diff --git a/SOURCES/Socket-2.029-inet_aton-Use-getaddrinfo-if-possible.patch b/SOURCES/Socket-2.029-inet_aton-Use-getaddrinfo-if-possible.patch
new file mode 100644
index 0000000..124152b
--- /dev/null
+++ b/SOURCES/Socket-2.029-inet_aton-Use-getaddrinfo-if-possible.patch
@@ -0,0 +1,66 @@
+From 0be99f8799e90eaed4e8eeb7d5be7de81dd71360 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?=
+Date: Thu, 11 Apr 2019 18:17:16 +0200
+Subject: [PATCH] inet_aton: Use getaddrinfo() if possible
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Socket::inet_aton() used gethostbyname() to process arguments that are
+not an IP addres. However, gethostbyname() is not thread-safe and when
+called from multiple threads a bogus value can be returned.
+
+This patch does add any new test because a basic inet_aton() usage is
+already covered and because reproducing the thread failure would
+require flodding DNS servers with thousounds of request.
+
+
+
+
+Signed-off-by: Petr Písař
+---
+ Socket.xs | 16 +++++++++++++++-
+ 1 file changed, 15 insertions(+), 1 deletion(-)
+
+diff --git a/Socket.xs b/Socket.xs
+index e46c93e..65244dd 100644
+--- a/Socket.xs
++++ b/Socket.xs
+@@ -764,19 +764,33 @@ inet_aton(host)
+ char * host
+ CODE:
+ {
++#ifdef HAS_GETADDRINFO
++ struct addrinfo *res;
++ struct addrinfo hints = {0,};
++ hints.ai_family = AF_INET;
++ if (!getaddrinfo(host, NULL, &hints, &res)) {
++ ST(0) = sv_2mortal(newSVpvn(
++ (char *)&(((struct sockaddr_in *)res->ai_addr)->sin_addr.s_addr),
++ 4
++ ));
++ freeaddrinfo(res);
++ XSRETURN(1);
++ }
++#else
+ struct in_addr ip_address;
+ struct hostent * phe;
+-
+ if ((*host != '\0') && inet_aton(host, &ip_address)) {
+ ST(0) = sv_2mortal(newSVpvn((char *)&ip_address, sizeof(ip_address)));
+ XSRETURN(1);
+ }
+ #ifdef HAS_GETHOSTBYNAME
++ /* gethostbyname is not thread-safe */
+ phe = gethostbyname(host);
+ if (phe && phe->h_addrtype == AF_INET && phe->h_length == 4) {
+ ST(0) = sv_2mortal(newSVpvn((char *)phe->h_addr, phe->h_length));
+ XSRETURN(1);
+ }
++#endif
+ #endif
+ XSRETURN_UNDEF;
+ }
+--
+2.20.1
+
diff --git a/SPECS/perl-Socket.spec b/SPECS/perl-Socket.spec
index ea76234..88eb39f 100644
--- a/SPECS/perl-Socket.spec
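Review bot: In the `HAS_GETADDRINFO` branch of the embedded Socket.xs patch, `res->ai_addr` is cast to `struct sockaddr_in *` and a literal `4` bytes are copied without any check on what the resolver returned. The gethostbyname() fallback further down does verify `h_addrtype == AF_INET` and `h_length == 4` before copying. I would check `res->ai_family` and `res->ai_addrlen` before the cast, size the copy with `sizeof` on the `sin_addr` member, and make sure `freeaddrinfo(res)` also runs on the rejected path, as sketched below. Separately, with `HAS_GETADDRINFO` defined the `*host != '\0'` guard and the inet_aton() numeric fast path are no longer compiled, so empty and legacy numeric inputs are presumably now decided by the platform's getaddrinfo(); a test pinning the expected result for those inputs would document that.

```c
	if (!getaddrinfo(host, NULL, &hints, &res)) {
		/* Validate the resolver's answer before reinterpreting it. */
		if (res->ai_family == AF_INET
		    && res->ai_addrlen >= sizeof(struct sockaddr_in)) {
			struct sockaddr_in *sa4 = (struct sockaddr_in *)res->ai_addr;
			ST(0) = sv_2mortal(newSVpvn(
				(char *)&sa4->sin_addr, sizeof(sa4->sin_addr)));
			freeaddrinfo(res);
			XSRETURN(1);
		}
		freeaddrinfo(res);
	}
	/* … unchanged: #else branch with inet_aton()/gethostbyname() … */
```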
+++ b/SPECS/perl-Socket.spec @@ -1,11 +1,13 @@ Name: perl-Socket Epoch: 4 Version: 2.027 -Release: 2%{?dist} +Release: 4%{?dist} Summary: Networking constants and support functions License: GPL+ or Artistic URL: http://search.cpan.org/dist/Socket/ Source0: http://search.cpan.org/CPAN/authors/id/P/PE/PEVANS/Socket-%{version}.tar.gz +# Make Socket::inet_aton() thread safe, CPAN RT#129189, bug #1699958 +Patch0: Socket-2.029-inet_aton-Use-getaddrinfo-if-possible.patch BuildRequires: findutils BuildRequires: gcc BuildRequires: make @@ -42,6 +44,7 @@ human-readable and native binary forms, and for hostname resolver operations. %prep %setup -q -n Socket-%{version} +%patch0 -p1 %build perl Makefile.PL INSTALLDIRS=vendor NO_PACKLIST=1 OPTIMIZE="$RPM_OPT_FLAGS" @@ -63,6 +66,12 @@ make test %{_mandir}/man3/* %changelog +* Mon Apr 15 2019 Petr Pisar - 4:2.027-4 +- Make Socket::inet_aton() thread safe (bug #1699958) + +* Fri Mar 29 2019 Jitka Plesnikova - 4:2.027-3 +- Rebuild with enable hardening (bug #1636329) + * Fri Feb 09 2018 Fedora Release Engineering - 4:2.027-2 - Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild