diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..96a1a5d
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+SOURCES/Storable-3.15.tar.gz
diff --git a/.perl-Storable.metadata b/.perl-Storable.metadata
new file mode 100644
index 0000000..db4c03c
--- /dev/null
+++ b/.perl-Storable.metadata
@@ -0,0 +1 @@
+dfd5ef17f9cdca7c246a90cbde7948e4c0168670 SOURCES/Storable-3.15.tar.gz
diff --git a/SOURCES/Storable-3.15-perl-134179-include-regexps-in-the-seen-objects-tabl.patch b/SOURCES/Storable-3.15-perl-134179-include-regexps-in-the-seen-objects-tabl.patch
new file mode 100644
index 0000000..a4660d8
--- /dev/null
+++ b/SOURCES/Storable-3.15-perl-134179-include-regexps-in-the-seen-objects-tabl.patch
@@ -0,0 +1,92 @@ +From 16f2ddb794883529d5a3ad8326974a07aae7e567 Mon Sep 17 00:00:00 2001 +From: Tony Cook +Date: Mon, 10 Jun 2019 10:17:20 +1000 +Subject: [PATCH] (perl #134179) include regexps in the seen objects table on + retrieve +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Also, bless the regexp object, so freezing/thawing bless qr//, "Foo" +returns a "Foo" blesses regexp. + +Signed-off-by: Petr Písař +--- + dist/Storable/Storable.xs | 5 +++-- + dist/Storable/t/regexp.t | 4 +++- + dist/Storable/t/weak.t | 10 +++++++++- + 3 files changed, 15 insertions(+), 4 deletions(-) + +diff --git a/dist/Storable/Storable.xs b/dist/Storable/Storable.xs +index ed729c94a6..6a45d8adf2 100644 +--- a/dist/Storable/Storable.xs ++++ b/dist/Storable/Storable.xs +@@ -6808,8 +6808,7 @@ static SV *retrieve_regexp(pTHX_ stcxt_t *cxt, const char *cname) { + SV *sv; + dSP; + I32 count; +- +- PERL_UNUSED_ARG(cname); ++ HV *stash; + + ENTER; + SAVETMPS; +@@ -6857,6 +6856,8 @@ static SV *retrieve_regexp(pTHX_ stcxt_t *cxt, const char *cname) { + + sv = SvRV(re_ref); + SvREFCNT_inc(sv); ++ stash = cname ? 
gv_stashpv(cname, GV_ADD) : 0; ++ SEEN_NN(sv, stash, 0); + + FREETMPS; + LEAVE; +diff --git a/dist/Storable/t/regexp.t b/dist/Storable/t/regexp.t +index acf28cfec6..e7c6c7e94a 100644 +--- a/dist/Storable/t/regexp.t ++++ b/dist/Storable/t/regexp.t +@@ -37,7 +37,7 @@ while () { + } + } + +-plan tests => 9 + 3*scalar(@tests); ++plan tests => 10 + 3*scalar(@tests); + + SKIP: + { +@@ -75,6 +75,8 @@ SKIP: + ok(!eval { dclone($re) }, "should fail to clone, even with use re 'eval'"); + } + ++is(ref(dclone(bless qr//, "Foo")), "Foo", "check reblessed regexps"); ++ + for my $test (@tests) { + my ($code, $not, $match, $matchc, $name) = @$test; + my $qr = eval $code; +diff --git a/dist/Storable/t/weak.t b/dist/Storable/t/weak.t +index 220c70160f..48752fbec4 100644 +--- a/dist/Storable/t/weak.t ++++ b/dist/Storable/t/weak.t +@@ -29,7 +29,7 @@ sub BEGIN { + } + + use Test::More 'no_plan'; +-use Storable qw (store retrieve freeze thaw nstore nfreeze); ++use Storable qw (store retrieve freeze thaw nstore nfreeze dclone); + require 'testlib.pl'; + our $file; + use strict; +@@ -143,3 +143,11 @@ foreach (@tests) { + $stored = nfreeze $input; + tester($stored, \&freeze_and_thaw, $testsub, 'network string'); + } ++ ++{ ++ # [perl #134179] sv_upgrade from type 7 down to type 1 ++ my $foo = [qr//,[]]; ++ weaken($foo->[1][0][0] = $foo->[1]); ++ my $out = dclone($foo); # croaked here ++ is_deeply($out, $foo, "check they match"); ++} +-- +2.20.1 + diff --git a/SOURCES/Storable-3.16-Storable-make-count-large-enough.patch b/SOURCES/Storable-3.16-Storable-make-count-large-enough.patch new file mode 100644 index 0000000..b2b5b40 --- /dev/null +++ b/SOURCES/Storable-3.16-Storable-make-count-large-enough.patch 
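Review bot: In `retrieve_regexp`, the added `SEEN_NN(sv, stash, 0);` sits between `SAVETMPS` and `FREETMPS; LEAVE;`, so any early exit inside that macro would skip the scope cleanup. SEEN_NN is defined outside this hunk; if it returns from the function when the seen-table store fails, as the SEEN helpers in Storable.xs appear to, the temporaries and scope stack stay unbalanced on that path. Moving the two added lines below `LEAVE;` avoids this, since `sv` already holds its own reference from `SvREFCNT_inc(sv)`. Separately, `cname` appears to come from the frozen data, and `gv_stashpv(cname, GV_ADD)` creates the package when it does not exist, so a comment such as `/* cname is read from the stream; GV_ADD creates the stash on demand */` would help anyone auditing the untrusted-input paths. The function body starts and ends outside the hunk.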
@@ -0,0 +1,53 @@ +From f7724052d1b8b75339f5ec2cc3d5b35ca5d130b5 Mon Sep 17 00:00:00 2001 +From: Tony Cook +Date: Wed, 7 Aug 2019 11:13:53 +1000 +Subject: [PATCH] Storable: make count large enough +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +AvARRAY() could be very large, and we check for that at line 3807, +but int was (potentially) too small to make that comparison +meaningful. + +CID 174681. + +Signed-off-by: Petr Písař +--- + dist/Storable/Storable.xs | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/dist/Storable/Storable.xs b/dist/Storable/Storable.xs +index 6a45d8adf2..d75125b839 100644 +--- a/dist/Storable/Storable.xs ++++ b/dist/Storable/Storable.xs +@@ -3662,7 +3662,7 @@ static int store_hook( + SV *ref; + AV *av; + SV **ary; +- int count; /* really len3 + 1 */ ++ IV count; /* really len3 + 1 */ + unsigned char flags; + char *pv; + int i; +@@ -3752,7 +3752,7 @@ static int store_hook( + SvREFCNT_dec(ref); /* Reclaim temporary reference */ + + count = AvFILLp(av) + 1; +- TRACEME(("store_hook, array holds %d items", count)); ++ TRACEME(("store_hook, array holds %" IVdf " items", count)); + + /* + * If they return an empty list, it means they wish to ignore the +@@ -3986,7 +3986,7 @@ static int store_hook( + */ + + TRACEME(("SX_HOOK (recursed=%d) flags=0x%x " +- "class=%" IVdf " len=%" IVdf " len2=%" IVdf " len3=%d", ++ "class=%" IVdf " len=%" IVdf " len2=%" IVdf " len3=%" IVdf, + recursed, flags, (IV)classnum, (IV)len, (IV)len2, count-1)); + + /* SX_HOOK [] */ +-- +2.20.1 + diff --git a/SOURCES/perl-5.31.6-disallow-vstring-magic-strings-over-2GB-1.patch b/SOURCES/perl-5.31.6-disallow-vstring-magic-strings-over-2GB-1.patch new file mode 100644 index 0000000..e3e9819 --- /dev/null +++ b/SOURCES/perl-5.31.6-disallow-vstring-magic-strings-over-2GB-1.patch 
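Review bot: In `store_hook`, `count` is widened to `IV`, but the context line `int i;` shows the index declared beside it is still `int`. If `i` walks the returned array up to `count` (that loop is outside this hunk), the comparison mixes widths and relies entirely on the range check the commit message mentions running first. Either declare `i` with the same type or state the ordering where `count` is assigned, e.g. `/* count is range-checked below before i indexes ary[] */`.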
@@ -0,0 +1,67 @@ +From ea1e86cfdf26a330e58ea377a80273de7110011b Mon Sep 17 00:00:00 2001 +From: Tony Cook +Date: Wed, 21 Aug 2019 11:37:58 +1000 +Subject: [PATCH] disallow vstring magic strings over 2GB-1 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +On reads this could result in buffer overflows, so avoid writing +such large vstrings to avoid causing problems for older Storable. + +Since we no longer write such large vstrings, we don't want to accept +them. + +I doubt that restricting versions strings to under 2GB-1 will have +a practical effect on downstream users. + +fixes #17306 + +Signed-off-by: Petr Písař +--- + dist/Storable/Storable.xs | 19 ++++++++++++++++--- + 1 file changed, 16 insertions(+), 3 deletions(-) + +diff --git a/dist/Storable/Storable.xs b/dist/Storable/Storable.xs +index c2335680ab..d27ac58012 100644 +--- a/dist/Storable/Storable.xs ++++ b/dist/Storable/Storable.xs +@@ -2628,6 +2628,12 @@ static int store_scalar(pTHX_ stcxt_t *cxt, SV *sv) + /* The macro passes this by address, not value, and a lot of + called code assumes that it's 32 bits without checking. */ + const SSize_t len = mg->mg_len; ++ /* we no longer accept vstrings over I32_SIZE-1, so don't emit ++ them, also, older Storables handle them badly. ++ */ ++ if (len >= I32_MAX) { ++ CROAK(("vstring too large to freeze")); ++ } + STORE_PV_LEN((const char *)mg->mg_ptr, + len, SX_VSTRING, SX_LVSTRING); + } +@@ -5937,12 +5943,19 @@ static SV *retrieve_lvstring(pTHX_ stcxt_t *cxt, const char *cname) + { + #ifdef SvVOK + char *s; +- I32 len; ++ U32 len; + SV *sv; + + RLEN(len); +- TRACEME(("retrieve_lvstring (#%d), len = %" IVdf, +- (int)cxt->tagnum, (IV)len)); ++ TRACEME(("retrieve_lvstring (#%d), len = %" UVuf, ++ (int)cxt->tagnum, (UV)len)); ++ ++ /* Since we'll no longer produce such large vstrings, reject them ++ here too. 
++ */ ++ if (len >= I32_MAX) { ++ CROAK(("vstring too large to fetch")); ++ } + + New(10003, s, len+1, char); + SAFEPVREAD(s, len, s); +-- +2.21.0 + diff --git a/SPECS/perl-Storable.spec b/SPECS/perl-Storable.spec new file mode 100644 index 0000000..e0aaa8f --- /dev/null +++ b/SPECS/perl-Storable.spec 
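Review bot: The comment added in `store_scalar` names `I32_SIZE-1`, but the guard beneath it tests `len >= I32_MAX`; the comment should state the same limit, e.g. `/* vstrings of I32_MAX bytes or more are rejected on retrieve, so refuse to emit them */`. In `retrieve_lvstring` the length is read from the stream, and `New(10003, s, len+1, char)` can still request close to 2 GB before `SAFEPVREAD` has confirmed that much data is present; whether `s` is released on a short read depends on `SAFEPVREAD`, which is defined outside the hunk. The diffstat lists only `Storable.xs`, so neither new CROAK path has a regression test; a retrieve-side case under `t/` would pin the rejection. Both function bodies continue outside the hunk.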
@@ -0,0 +1,225 @@ +Name: perl-Storable +Epoch: 1 +Version: 3.15 +Release: 442%{?dist} +Summary: Persistence for Perl data structures +# __Storable__.pm: GPL+ or Artistic +License: GPL+ or Artistic +URL: https://metacpan.org/release/Storable +Source0: https://cpan.metacpan.org/authors/id/X/XS/XSAWYERX/Storable-%{version}.tar.gz +# Fix deep cloning regular expression objects, RT#134179, +# in Perl upstream after 5.31.0 +Patch0: Storable-3.15-perl-134179-include-regexps-in-the-seen-objects-tabl.patch +# Fix array length check in a store hook, in Perl upstream after 5.31.2 +Patch1: Storable-3.16-Storable-make-count-large-enough.patch +# Fix a buffer overflow when processing a vstring longer than 2^31-1, +# Perl GH#17306, in perl upstream after 5.31.6 +Patch2: perl-5.31.6-disallow-vstring-magic-strings-over-2GB-1.patch +BuildRequires: gcc +BuildRequires: make +BuildRequires: perl-devel +BuildRequires: perl-generators +BuildRequires: perl-interpreter +BuildRequires: perl(Config) +BuildRequires: perl(Cwd) +BuildRequires: perl(ExtUtils::MakeMaker) >= 6.76 +BuildRequires: perl(File::Copy) +BuildRequires: perl(File::Spec) >= 0.8 +BuildRequires: perl(strict) +BuildRequires: perl(warnings) +# Win32 not used on Linux +# Win32API::File not used on Linux +# Run-time: +BuildRequires: perl(Carp) +BuildRequires: perl(Exporter) +# Fcntl is optional, but locking is good +BuildRequires: perl(Fcntl) +BuildRequires: perl(IO::File) +# Log::Agent is optional +BuildRequires: perl(XSLoader) +# Tests: +BuildRequires: perl(base) +BuildRequires: perl(bytes) +BuildRequires: perl(File::Temp) +BuildRequires: perl(integer) +BuildRequires: perl(overload) +BuildRequires: perl(utf8) +BuildRequires: perl(Test::More) +BuildRequires: perl(threads) +BuildRequires: perl(Safe) +BuildRequires: perl(Scalar::Util) +BuildRequires: perl(Tie::Array) +# Optional tests: +# gzip not used +# Data::Dump not used +# Data::Dumper not used +BuildRequires: perl(B::Deparse) >= 0.61 +BuildRequires: perl(Digest::MD5) 
+BuildRequires: perl(Hash::Util) +# Test::LeakTrace omitted because it's not a core module requried for building +# core Storable. +BuildRequires: perl(Tie::Hash) +Requires: perl(:MODULE_COMPAT_%(eval "`perl -V:version`"; echo $version)) +Requires: perl(Config) +# Fcntl is optional, but locking is good +Requires: perl(Fcntl) +Requires: perl(IO::File) + +%{?perl_default_filter} + +%description +The Storable package brings persistence to your Perl data structures +containing scalar, array, hash or reference objects, i.e. anything that +can be conveniently stored to disk and retrieved at a later time. + +%prep +%setup -q -n Storable-%{version} +%patch0 -p3 +%patch1 -p3 +%patch2 -p3 + +%build +perl Makefile.PL INSTALLDIRS=vendor NO_PACKLIST=1 NO_PERLLOCAL=1 OPTIMIZE="$RPM_OPT_FLAGS" +%{make_build} + +%install +%{make_install} +find $RPM_BUILD_ROOT -type f -name '*.bs' -size 0 -delete +find $RPM_BUILD_ROOT -type f -name '*.3pm' -size 0 -delete +%{_fixperms} $RPM_BUILD_ROOT/* + +%check +unset PERL_CORE PERL_TEST_MEMORY PERL_RUN_SLOW_TESTS +make test + +%files +%doc ChangeLog README +%{perl_vendorarch}/auto/* +%{perl_vendorarch}/Storable* +%{_mandir}/man3/* + +%changelog +* Mon Nov 25 2019 Petr Pisar - 1:3.15-442 +- Fix a buffer overflow when processing a vstring longer than 2^31-1 + (Perl GH#17306) + +* Thu Aug 08 2019 Petr Pisar - 1:3.15-441 +- Fix array length check in a store hook + +* Fri Jul 26 2019 Fedora Release Engineering - 1:3.15-440 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild + +* Tue Jun 11 2019 Petr Pisar - 1:3.15-439 +- Fix deep cloning regular expression objects (RT#134179) + +* Thu May 30 2019 Jitka Plesnikova - 1:3.15-438 +- Increase release to favour standalone package + +* Wed Apr 24 2019 Petr Pisar - 1:3.15-1 +- 3.15 bump + +* Sat Feb 02 2019 Fedora Release Engineering - 1:3.11-7 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild + +* Mon Jan 07 2019 Petr Pisar - 1:3.11-6 +- Storable-3.11 source archive 
repackaged without a t/CVE-2015-1592.inc file + (RT#133706) + +* Mon Aug 27 2018 Petr Pisar - 1:3.11-5 +- Fix recursion check (RT#133326) + +* Fri Jul 13 2018 Fedora Release Engineering - 1:3.11-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild + +* Tue Jun 26 2018 Jitka Plesnikova - 1:3.11-3 +- Perl 5.28 rebuild + +* Tue Jun 05 2018 Petr Pisar - 1:3.11-2 +- Do not package empty Storable::Limit(3pm) manual page + +* Mon Apr 30 2018 Petr Pisar - 1:3.11-1 +- 3.11 bump + +* Mon Apr 23 2018 Petr Pisar - 1:3.09-1 +- 3.09 bump + +* Thu Apr 19 2018 Petr Pisar - 1:3.06-1 +- 3.06 bump + +* Fri Feb 09 2018 Fedora Release Engineering - 1:2.62-396 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild + +* Thu Aug 03 2017 Fedora Release Engineering - 1:2.62-395 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild + +* Thu Jul 27 2017 Fedora Release Engineering - 1:2.62-394 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild + +* Sat Jun 03 2017 Jitka Plesnikova - 1:2.62-393 +- Perl 5.26 rebuild + +* Thu May 11 2017 Petr Pisar - 1:2.62-1 +- Upgrade to 2.62 as provided in perl-5.25.12 + +* Mon Feb 06 2017 Petr Pisar - 1:2.56-368 +- Fix a stack buffer overflow in deserialization of hooks (RT#130635) +- Fix a memory leak of a class name from retrieve_hook() on an exception + (RT#130635) + +* Tue Dec 20 2016 Petr Pisar - 1:2.56-367 +- Fix crash in Storable when deserializing malformed code reference + (RT#68348, RT#130098) + +* Wed Aug 03 2016 Jitka Plesnikova - 1:2.56-366 +- Avoid loading optional modules from default . 
(CVE-2016-1238) + +* Sat May 14 2016 Jitka Plesnikova - 1:2.56-365 +- Increase release to favour standalone package + +* Wed May 11 2016 Jitka Plesnikova - 2.56-1 +- 2.56 bump in order to dual-live with perl 5.24 + +* Thu Feb 04 2016 Fedora Release Engineering - 1:2.53-347 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild + +* Thu Jun 18 2015 Fedora Release Engineering - 1:2.53-346 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild + +* Thu Jun 04 2015 Jitka Plesnikova - 1:2.53-345 +- Increase release to favour standalone package + +* Wed Jun 03 2015 Jitka Plesnikova - 1:2.53-2 +- Perl 5.22 rebuild + +* Wed May 06 2015 Petr Pisar - 1:2.53-1 +- 2.53 bump in order to dual-live with perl 5.22 + +* Wed Sep 03 2014 Jitka Plesnikova - 1:2.51-4 +- Increase Epoch to favour standalone package + +* Tue Aug 26 2014 Jitka Plesnikova - 2.51-3 +- Perl 5.20 rebuild + +* Sun Aug 17 2014 Fedora Release Engineering - 2.51-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild + +* Mon Jul 07 2014 Petr Pisar - 2.51-1 +- 2.51 bump + +* Sat Jun 07 2014 Fedora Release Engineering - 2.45-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild + +* Sun Aug 04 2013 Fedora Release Engineering - 2.45-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild + +* Mon Jul 15 2013 Petr Pisar - 2.45-1 +- 2.45 bump + +* Fri Jul 12 2013 Petr Pisar - 2.39-3 +- Link minimal build-root packages against libperl.so explicitly + +* Tue Jun 11 2013 Petr Pisar - 2.39-2 +- Do not export private libraries + +* Fri May 24 2013 Petr Pisar 2.39-1 +- Specfile autogenerated by cpanspec 1.78.