summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--gnu/local.mk5
-rw-r--r--gnu/packages/patches/perl-CVE-2015-8607.patch68
-rw-r--r--gnu/packages/patches/perl-CVE-2016-2381.patch116
-rw-r--r--gnu/packages/patches/perl-no-build-time.patch26
-rw-r--r--gnu/packages/patches/perl-reproducible-build-date.patch17
-rw-r--r--gnu/packages/patches/perl-source-date-epoch.patch19
-rw-r--r--gnu/packages/perl.scm9
7 files changed, 21 insertions, 239 deletions
diff --git a/gnu/local.mk b/gnu/local.mk
index 314f40bad1..9fc5067e7b 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -695,8 +695,6 @@ dist_patch_DATA = \
%D%/packages/patches/patch-hurd-path-max.patch \
%D%/packages/patches/pcre-CVE-2016-3191.patch \
%D%/packages/patches/pcre2-CVE-2016-3191.patch \
- %D%/packages/patches/perl-CVE-2015-8607.patch \
- %D%/packages/patches/perl-CVE-2016-2381.patch \
%D%/packages/patches/perl-autosplit-default-time.patch \
%D%/packages/patches/perl-deterministic-ordering.patch \
%D%/packages/patches/perl-finance-quote-unuse-mozilla-ca.patch \
@@ -705,10 +703,9 @@ dist_patch_DATA = \
%D%/packages/patches/perl-net-amazon-s3-moose-warning.patch \
%D%/packages/patches/perl-net-ssleay-disable-ede-test.patch \
%D%/packages/patches/perl-net-dns-resolver-programmable-Fix-broken-interface.patch \
- %D%/packages/patches/perl-no-build-time.patch \
%D%/packages/patches/perl-no-sys-dirs.patch \
%D%/packages/patches/perl-module-pluggable-search.patch \
- %D%/packages/patches/perl-source-date-epoch.patch \
+ %D%/packages/patches/perl-reproducible-build-date.patch \
%D%/packages/patches/pidgin-add-search-path.patch \
%D%/packages/patches/pinball-const-fix.patch \
%D%/packages/patches/pinball-cstddef.patch \
diff --git a/gnu/packages/patches/perl-CVE-2015-8607.patch b/gnu/packages/patches/perl-CVE-2015-8607.patch
deleted file mode 100644
index 4c25d41740..0000000000
--- a/gnu/packages/patches/perl-CVE-2015-8607.patch
+++ /dev/null
@@ -1,68 +0,0 @@
-From 3a629609084d147838368262171b923f0770e564 Mon Sep 17 00:00:00 2001
-From: Tony Cook <tony@develop-help.com>
-Date: Tue, 15 Dec 2015 10:56:54 +1100
-Subject: ensure File::Spec::canonpath() preserves taint
-
-Previously the unix specific XS implementation of canonpath() would
-return an untainted path when supplied a tainted path.
-
-For the empty string case, newSVpvs() already sets taint as needed on
-its result.
-
-This issue was assigned CVE-2015-8607.
-
-Bug: https://rt.perl.org/Ticket/Display.html?id=126862
-Bug-Debian: https://bugs.debian.org/810719
-Origin: upstream
-Patch-Name: fixes/CVE-2015-8607_file_spec_taint_fix.diff
----
- dist/PathTools/Cwd.xs | 1 +
- dist/PathTools/t/taint.t | 19 ++++++++++++++++++-
- 2 files changed, 19 insertions(+), 1 deletion(-)
-
-diff --git a/dist/PathTools/Cwd.xs b/dist/PathTools/Cwd.xs
-index 9d4dcf0..3d018dc 100644
---- a/dist/PathTools/Cwd.xs
-+++ b/dist/PathTools/Cwd.xs
-@@ -535,6 +535,7 @@ THX_unix_canonpath(pTHX_ SV *path)
- *o = 0;
- SvPOK_on(retval);
- SvCUR_set(retval, o - SvPVX(retval));
-+ SvTAINT(retval);
- return retval;
- }
-
-diff --git a/dist/PathTools/t/taint.t b/dist/PathTools/t/taint.t
-index 309b3e5..48f8c5b 100644
---- a/dist/PathTools/t/taint.t
-+++ b/dist/PathTools/t/taint.t
-@@ -12,7 +12,7 @@ use Test::More;
- BEGIN {
- plan(
- ${^TAINT}
-- ? (tests => 17)
-+ ? (tests => 21)
- : (skip_all => "A perl without taint support")
- );
- }
-@@ -34,3 +34,20 @@ foreach my $func (@Functions) {
-
- # Previous versions of Cwd tainted $^O
- is !tainted($^O), 1, "\$^O should not be tainted";
-+
-+{
-+ # [perl #126862] canonpath() loses taint
-+ my $tainted = substr($ENV{PATH}, 0, 0);
-+ # yes, getcwd()'s result should be tainted, and is tested above
-+ # but be sure
-+ ok tainted(File::Spec->canonpath($tainted . Cwd::getcwd)),
-+ "canonpath() keeps taint on non-empty string";
-+ ok tainted(File::Spec->canonpath($tainted)),
-+ "canonpath() keeps taint on empty string";
-+
-+ (Cwd::getcwd() =~ /^(.*)/);
-+ my $untainted = $1;
-+ ok !tainted($untainted), "make sure our untainted value is untainted";
-+ ok !tainted(File::Spec->canonpath($untainted)),
-+ "canonpath() doesn't add taint to untainted string";
-+}
diff --git a/gnu/packages/patches/perl-CVE-2016-2381.patch b/gnu/packages/patches/perl-CVE-2016-2381.patch
deleted file mode 100644
index 99d1944a5d..0000000000
--- a/gnu/packages/patches/perl-CVE-2016-2381.patch
+++ /dev/null
@@ -1,116 +0,0 @@
-Fix CVE-2016-2381 (ambiguous handling of duplicated environment variables).
-
-Copied from upstream:
-http://perl5.git.perl.org/perl.git/commit/ae37b791a73a9e78dedb89fb2429d2628cf58076
-
-References:
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2381
-http://www.nntp.perl.org/group/perl.perl5.porters/2016/03/msg234747.html
-https://security-tracker.debian.org/tracker/CVE-2016-2381
-
----
-
-From 1237ea93fb2475a5ae576d5ee1358a5bb4ebe426 Mon Sep 17 00:00:00 2001
-From: Tony Cook <tony@develop-help.com>
-Date: Wed, 27 Jan 2016 11:52:15 +1100
-Subject: remove duplicate environment variables from environ
-
-If we see duplicate environment variables while iterating over
-environ[]:
-
-a) make sure we use the same value in %ENV that getenv() returns.
-
-Previously on a duplicate, %ENV would have the last entry for the name
-from environ[], but a typical getenv() would return the first entry.
-
-Rather than assuming all getenv() implementations return the first entry
-explicitly call getenv() to ensure they agree.
-
-b) remove duplicate entries from environ
-
-Previously if there was a duplicate definition for a name in environ[]
-setting that name in %ENV could result in an unsafe value being passed
-to a child process, so ensure environ[] has no duplicates.
-
-Patch-Name: fixes/CVE-2016-2381_duplicate_env.diff
----
- perl.c | 51 +++++++++++++++++++++++++++++++++++++++++++++++++--
- 1 file changed, 49 insertions(+), 2 deletions(-)
-
-diff --git a/perl.c b/perl.c
-index 67d32ce..26aeb91 100644
---- a/perl.c
-+++ b/perl.c
-@@ -4277,23 +4277,70 @@ S_init_postdump_symbols(pTHX_ int argc, char **argv, char **env)
- }
- if (env) {
- char *s, *old_var;
-+ STRLEN nlen;
- SV *sv;
-+ HV *dups = newHV();
-+
- for (; *env; env++) {
- old_var = *env;
-
- if (!(s = strchr(old_var,'=')) || s == old_var)
- continue;
-+ nlen = s - old_var;
-
- #if defined(MSDOS) && !defined(DJGPP)
- *s = '\0';
- (void)strupr(old_var);
- *s = '=';
- #endif
-- sv = newSVpv(s+1, 0);
-- (void)hv_store(hv, old_var, s - old_var, sv, 0);
-+ if (hv_exists(hv, old_var, nlen)) {
-+ const char *name = savepvn(old_var, nlen);
-+
-+ /* make sure we use the same value as getenv(), otherwise code that
-+ uses getenv() (like setlocale()) might see a different value to %ENV
-+ */
-+ sv = newSVpv(PerlEnv_getenv(name), 0);
-+
-+ /* keep a count of the dups of this name so we can de-dup environ later */
-+ if (hv_exists(dups, name, nlen))
-+ ++SvIVX(*hv_fetch(dups, name, nlen, 0));
-+ else
-+ (void)hv_store(dups, name, nlen, newSViv(1), 0);
-+
-+ Safefree(name);
-+ }
-+ else {
-+ sv = newSVpv(s+1, 0);
-+ }
-+ (void)hv_store(hv, old_var, nlen, sv, 0);
- if (env_is_not_environ)
- mg_set(sv);
- }
-+ if (HvKEYS(dups)) {
-+ /* environ has some duplicate definitions, remove them */
-+ HE *entry;
-+ hv_iterinit(dups);
-+ while ((entry = hv_iternext_flags(dups, 0))) {
-+ STRLEN nlen;
-+ const char *name = HePV(entry, nlen);
-+ IV count = SvIV(HeVAL(entry));
-+ IV i;
-+ SV **valp = hv_fetch(hv, name, nlen, 0);
-+
-+ assert(valp);
-+
-+ /* try to remove any duplicate names, depending on the
-+ * implementation used in my_setenv() the iteration might
-+ * not be necessary, but let's be safe.
-+ */
-+ for (i = 0; i < count; ++i)
-+ my_setenv(name, 0);
-+
-+ /* and set it back to the value we set $ENV{name} to */
-+ my_setenv(name, SvPV_nolen(*valp));
-+ }
-+ }
-+ SvREFCNT_dec_NN(dups);
- }
- #endif /* USE_ENVIRON_ARRAY */
- #endif /* !PERL_MICRO */
diff --git a/gnu/packages/patches/perl-no-build-time.patch b/gnu/packages/patches/perl-no-build-time.patch
deleted file mode 100644
index 5d78e8f462..0000000000
--- a/gnu/packages/patches/perl-no-build-time.patch
+++ /dev/null
@@ -1,26 +0,0 @@
-Do not record the configuration and build time so that builds can be
-reproduced bit-for-bit.
-
---- perl-5.22.0/Configure 1970-01-01 01:00:00.000000000 +0100
-+++ perl-5.22.0/Configure 2015-12-13 00:14:43.148165080 +0100
-@@ -3834,6 +3817,7 @@ esac
-
- : who configured the system
- cf_time=`LC_ALL=C; LANGUAGE=C; export LC_ALL; export LANGUAGE; $date 2>&1`
-+cf_time='Thu Jan 1 00:00:01 UTC 1970'
- case "$cf_by" in
- "")
- cf_by=`(logname) 2>/dev/null`
-
---- perl-5.22.0/perl.c 2015-12-13 00:25:30.269156627 +0100
-+++ perl-5.22.0/perl.c 2015-12-13 00:25:38.265218175 +0100
-@@ -1795,7 +1795,7 @@ S_Internals_V(pTHX_ CV *cv)
- PUSHs(Perl_newSVpvn_flags(aTHX_ non_bincompat_options,
- sizeof(non_bincompat_options) - 1, SVs_TEMP));
-
--#ifdef __DATE__
-+#if 0
- # ifdef __TIME__
- PUSHs(Perl_newSVpvn_flags(aTHX_
- STR_WITH_LEN("Compiled at " __DATE__ " " __TIME__),
-
diff --git a/gnu/packages/patches/perl-reproducible-build-date.patch b/gnu/packages/patches/perl-reproducible-build-date.patch
new file mode 100644
index 0000000000..d5bd25dbfb
--- /dev/null
+++ b/gnu/packages/patches/perl-reproducible-build-date.patch
@@ -0,0 +1,17 @@
+Don't encode the current timestamp.
+
+This affects the output of `perl -V`, specifically the message "Compiled
+at [...]".
+
+diff --git a/perl.c b/perl.c
+index 228a0d8..ed38313 100644
+--- a/perl.c
++++ b/perl.c
+@@ -1825,6 +1825,7 @@ S_Internals_V(pTHX_ CV *cv)
+ PUSHs(Perl_newSVpvn_flags(aTHX_ non_bincompat_options,
+ sizeof(non_bincompat_options) - 1, SVs_TEMP));
+
++#define PERL_BUILD_DATE "Jan 1 1970 00:00:00"
+ #ifndef PERL_BUILD_DATE
+ # ifdef __DATE__
+ # ifdef __TIME__
diff --git a/gnu/packages/patches/perl-source-date-epoch.patch b/gnu/packages/patches/perl-source-date-epoch.patch
deleted file mode 100644
index 37330c9537..0000000000
--- a/gnu/packages/patches/perl-source-date-epoch.patch
+++ /dev/null
@@ -1,19 +0,0 @@
-Adapted from <https://bugs.debian.org/801621>.
-Make Pod::Man honor the SOURCE_DATE_EPOCH environment variable.
-
---- perl-5.22.0/cpan/podlators/lib/Pod/Man.pm 2015-12-12 22:33:03.321787590 +0100
-+++ perl-5.22.0/cpan/podlators/lib/Pod/Man.pm 2015-12-12 22:36:33.367361338 +0100
-@@ -884,7 +884,12 @@ sub devise_date {
- my ($self) = @_;
- my $input = $self->source_filename;
- my $time;
-- if ($input) {
-+
-+ if (defined($ENV{SOURCE_DATE_EPOCH}) &&
-+ $ENV{SOURCE_DATE_EPOCH} !~ /\D/) {
-+ $time = $ENV{SOURCE_DATE_EPOCH};
-+ }
-+ elsif ($input) {
- $time = (stat $input)[9] || time;
- } else {
- $time = time;
diff --git a/gnu/packages/perl.scm b/gnu/packages/perl.scm
index aef92f4b79..0a26e51dfc 100644
--- a/gnu/packages/perl.scm
+++ b/gnu/packages/perl.scm
@@ -44,22 +44,19 @@
;; Yeah, Perl... It is required early in the bootstrap process by Linux.
(package
(name "perl")
- (version "5.22.1")
+ (version "5.24.0")
(source (origin
(method url-fetch)
(uri (string-append "http://www.cpan.org/src/5.0/perl-"
version ".tar.gz"))
(sha256
(base32
- "09wg24w5syyafyv87l6z8pxwz4bjgcdj996bx5844k6m9445sirb"))
+ "00jj8zr8fnihrxxhl8h936ssczv5x86qb618yz1ig40d1rp0qhvy"))
(patches (search-patches
"perl-no-sys-dirs.patch"
"perl-autosplit-default-time.patch"
- "perl-source-date-epoch.patch"
"perl-deterministic-ordering.patch"
- "perl-no-build-time.patch"
- "perl-CVE-2015-8607.patch"
- "perl-CVE-2016-2381.patch"))))
+ "perl-reproducible-build-date.patch"))))
(build-system gnu-build-system)
(arguments
'(#:tests? #f