/Opcode/Safe.pm
    9. 

  9. @@ -213,7 +213,7 @@
    10. 

  10.      # Create anon sub ref in root of compartment.
    11. 

  11.      # Uses a closure (on $expr) to pass in the code to be executed.
    12. 

  12.      # (eval on one line to keep line numbers as expected by caller)
    13. 

  13. -	my $evalcode = sprintf('package %s; sub { eval $expr; }', $root);
    14. 

  14. +	my $evalcode = sprintf('package %s; sub { @_ = (); eval $expr; }', $root);
    15. 

  15.      my $evalsub;
    16. 

  16.  
    17. 

  17.  	if ($strict) { use strict; $evalsub = eval $evalcode; }
    18. 

  18. @@ -227,7 +227,7 @@
    19. 

  19.      my $root = $obj->{Root};
    20. 

  20.  
    21. 

  21.      my $evalsub = eval
    22. 

  22. -	    sprintf('package %s; sub { do $file }', $root);
    23. 

  23. +	    sprintf('package %s; sub { @_ = (); do $file }', $root);
    24. 

  24.      return Opcode::_safe_call_sv($root, $obj->{Mask}, $evalsub);
    25. 

  25.  }
    26. 

  26.  
    27. 

  27. -----------------------------------------------------------------------------
    28. 

  28. 

  29. By default, the Perl module search order is "use lib, -I, PERL[5]LIB,
    30. 

  30. perl, site, vendor, other". This means that in OpenPKG both the modules
    31. 

  31. installed via CPAN shell (in "site" area) and the "perl-xxx" packages
    32. 

  32. (in "vendor" area) cannot override the (sometimes obsoleted) module
    33. 

  33. versions distributed with Perl (in "perl" area). Hence, we change
    34. 

  34. the search order to a more reasonable one for OpenPKG: "use lib, -I,
    35. 

  35. PERL[5]LIB, site, vendor, perl, other".
    36. 

  36. 

  37. --- perl.c.orig	2002-07-09 21:41:43.000000000 +0200
    38. 

  38. +++ perl.c	2003-09-03 14:08:25.000000000 +0200
    39. 

  39. @@ -3679,39 +3679,6 @@
    40. 

  40.      incpush(APPLLIB_EXP, TRUE, TRUE);
    41. 

  41.  #endif
    42. 

  42.  
    43. 

  43. -#ifdef ARCHLIB_EXP
    44. 

  44. -    incpush(ARCHLIB_EXP, FALSE, FALSE);
    45. 

  45. -#endif
    46. 

  46. -#ifdef MACOS_TRADITIONAL
    47. 

  47. -    {
    48. 

  48. -	Stat_t tmpstatbuf;
    49. 

  49. -    	SV * privdir = NEWSV(55, 0);
    50. 

  50. -	char * macperl = PerlEnv_getenv("MACPERL");
    51. 

  51. -	
    52. 

  52. -	if (!macperl)
    53. 

  53. -	    macperl = "";
    54. 

  54. -	
    55. 

  55. -	Perl_sv_setpvf(aTHX_ privdir, "%slib:", macperl);
    56. 

  56. -	if (PerlLIO_stat(SvPVX(privdir), &tmpstatbuf) >= 0 && S_ISDIR(tmpstatbuf.st_mode))
    57. 

  57. -	    incpush(SvPVX(privdir), TRUE, FALSE);
    58. 

  58. -	Perl_sv_setpvf(aTHX_ privdir, "%ssite_perl:", macperl);
    59. 

  59. -	if (PerlLIO_stat(SvPVX(privdir), &tmpstatbuf) >= 0 && S_ISDIR(tmpstatbuf.st_mode))
    60. 

  60. -	    incpush(SvPVX(privdir), TRUE, FALSE);
    61. 

  61. -	
    62. 

  62. -   	SvREFCNT_dec(privdir);
    63. 

  63. -    }
    64. 

  64. -    if (!PL_tainting)
    65. 

  65. -	incpush(":", FALSE, FALSE);
    66. 

  66. -#else
    67. 

  67. -#ifndef PRIVLIB_EXP
    68. 

  68. -#  define PRIVLIB_EXP "/usr/local/lib/perl5:/usr/local/lib/perl"
    69. 

  69. -#endif
    70. 

  70. -#if defined(WIN32)
    71. 

  71. -    incpush(PRIVLIB_EXP, TRUE, FALSE);
    72. 

  72. -#else
    73. 

  73. -    incpush(PRIVLIB_EXP, FALSE, FALSE);
    74. 

  74. -#endif
    75. 

  75. -
    76. 

  76.  #ifdef SITEARCH_EXP
    77. 

  77.      /* sitearch is always relative to sitelib on Windows for
    78. 

  78.       * DLL-based path intuition to work correctly */
    79. 

  79. @@ -3752,6 +3719,39 @@
    80. 

  80.      incpush(PERL_VENDORLIB_STEM, FALSE, TRUE);
    81. 

  81.  #endif
    82. 

  82.  
    83. 

  83. +#ifdef ARCHLIB_EXP
    84. 

  84. +    incpush(ARCHLIB_EXP, FALSE, FALSE);
    85. 

  85. +#endif
    86. 

  86. +#ifdef MACOS_TRADITIONAL
    87. 

  87. +    {
    88. 

  88. +	Stat_t tmpstatbuf;
    89. 

  89. +    	SV * privdir = NEWSV(55, 0);
    90. 

  90. +	char * macperl = PerlEnv_getenv("MACPERL");
    91. 

  91. +	
    92. 

  92. +	if (!macperl)
    93. 

  93. +	    macperl = "";
    94. 

  94. +	
    95. 

  95. +	Perl_sv_setpvf(aTHX_ privdir, "%slib:", macperl);
    96. 

  96. +	if (PerlLIO_stat(SvPVX(privdir), &tmpstatbuf) >= 0 && S_ISDIR(tmpstatbuf.st_mode))
    97. 

  97. +	    incpush(SvPVX(privdir), TRUE, FALSE);
    98. 

  98. +	Perl_sv_setpvf(aTHX_ privdir, "%ssite_perl:", macperl);
    99. 

  99. +	if (PerlLIO_stat(SvPVX(privdir), &tmpstatbuf) >= 0 && S_ISDIR(tmpstatbuf.st_mode))
    100. 

  100. +	    incpush(SvPVX(privdir), TRUE, FALSE);
    101. 

  101. +	
    102. 

  102. +   	SvREFCNT_dec(privdir);
    103. 

  103. +    }
    104. 

  104. +    if (!PL_tainting)
    105. 

  105. +	incpush(":", FALSE, FALSE);
    106. 

  106. +#else
    107. 

  107. +#ifndef PRIVLIB_EXP
    108. 

  108. +#  define PRIVLIB_EXP "/usr/local/lib/perl5:/usr/local/lib/perl"
    109. 

  109. +#endif
    110. 

  110. +#if defined(WIN32)
    111. 

  111. +    incpush(PRIVLIB_EXP, TRUE, FALSE);
    112. 

  112. +#else
    113. 

  113. +    incpush(PRIVLIB_EXP, FALSE, FALSE);
    114. 

  114. +#endif
    115. 

  115. +
    116. 

  116.  #ifdef PERL_OTHERLIBDIRS
    117. 

  117.      incpush(PERL_OTHERLIBDIRS, TRUE, TRUE);
    118. 

  118.  #endif
    119. 

  119. 

  120. -----------------------------------------------------------------------------
    121. 

  121. 

  122. By default, the "vendor" area is not used, so Perl's installation
    123. 

  123. procedure forgot to create its top-level paths, too. In OpenPKG we use
    124. 

  124. the "vendor" area, so make sure it is created the same way the "site"
    125. 

  125. area is.
    126. 

  126. 

  127. --- installperl.orig	2002-07-16 20:57:32.000000000 +0200
    128. 

  128. +++ installperl	2003-09-03 14:27:11.000000000 +0200
    129. 

  129. @@ -174,6 +174,8 @@
    130. 

  130.  my $installarchlib = $Config{installarchlib};
    131. 

  131.  my $installsitelib = $Config{installsitelib};
    132. 

  132.  my $installsitearch = $Config{installsitearch};
    133. 

  133. +my $installvendorlib = $Config{installvendorlib};
    134. 

  134. +my $installvendorarch = $Config{installvendorarch};
    135. 

  135.  my $installman1dir = $Config{installman1dir};
    136. 

  136.  my $man1ext = $Config{man1ext};
    137. 

  137.  my $libperl = $Config{libperl};
    138. 

  138. @@ -336,6 +338,8 @@
    139. 

  139.  mkpath($installarchlib, $verbose, 0777);
    140. 

  140.  mkpath($installsitelib, $verbose, 0777) if ($installsitelib);
    141. 

  141.  mkpath($installsitearch, $verbose, 0777) if ($installsitearch);
    142. 

  142. +mkpath($installvendorlib, $verbose, 0777) if ($installvendorlib);
    143. 

  143. +mkpath($installvendorarch, $verbose, 0777) if ($installvendorarch);
    144. 

  144.  
    145. 

  145.  if (chdir "lib") {
    146. 

  146.      $do_installarchlib = ! samepath($installarchlib, '.');
    147. 

  147.  
    148. 

  148. -----------------------------------------------------------------------------
    149. 

  149. 

  150. http://stein.cshl.org/WWW/software/CGI/
    151. 

  151.     under "Revision History" find "Fixed cross-site scripting bug
    152. 

  152.     reported by obscure" note attached to Version 2.94. A quick fix was
    153. 

  153.     introduced in 2.94. It was replaced by a more careful patch in 2.99.
    154. 

  154. 

  155. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0615
    156. 

  156.     Cross-site scripting (XSS) vulnerability in start_form() of CGI.pm
    157. 

  157.     allows remote attackers to insert web script via a URL that is fed
    158. 

  158.     into the form's action parameter
    159. 

  159. 

  160. This is a backport of the 2.99 patch for 2.81 which is the version
    161. 

  161. embedded with perl 5.8.0
    162. 

  162. 

  163. --- lib/CGI.pm.orig	2003-09-15 14:09:34.000000000 +0200
    164. 

  164. +++ lib/CGI.pm	2003-09-15 14:16:26.000000000 +0200
    165. 

  165. @@ -1533,8 +1533,11 @@
    166. 

  166.      $enctype = $enctype || &URL_ENCODED;
    167. 

  167.      unless (defined $action) {
    168. 

  168.         $action = $self->url(-absolute=>1,-path=>1);
    169. 

  169. -       $action .= "?$ENV{QUERY_STRING}" if $ENV{QUERY_STRING};
    170. 

  170. +       if (length($ENV{QUERY_STRING})>0) {
    171. 

  171. +           $action .= "?".$self->escapeHTML($ENV{QUERY_STRING},1);
    172. 

  172. +       }
    173. 

  173.      }
    174. 

  174. +    $action = escape($action);
    175. 

  175.      $action = qq(action="$action");
    176. 

  176.      my($other) = @other ? " @other" : '';
    177. 

  177.      $self->{'.parametersToAdd'}={};
    178. 

  178. 

  179.