-rw-r--r-- | gnu/local.mk | 5 | ||||
-rw-r--r-- | gnu/packages/patches/perl-CVE-2015-8607.patch | 68 | ||||
-rw-r--r-- | gnu/packages/patches/perl-CVE-2016-2381.patch | 116 | ||||
-rw-r--r-- | gnu/packages/patches/perl-no-build-time.patch | 26 | ||||
-rw-r--r-- | gnu/packages/patches/perl-reproducible-build-date.patch | 17 | ||||
-rw-r--r-- | gnu/packages/patches/perl-source-date-epoch.patch | 19 | ||||
-rw-r--r-- | gnu/packages/perl.scm | 9 |
7 files changed, 21 insertions, 239 deletions
diff --git a/gnu/local.mk b/gnu/local.mk
index 314f40bad1..9fc5067e7b 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -695,8 +695,6 @@ dist_patch_DATA = \
 %D%/packages/patches/patch-hurd-path-max.patch \
 %D%/packages/patches/pcre-CVE-2016-3191.patch \
 %D%/packages/patches/pcre2-CVE-2016-3191.patch \
- %D%/packages/patches/perl-CVE-2015-8607.patch \
- %D%/packages/patches/perl-CVE-2016-2381.patch \
 %D%/packages/patches/perl-autosplit-default-time.patch \
 %D%/packages/patches/perl-deterministic-ordering.patch \
 %D%/packages/patches/perl-finance-quote-unuse-mozilla-ca.patch \
@@ -705,10 +703,9 @@ dist_patch_DATA = \
 %D%/packages/patches/perl-net-amazon-s3-moose-warning.patch \
 %D%/packages/patches/perl-net-ssleay-disable-ede-test.patch \
 %D%/packages/patches/perl-net-dns-resolver-programmable-Fix-broken-interface.patch \
- %D%/packages/patches/perl-no-build-time.patch \
 %D%/packages/patches/perl-no-sys-dirs.patch \
 %D%/packages/patches/perl-module-pluggable-search.patch \
- %D%/packages/patches/perl-source-date-epoch.patch \
+ %D%/packages/patches/perl-reproducible-build-date.patch \
 %D%/packages/patches/pidgin-add-search-path.patch \
 %D%/packages/patches/pinball-const-fix.patch \
 %D%/packages/patches/pinball-cstddef.patch \
diff --git a/gnu/packages/patches/perl-CVE-2015-8607.patch b/gnu/packages/patches/perl-CVE-2015-8607.patch
deleted file mode 100644
index 4c25d41740..0000000000
--- a/gnu/packages/patches/perl-CVE-2015-8607.patch
+++ /dev/null
@@ -1,68 +0,0 @@ -From 3a629609084d147838368262171b923f0770e564 Mon Sep 17 00:00:00 2001 -From: Tony Cook <tony@develop-help.com> -Date: Tue, 15 Dec 2015 10:56:54 +1100 -Subject: ensure File::Spec::canonpath() preserves taint - -Previously the unix specific XS implementation of canonpath() would -return an untainted path when supplied a tainted path. - -For the empty string case, newSVpvs() already sets taint as needed on -its result. - -This issue was assigned CVE-2015-8607. - -Bug: https://rt.perl.org/Ticket/Display.html?id=126862 -Bug-Debian: https://bugs.debian.org/810719 -Origin: upstream -Patch-Name: fixes/CVE-2015-8607_file_spec_taint_fix.diff ---- - dist/PathTools/Cwd.xs | 1 + - dist/PathTools/t/taint.t | 19 ++++++++++++++++++- - 2 files changed, 19 insertions(+), 1 deletion(-) - -diff --git a/dist/PathTools/Cwd.xs b/dist/PathTools/Cwd.xs -index 9d4dcf0..3d018dc 100644 ---- a/dist/PathTools/Cwd.xs -+++ b/dist/PathTools/Cwd.xs -@@ -535,6 +535,7 @@ THX_unix_canonpath(pTHX_ SV *path) - *o = 0; - SvPOK_on(retval); - SvCUR_set(retval, o - SvPVX(retval)); -+ SvTAINT(retval); - return retval; - } - -diff --git a/dist/PathTools/t/taint.t b/dist/PathTools/t/taint.t -index 309b3e5..48f8c5b 100644 ---- a/dist/PathTools/t/taint.t -+++ b/dist/PathTools/t/taint.t -@@ -12,7 +12,7 @@ use Test::More; - BEGIN { - plan( - ${^TAINT} -- ? (tests => 17) -+ ? (tests => 21) - : (skip_all => "A perl without taint support") - ); - } -@@ -34,3 +34,20 @@ foreach my $func (@Functions) { - - # Previous versions of Cwd tainted $^O - is !tainted($^O), 1, "\$^O should not be tainted"; -+ -+{ -+ # [perl #126862] canonpath() loses taint -+ my $tainted = substr($ENV{PATH}, 0, 0); -+ # yes, getcwd()'s result should be tainted, and is tested above -+ # but be sure -+ ok tainted(File::Spec->canonpath($tainted . 
Cwd::getcwd)), -+ "canonpath() keeps taint on non-empty string"; -+ ok tainted(File::Spec->canonpath($tainted)), -+ "canonpath() keeps taint on empty string"; -+ -+ (Cwd::getcwd() =~ /^(.*)/); -+ my $untainted = $1; -+ ok !tainted($untainted), "make sure our untainted value is untainted"; -+ ok !tainted(File::Spec->canonpath($untainted)), -+ "canonpath() doesn't add taint to untainted string"; -+} diff --git a/gnu/packages/patches/perl-CVE-2016-2381.patch b/gnu/packages/patches/perl-CVE-2016-2381.patch deleted file mode 100644 index 99d1944a5d..0000000000 --- a/gnu/packages/patches/perl-CVE-2016-2381.patch +++ /dev/null 
@@ -1,116 +0,0 @@ -Fix CVE-2016-2381 (ambiguous handling of duplicated environment variables). - -Copied from upstream: -http://perl5.git.perl.org/perl.git/commit/ae37b791a73a9e78dedb89fb2429d2628cf58076 - -References: -https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2381 -http://www.nntp.perl.org/group/perl.perl5.porters/2016/03/msg234747.html -https://security-tracker.debian.org/tracker/CVE-2016-2381 - ---- - -From 1237ea93fb2475a5ae576d5ee1358a5bb4ebe426 Mon Sep 17 00:00:00 2001 -From: Tony Cook <tony@develop-help.com> -Date: Wed, 27 Jan 2016 11:52:15 +1100 -Subject: remove duplicate environment variables from environ - -If we see duplicate environment variables while iterating over -environ[]: - -a) make sure we use the same value in %ENV that getenv() returns. - -Previously on a duplicate, %ENV would have the last entry for the name -from environ[], but a typical getenv() would return the first entry. - -Rather than assuming all getenv() implementations return the first entry -explicitly call getenv() to ensure they agree. - -b) remove duplicate entries from environ - -Previously if there was a duplicate definition for a name in environ[] -setting that name in %ENV could result in an unsafe value being passed -to a child process, so ensure environ[] has no duplicates. 
- -Patch-Name: fixes/CVE-2016-2381_duplicate_env.diff ---- - perl.c | 51 +++++++++++++++++++++++++++++++++++++++++++++++++-- - 1 file changed, 49 insertions(+), 2 deletions(-) - -diff --git a/perl.c b/perl.c -index 67d32ce..26aeb91 100644 ---- a/perl.c -+++ b/perl.c -@@ -4277,23 +4277,70 @@ S_init_postdump_symbols(pTHX_ int argc, char **argv, char **env) - } - if (env) { - char *s, *old_var; -+ STRLEN nlen; - SV *sv; -+ HV *dups = newHV(); -+ - for (; *env; env++) { - old_var = *env; - - if (!(s = strchr(old_var,'=')) || s == old_var) - continue; -+ nlen = s - old_var; - - #if defined(MSDOS) && !defined(DJGPP) - *s = '\0'; - (void)strupr(old_var); - *s = '='; - #endif -- sv = newSVpv(s+1, 0); -- (void)hv_store(hv, old_var, s - old_var, sv, 0); -+ if (hv_exists(hv, old_var, nlen)) { -+ const char *name = savepvn(old_var, nlen); -+ -+ /* make sure we use the same value as getenv(), otherwise code that -+ uses getenv() (like setlocale()) might see a different value to %ENV -+ */ -+ sv = newSVpv(PerlEnv_getenv(name), 0); -+ -+ /* keep a count of the dups of this name so we can de-dup environ later */ -+ if (hv_exists(dups, name, nlen)) -+ ++SvIVX(*hv_fetch(dups, name, nlen, 0)); -+ else -+ (void)hv_store(dups, name, nlen, newSViv(1), 0); -+ -+ Safefree(name); -+ } -+ else { -+ sv = newSVpv(s+1, 0); -+ } -+ (void)hv_store(hv, old_var, nlen, sv, 0); - if (env_is_not_environ) - mg_set(sv); - } -+ if (HvKEYS(dups)) { -+ /* environ has some duplicate definitions, remove them */ -+ HE *entry; -+ hv_iterinit(dups); -+ while ((entry = hv_iternext_flags(dups, 0))) { -+ STRLEN nlen; -+ const char *name = HePV(entry, nlen); -+ IV count = SvIV(HeVAL(entry)); -+ IV i; -+ SV **valp = hv_fetch(hv, name, nlen, 0); -+ -+ assert(valp); -+ -+ /* try to remove any duplicate names, depending on the -+ * implementation used in my_setenv() the iteration might -+ * not be necessary, but let's be safe. 
-+ */ -+ for (i = 0; i < count; ++i) -+ my_setenv(name, 0); -+ -+ /* and set it back to the value we set $ENV{name} to */ -+ my_setenv(name, SvPV_nolen(*valp)); -+ } -+ } -+ SvREFCNT_dec_NN(dups); - } - #endif /* USE_ENVIRON_ARRAY */ - #endif /* !PERL_MICRO */ diff --git a/gnu/packages/patches/perl-no-build-time.patch b/gnu/packages/patches/perl-no-build-time.patch deleted file mode 100644 index 5d78e8f462..0000000000 --- a/gnu/packages/patches/perl-no-build-time.patch +++ /dev/null @@ -1,26 +0,0 @@ -Do not record the configuration and build time so that builds can be -reproduced bit-for-bit. - ---- perl-5.22.0/Configure 1970-01-01 01:00:00.000000000 +0100 -+++ perl-5.22.0/Configure 2015-12-13 00:14:43.148165080 +0100 -@@ -3834,6 +3817,7 @@ esac - - : who configured the system - cf_time=`LC_ALL=C; LANGUAGE=C; export LC_ALL; export LANGUAGE; $date 2>&1` -+cf_time='Thu Jan 1 00:00:01 UTC 1970' - case "$cf_by" in - "") - cf_by=`(logname) 2>/dev/null` - ---- perl-5.22.0/perl.c 2015-12-13 00:25:30.269156627 +0100 -+++ perl-5.22.0/perl.c 2015-12-13 00:25:38.265218175 +0100 -@@ -1795,7 +1795,7 @@ S_Internals_V(pTHX_ CV *cv) - PUSHs(Perl_newSVpvn_flags(aTHX_ non_bincompat_options, - sizeof(non_bincompat_options) - 1, SVs_TEMP)); - --#ifdef __DATE__ -+#if 0 - # ifdef __TIME__ - PUSHs(Perl_newSVpvn_flags(aTHX_ - STR_WITH_LEN("Compiled at " __DATE__ " " __TIME__), - diff --git a/gnu/packages/patches/perl-reproducible-build-date.patch b/gnu/packages/patches/perl-reproducible-build-date.patch new file mode 100644 index 0000000000..d5bd25dbfb --- /dev/null +++ b/gnu/packages/patches/perl-reproducible-build-date.patch 
@@ -0,0 +1,17 @@ +Don't encode the current timestamp. + +This affects the output of `perl -V`, specifically the message "Compiled +at [...]". + +diff --git a/perl.c b/perl.c +index 228a0d8..ed38313 100644 +--- a/perl.c ++++ b/perl.c +@@ -1825,6 +1825,7 @@ S_Internals_V(pTHX_ CV *cv) + PUSHs(Perl_newSVpvn_flags(aTHX_ non_bincompat_options, + sizeof(non_bincompat_options) - 1, SVs_TEMP)); + ++#define PERL_BUILD_DATE "Jan 1 1970 00:00:00" + #ifndef PERL_BUILD_DATE + # ifdef __DATE__ + # ifdef __TIME__ diff --git a/gnu/packages/patches/perl-source-date-epoch.patch b/gnu/packages/patches/perl-source-date-epoch.patch deleted file mode 100644 index 37330c9537..0000000000 --- a/gnu/packages/patches/perl-source-date-epoch.patch +++ /dev/null @@ -1,19 +0,0 @@ -Adapted from <https://bugs.debian.org/801621>. -Make Pod::Man honor the SOURCE_DATE_EPOCH environment variable. - ---- perl-5.22.0/cpan/podlators/lib/Pod/Man.pm 2015-12-12 22:33:03.321787590 +0100 -+++ perl-5.22.0/cpan/podlators/lib/Pod/Man.pm 2015-12-12 22:36:33.367361338 +0100 -@@ -884,7 +884,12 @@ sub devise_date { - my ($self) = @_; - my $input = $self->source_filename; - my $time; -- if ($input) { -+ -+ if (defined($ENV{SOURCE_DATE_EPOCH}) && -+ $ENV{SOURCE_DATE_EPOCH} !~ /\D/) { -+ $time = $ENV{SOURCE_DATE_EPOCH}; -+ } -+ elsif ($input) { - $time = (stat $input)[9] || time; - } else { - $time = time; diff --git a/gnu/packages/perl.scm b/gnu/packages/perl.scm index aef92f4b79..0a26e51dfc 100644 --- a/gnu/packages/perl.scm +++ b/gnu/packages/perl.scm 
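Review bot: The new patch only pins the `Compiled at` string, whereas perl-no-build-time.patch, deleted in the same commit, also froze the Configure-time stamp with `cf_time='Thu Jan 1 00:00:01 UTC 1970'`; nothing in this diff carries that hunk forward, so the `Configured at` line of `perl -V` (and presumably cf_time in the installed Config.pm) may again depend on build time unless 5.24.0's Configure or a package phase outside this diff takes care of it. If that was not checked, comparing Config.pm from two builds would settle it quickly. Separately, the unconditional `#define PERL_BUILD_DATE` sits immediately before upstream's `#ifndef PERL_BUILD_DATE` guard, so a `-DPERL_BUILD_DATE=...` supplied through CFLAGS would be overridden with only a redefinition warning; wrapping the added line in its own `#ifndef PERL_BUILD_DATE` / `#endif` keeps that override usable at no cost.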
@@ -44,22 +44,19 @@ ;; Yeah, Perl... It is required early in the bootstrap process by Linux. (package (name "perl") - (version "5.22.1") + (version "5.24.0") (source (origin (method url-fetch) (uri (string-append "http://www.cpan.org/src/5.0/perl-" version ".tar.gz")) (sha256 (base32 - "09wg24w5syyafyv87l6z8pxwz4bjgcdj996bx5844k6m9445sirb")) + "00jj8zr8fnihrxxhl8h936ssczv5x86qb618yz1ig40d1rp0qhvy")) (patches (search-patches "perl-no-sys-dirs.patch" "perl-autosplit-default-time.patch" - "perl-source-date-epoch.patch" "perl-deterministic-ordering.patch" - "perl-no-build-time.patch" - "perl-CVE-2015-8607.patch" - "perl-CVE-2016-2381.patch")))) + "perl-reproducible-build-date.patch")))) (build-system gnu-build-system) (arguments '(#:tests? #f |
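Review bot: The two CVE patches are dropped from the patches list with nothing here recording why; that is fine only because the 5.24.0 release already contains the upstream fixes for CVE-2015-8607 and CVE-2016-2381 (perl5240delta's Security section lists both, as far as I can tell), and a later reader of perl.scm has to rediscover that before trusting the list. A one-line comment above `(patches (search-patches`, for example `;; CVE-2015-8607 and CVE-2016-2381 are fixed upstream as of 5.24.0.`, would keep that reasoning with the package. perl-source-date-epoch.patch is also removed without a replacement; presumably the podlators bundled with 5.24.0 honour SOURCE_DATE_EPOCH on their own, which is worth confirming by comparing the date in the `.TH` line of a generated man page across two builds before relying on it.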