diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..96a1a5d
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+SOURCES/Storable-3.15.tar.gz
diff --git a/.perl-Storable.metadata b/.perl-Storable.metadata
new file mode 100644
index 0000000..db4c03c
--- /dev/null
+++ b/.perl-Storable.metadata
@@ -0,0 +1 @@
+dfd5ef17f9cdca7c246a90cbde7948e4c0168670 SOURCES/Storable-3.15.tar.gz
diff --git a/SOURCES/Storable-3.15-Upgrade-to-3.21.patch b/SOURCES/Storable-3.15-Upgrade-to-3.21.patch
new file mode 100644
index 0000000..4cdf10f
--- /dev/null
+++ b/SOURCES/Storable-3.15-Upgrade-to-3.21.patch
@@ -0,0 +1,476 @@ +From 0452589669aed9ad06940de7c1620b340608868a Mon Sep 17 00:00:00 2001 +From: Jitka Plesnikova +Date: Mon, 1 Jun 2020 12:58:11 +0200 +Subject: [PATCH] Upgrade to 3.21 + +--- + ChangeLog | 33 ++++++++++++++++++- + MANIFEST | 3 +- + Makefile.PL | 59 +++++++++++++--------------------- + __Storable__.pm => Storable.pm | 23 +++++++------ + Storable.pm.PL | 35 -------------------- + Storable.xs | 20 ++++++++---- + stacksize | 2 +- + t/attach_errors.t | 2 +- + t/huge.t | 4 +-- + t/recurse.t | 4 +-- + t/regexp.t | 8 ++--- + 11 files changed, 93 insertions(+), 100 deletions(-) + rename __Storable__.pm => Storable.pm (99%) + delete mode 100644 Storable.pm.PL + +diff --git a/ChangeLog b/ChangeLog +index 0488199..bf35381 100644 +--- a/ChangeLog ++++ b/ChangeLog +@@ -1,3 +1,34 @@ ++2010-01-27 10:27:00 TonyC ++ version 3.20 ++ * fix a format string and arguments for some debugging text ++ * linkify references to alternatives to Storable ++ ++2020-01-27 11:01:00 TonyC ++ version 3.19 ++ * add casts to match some I32 parameters to "%d" formats (#17339) ++ * fix dependencies in Makefile.PL -> META (#17422) ++ * make use of note() optional, this requires a newer version of ++ Test::More and there's a circular dependency between later ++ versions of Test::More and Storable (#17422) ++ ++2019-11-19 07:59:39 TonyC ++ version 3.18 ++ * update bug tracker to point at github (#17298) ++ * disallow vstring magic strings over 2GB-1 (#17306) ++ * mark some ASCII dependent tests as ASCII platform only ++ ++2019-08-08 11:48:00 TonyC ++ version 3.17 ++ * correct a data type to ensure the check for too large results from ++ STORABLE_freeze() are detected correctly (detected by Coverity) ++ * removed remains of stack size detection from the build process. ++ * moved CAN_FLOCK detection into XS to simplify the build process. 
++ ++2019-06-11 10:43:00 TonyC ++ version 3.16 ++ * (perl #134179) fix self-referencing structures that include regexps ++ * bless regexps to preserve bless qr//, "Foo" ++ + 2019-04-23 16:00:00 xsawyerx + version 3.15 + * Fix leaking. +@@ -341,7 +372,7 @@ Sat Mar 13 20:11:03 GMT 2004 Nicholas Clark + Version 2.11 + + 1. Storing restricted hashes in canonical order would SEGV. Fixed. +- 2. It was impossible to retrieve references to PL_sv_no and and ++ 2. It was impossible to retrieve references to PL_sv_no and + PL_sv_undef from STORABLE_thaw hooks. + 3. restrict.t was failing on 5.8.0, due to 5.8.0's unique + implementation of restricted hashes using PL_sv_undef +diff --git a/MANIFEST b/MANIFEST +index d30b94e..5e382d9 100644 +--- a/MANIFEST ++++ b/MANIFEST +@@ -1,4 +1,3 @@ +-__Storable__.pm + ChangeLog + hints/gnukfreebsd.pl + hints/gnuknetbsd.pl +@@ -11,7 +10,7 @@ META.yml Module meta-data (added by MakeMaker) + ppport.h + README + stacksize +-Storable.pm.PL ++Storable.pm + Storable.xs + t/attach.t + t/attach_errors.t +diff --git a/Makefile.PL b/Makefile.PL +index 4a39125..e03e141 100644 +--- a/Makefile.PL ++++ b/Makefile.PL +@@ -10,43 +10,48 @@ use strict; + use warnings; + use ExtUtils::MakeMaker 6.31; + use Config; +-use File::Copy qw(move copy); +-use File::Spec; +- +-my $pm = { 'Storable.pm' => '$(INST_ARCHLIB)/Storable.pm' }; + + WriteMakefile( + NAME => 'Storable', + AUTHOR => 'Perl 5 Porters', + LICENSE => 'perl', + DISTNAME => "Storable", +-# We now ship this in t/ +-# PREREQ_PM => { 'Test::More' => '0.41' }, +- PL_FILES => { }, # prevent default behaviour +- PM => $pm, +- PREREQ_PM => { XSLoader => 0 }, ++ PREREQ_PM => ++ { ++ XSLoader => 0, ++ }, ++ ( $ExtUtils::MakeMaker::VERSION >= 6.64 ? ++ ( ++ CONFIGURE_REQUIRES => { ++ 'ExtUtils::MakeMaker' => '6.31', ++ }, ++ BUILD_REQUIRES => { ++ 'ExtUtils::MakeMaker' => '6.31', ++ }, ++ TEST_REQUIRES => { ++ 'Test::More' => '0.41', ++ }, ++ ) ++ : () ), + INSTALLDIRS => ($] >= 5.007 && $] < 5.012) ? 
'perl' : 'site', +- VERSION_FROM => '__Storable__.pm', +- ABSTRACT_FROM => '__Storable__.pm', ++ VERSION_FROM => 'Storable.pm', ++ ABSTRACT_FROM => 'Storable.pm', + ($ExtUtils::MakeMaker::VERSION > 6.45 ? + (META_MERGE => { resources => +- { bugtracker => 'http://rt.perl.org/perlbug/' }, ++ { bugtracker => 'https://github.com/Perl/perl5/issues' }, + provides => { + 'Storable' => { +- file => '__Storable__.pm', +- version => MM->parse_version('__Storable__.pm'), ++ file => 'Storable.pm', ++ version => MM->parse_version('Storable.pm'), + }, + }, + + }, + ) : ()), + dist => { SUFFIX => 'gz', COMPRESS => 'gzip -f' }, +- clean => { FILES => 'Storable-* Storable.pm lib' }, ++ clean => { FILES => 'Storable-*' }, + ); + +-# Unlink the .pm file included with the distribution +-1 while unlink "Storable.pm"; +- + my $ivtype = $Config{ivtype}; + + # I don't know if the VMS folks ever supported long long on 5.6.x +@@ -67,16 +72,8 @@ in the Storable documentation for instructions on how to read your data. + EOM + } + +-# compute the maximum stacksize, before and after linking + package MY; + +-# FORCE finish of INST_DYNAMIC, avoid loading the old Storable (failed XS_VERSION check) +-sub xlinkext { +- my $s = shift->SUPER::linkext(@_); +- $s =~ s|( :: .*)| $1 FORCE stacksize|; +- $s +-} +- + sub depend { + " + +@@ -87,13 +84,3 @@ release : dist + git push --tags + " + } +- +-sub postamble { +-' +-all :: Storable.pm +- $(NOECHO) $(NOOP) +- +-Storable.pm :: Storable.pm.PL __Storable__.pm +- $(PERLRUN) Storable.pm.PL +-' +-} +diff --git a/__Storable__.pm b/Storable.pm +similarity index 99% +rename from __Storable__.pm +rename to Storable.pm +index 9237371..1a750f1 100644 +--- a/__Storable__.pm ++++ b/Storable.pm +@@ -8,7 +8,7 @@ + # in the README file that comes with the distribution. 
+ # + +-require XSLoader; ++BEGIN { require XSLoader } + require Exporter; + package Storable; + +@@ -27,7 +27,9 @@ our @EXPORT_OK = qw( + + our ($canonical, $forgive_me); + +-our $VERSION = '3.15'; ++BEGIN { ++ our $VERSION = '3.21'; ++} + + our $recursion_limit; + our $recursion_limit_hash; +@@ -104,14 +106,12 @@ $Storable::flags = FLAGS_COMPAT; + $Storable::downgrade_restricted = 1; + $Storable::accept_future_minor = 1; + +-XSLoader::load('Storable'); ++BEGIN { XSLoader::load('Storable') }; + + # + # Determine whether locking is possible, but only when needed. + # + +-sub CAN_FLOCK; # TEMPLATE - replaced by Storable.pm.PL +- + sub show_file_magic { + print <>", $file) || logcroak "can't write into $file: $!"; +- unless (&CAN_FLOCK) { ++ unless (CAN_FLOCK) { + logcarp + "Storable::lock_store: fcntl/flock emulation broken on $^O"; + return undef; +@@ -410,7 +410,7 @@ sub _retrieve { + my $self; + my $da = $@; # Could be from exception handler + if ($use_locking) { +- unless (&CAN_FLOCK) { ++ unless (CAN_FLOCK) { + logcarp + "Storable::lock_store: fcntl/flock emulation broken on $^O"; + return undef; +@@ -986,6 +986,9 @@ modifying C<$Storable::recursion_limit> and + C<$Storable::recursion_limit_hash> respectively. Either can be set to + C<-1> to prevent any depth checks, though this isn't recommended. + ++If you want to test what the limits are, the F tool is ++included in the C distribution. ++ + =item * + + You can create endless loops if the things you serialize via freeze() +@@ -1224,9 +1227,9 @@ See CVE-2015-1592 and its metasploit module. + If your application requires accepting data from untrusted sources, + you are best off with a less powerful and more-likely safe + serialization format and implementation. If your data is sufficiently +-simple, Cpanel::JSON::XS, Data::MessagePack or Serial are the best +-choices and offers maximum interoperability, but note that Serial is +-unsafe by default. 
++simple, L, L or L are the best ++choices and offer maximum interoperability, but note that Sereal is ++L. + + =head1 WARNING + +diff --git a/Storable.pm.PL b/Storable.pm.PL +deleted file mode 100644 +index df979c0..0000000 +--- a/Storable.pm.PL ++++ /dev/null +@@ -1,35 +0,0 @@ +-use strict; +-use warnings; +- +-use Config; +- +-my $template; +-{ # keep all the code in an external template to keep it easy to update +- local $/; +- open my $FROM, '<', '__Storable__.pm' or die $!; +- $template = <$FROM>; +- close $FROM or die $!; +-} +- +-sub CAN_FLOCK { +- return +- $Config{'d_flock'} || +- $Config{'d_fcntl_can_lock'} || +- $Config{'d_lockf'} +- ? 1 : 0; +-} +- +-my $CAN_FLOCK = CAN_FLOCK(); +- +-# populate the sub and preserve it if used outside +-$template =~ s{^sub CAN_FLOCK;.*$}{sub CAN_FLOCK { ${CAN_FLOCK} } # computed by Storable.pm.PL}m; +-# alternatively we could remove the sub +-#$template =~ s{^sub CAN_FLOCK;.*$}{}m; +-# replace local function calls to hardcoded value +-$template =~ s{&CAN_FLOCK}{${CAN_FLOCK}}g; +- +-{ +- open my $OUT, '>', 'Storable.pm' or die $!; +- print {$OUT} $template or die $!; +- close $OUT or die $!; +-} +diff --git a/Storable.xs b/Storable.xs +index e1f0b88..4c4c268 100644 +--- a/Storable.xs ++++ b/Storable.xs +@@ -104,6 +104,12 @@ + # define strEQc(s,c) memEQ(s, ("" c ""), sizeof(c)) + #endif + ++#if defined(HAS_FLOCK) || defined(FCNTL_CAN_LOCK) && defined(HAS_LOCKF) ++#define CAN_FLOCK &PL_sv_yes ++#else ++#define CAN_FLOCK &PL_sv_no ++#endif ++ + #ifdef DEBUGME + + #ifndef DASSERT +@@ -726,8 +732,8 @@ static stcxt_t *Context_ptr = NULL; + STRLEN nsz = (STRLEN) round_mgrow((x)+msiz); \ + STRLEN offset = mptr - mbase; \ + ASSERT(!cxt->membuf_ro, ("mbase is not read-only")); \ +- TRACEME(("** extending mbase from %ld to %ld bytes (wants %ld new)", \ +- (long)msiz, nsz, (long)(x))); \ ++ TRACEME(("** extending mbase from %lu to %lu bytes (wants %lu new)", \ ++ (unsigned long)msiz, (unsigned long)nsz, (unsigned long)(x))); \ + 
Renew(mbase, nsz, char); \ + msiz = nsz; \ + mptr = mbase + offset; \ +@@ -3085,7 +3091,7 @@ static int store_hash(pTHX_ stcxt_t *cxt, HV *hv) + len = HEK_LEN(hek); + if (len == HEf_SVKEY) { + /* This is somewhat sick, but the internal APIs are +- * such that XS code could put one of these in in ++ * such that XS code could put one of these in + * a regular hash. + * Maybe we should be capable of storing one if + * found. +@@ -3437,7 +3443,7 @@ static int get_regexp(pTHX_ stcxt_t *cxt, SV* sv, SV **re, SV **flags) { + count = call_sv((SV*)cv, G_ARRAY); + SPAGAIN; + if (count < 2) +- CROAK(("re::regexp_pattern returned only %d results", count)); ++ CROAK(("re::regexp_pattern returned only %d results", (int)count)); + *flags = POPs; + SvREFCNT_inc(*flags); + *re = POPs; +@@ -5952,7 +5958,7 @@ static SV *retrieve_lvstring(pTHX_ stcxt_t *cxt, const char *cname) + } + + New(10003, s, len+1, char); +- SAFEPVREAD(s, len, s); ++ SAFEPVREAD(s, (I32)len, s); + + sv = retrieve(aTHX_ cxt, cname); + if (!sv) { +@@ -6858,7 +6864,7 @@ static SV *retrieve_regexp(pTHX_ stcxt_t *cxt, const char *cname) { + SPAGAIN; + + if (count != 1) +- CROAK(("Bad count %d calling _make_re", count)); ++ CROAK(("Bad count %d calling _make_re", (int)count)); + + re_ref = POPs; + +@@ -7807,6 +7813,8 @@ BOOT: + newCONSTSUB(stash, "BIN_MINOR", newSViv(STORABLE_BIN_MINOR)); + newCONSTSUB(stash, "BIN_WRITE_MINOR", newSViv(STORABLE_BIN_WRITE_MINOR)); + ++ newCONSTSUB(stash, "CAN_FLOCK", CAN_FLOCK); ++ + init_perinterp(aTHX); + gv_fetchpv("Storable::drop_utf8", GV_ADDMULTI, SVt_PV); + #ifdef DEBUGME +diff --git a/stacksize b/stacksize +index f93eccc..2896684 100644 +--- a/stacksize ++++ b/stacksize +@@ -161,7 +161,7 @@ my $max_depth_hash = $n; + # instead so a user setting of either variable more closely matches + # the limits the use sees. 
+ +-# be fairly aggressive in trimming this, smoke testing showed several ++# be fairly aggressive in trimming this, smoke testing showed + # several apparently random failures here, eg. working in one + # configuration, but not in a very similar configuration. + $max_depth = int(0.6 * $max_depth); +diff --git a/t/attach_errors.t b/t/attach_errors.t +index 0ed7c8d..e2be39d 100644 +--- a/t/attach_errors.t ++++ b/t/attach_errors.t +@@ -94,7 +94,7 @@ use Storable (); + # Error 2 + # + # If, for some reason, a STORABLE_attach object is accidentally stored +-# with references, this should be checked and and error should be throw. ++# with references, this should be checked and an error should be thrown. + + + +diff --git a/t/huge.t b/t/huge.t +index d28e238..09b173e 100644 +--- a/t/huge.t ++++ b/t/huge.t +@@ -63,7 +63,7 @@ if ($Config{ptrsize} > 4 and !$has_too_many) { + [ 'huge array', + sub { my @x; $x[$huge] = undef; \@x } ]; + } else { +- diag "skip huge array, need PERL_TEST_MEMORY >= 8"; ++ diag "skip huge array, need PERL_TEST_MEMORY >= 55"; + } + } + +@@ -78,7 +78,7 @@ if (!$has_too_many) { + ['huge hash', + sub { my %x = (0 .. $huge); \%x } ]; + } else { +- diag "skip huge hash, need PERL_TEST_MEMORY >= 16"; ++ diag "skip huge hash, need PERL_TEST_MEMORY >= 96"; + } + } + +diff --git a/t/recurse.t b/t/recurse.t +index b5967a0..6f82169 100644 +--- a/t/recurse.t ++++ b/t/recurse.t +@@ -347,7 +347,7 @@ sub MAX_DEPTH_HASH () { Storable::stack_depth_hash() } + eval { + my $t; + $t = [$t] for 1 .. MAX_DEPTH*2; +- note 'trying catching recursive aref stack overflow'; ++ eval { note('trying catching recursive aref stack overflow') }; + dclone $t; + }; + like $@, qr/Max\. recursion depth with nested structures exceeded/, +@@ -362,7 +362,7 @@ else { + my $t; + # 35.000 will cause appveyor 64bit windows to fail earlier + $t = {1=>$t} for 1 .. 
MAX_DEPTH * 2; +- note 'trying catching recursive href stack overflow'; ++ eval { note('trying catching recursive href stack overflow') }; + dclone $t; + }; + like $@, qr/Max\. recursion depth with nested structures exceeded/, +diff --git a/t/regexp.t b/t/regexp.t +index e7c6c7e..6c6b1d5 100644 +--- a/t/regexp.t ++++ b/t/regexp.t +@@ -123,7 +123,7 @@ __DATA__ + A-; qr(\x2E) ; ".", !"a" ; \x2E - hex meta + -; qr/\./ ; "." , !"a" ; \. - backslash meta + 8- ; qr/\x{100}/ ; "\x{100}" ; simple unicode +-12- ; qr/fss/i ; "f\xDF\x{101}" ; case insensive unicode promoted +-22-; qr/fss/ui ; "f\xDF" ; case insensitive unicode SS /iu +-22-; qr/fss/aai ; !"f\xDF" ; case insensitive unicode SS /iaa +-22-; qr/f\w/a ; "fo", !"f\xff" ; simple /a flag ++A12- ; qr/fss/i ; "f\xDF\x{101}" ; case insensive unicode promoted ++A22-; qr/fss/ui ; "f\xDF" ; case insensitive unicode SS /iu ++A22-; qr/fss/aai ; !"f\xDF" ; case insensitive unicode SS /iaa ++A22-; qr/f\w/a ; "fo", !"f\xff" ; simple /a flag +-- +2.25.4 + diff --git a/SOURCES/Storable-3.15-perl-134179-include-regexps-in-the-seen-objects-tabl.patch b/SOURCES/Storable-3.15-perl-134179-include-regexps-in-the-seen-objects-tabl.patch new file mode 100644 index 0000000..a4660d8 --- /dev/null +++ b/SOURCES/Storable-3.15-perl-134179-include-regexps-in-the-seen-objects-tabl.patch 
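Review bot: The `CAN_FLOCK` guard added to Storable.xs does not match the detection it replaces. `defined(HAS_FLOCK) || defined(FCNTL_CAN_LOCK) && defined(HAS_LOCKF)` parses as `HAS_FLOCK || (FCNTL_CAN_LOCK && HAS_LOCKF)`, whereas the removed Storable.pm.PL enabled locking when any one of `d_flock`, `d_fcntl_can_lock` or `d_lockf` was set. On a build that has only one of the latter two, the `unless (CAN_FLOCK)` branches in `_store` and `_retrieve` would now warn and return undef instead of taking the lock. If the old semantics were intended, the guard would read `#if defined(HAS_FLOCK) || defined(FCNTL_CAN_LOCK) || defined(HAS_LOCKF)`. Because this patch imports upstream code, the question is better raised upstream than fixed locally, and it presumably changes nothing where `HAS_FLOCK` is defined.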
@@ -0,0 +1,92 @@ +From 16f2ddb794883529d5a3ad8326974a07aae7e567 Mon Sep 17 00:00:00 2001 +From: Tony Cook +Date: Mon, 10 Jun 2019 10:17:20 +1000 +Subject: [PATCH] (perl #134179) include regexps in the seen objects table on + retrieve +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Also, bless the regexp object, so freezing/thawing bless qr//, "Foo" +returns a "Foo" blesses regexp. + +Signed-off-by: Petr Písař +--- + dist/Storable/Storable.xs | 5 +++-- + dist/Storable/t/regexp.t | 4 +++- + dist/Storable/t/weak.t | 10 +++++++++- + 3 files changed, 15 insertions(+), 4 deletions(-) + +diff --git a/dist/Storable/Storable.xs b/dist/Storable/Storable.xs +index ed729c94a6..6a45d8adf2 100644 +--- a/dist/Storable/Storable.xs ++++ b/dist/Storable/Storable.xs +@@ -6808,8 +6808,7 @@ static SV *retrieve_regexp(pTHX_ stcxt_t *cxt, const char *cname) { + SV *sv; + dSP; + I32 count; +- +- PERL_UNUSED_ARG(cname); ++ HV *stash; + + ENTER; + SAVETMPS; +@@ -6857,6 +6856,8 @@ static SV *retrieve_regexp(pTHX_ stcxt_t *cxt, const char *cname) { + + sv = SvRV(re_ref); + SvREFCNT_inc(sv); ++ stash = cname ? 
gv_stashpv(cname, GV_ADD) : 0; ++ SEEN_NN(sv, stash, 0); + + FREETMPS; + LEAVE; +diff --git a/dist/Storable/t/regexp.t b/dist/Storable/t/regexp.t +index acf28cfec6..e7c6c7e94a 100644 +--- a/dist/Storable/t/regexp.t ++++ b/dist/Storable/t/regexp.t +@@ -37,7 +37,7 @@ while () { + } + } + +-plan tests => 9 + 3*scalar(@tests); ++plan tests => 10 + 3*scalar(@tests); + + SKIP: + { +@@ -75,6 +75,8 @@ SKIP: + ok(!eval { dclone($re) }, "should fail to clone, even with use re 'eval'"); + } + ++is(ref(dclone(bless qr//, "Foo")), "Foo", "check reblessed regexps"); ++ + for my $test (@tests) { + my ($code, $not, $match, $matchc, $name) = @$test; + my $qr = eval $code; +diff --git a/dist/Storable/t/weak.t b/dist/Storable/t/weak.t +index 220c70160f..48752fbec4 100644 +--- a/dist/Storable/t/weak.t ++++ b/dist/Storable/t/weak.t +@@ -29,7 +29,7 @@ sub BEGIN { + } + + use Test::More 'no_plan'; +-use Storable qw (store retrieve freeze thaw nstore nfreeze); ++use Storable qw (store retrieve freeze thaw nstore nfreeze dclone); + require 'testlib.pl'; + our $file; + use strict; +@@ -143,3 +143,11 @@ foreach (@tests) { + $stored = nfreeze $input; + tester($stored, \&freeze_and_thaw, $testsub, 'network string'); + } ++ ++{ ++ # [perl #134179] sv_upgrade from type 7 down to type 1 ++ my $foo = [qr//,[]]; ++ weaken($foo->[1][0][0] = $foo->[1]); ++ my $out = dclone($foo); # croaked here ++ is_deeply($out, $foo, "check they match"); ++} +-- +2.20.1 + diff --git a/SOURCES/Storable-3.16-Storable-make-count-large-enough.patch b/SOURCES/Storable-3.16-Storable-make-count-large-enough.patch new file mode 100644 index 0000000..b2b5b40 --- /dev/null +++ b/SOURCES/Storable-3.16-Storable-make-count-large-enough.patch 
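Review bot: The two lines added to `retrieve_regexp` need a comment, because `cname` now decides the class of the thawed regexp. `gv_stashpv(cname, GV_ADD)` creates the package when it does not exist yet, and `SEEN_NN(sv, stash, 0)` is handed that stash. Assuming `cname` originates from the frozen data (its origin is outside the hunk), I would add `/* cname comes from the frozen data; register the regexp as seen and pass its stash so a blessed qr// keeps its class */` above the `stash =` line. The function body starts and ends outside the hunk.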
@@ -0,0 +1,53 @@ +From f7724052d1b8b75339f5ec2cc3d5b35ca5d130b5 Mon Sep 17 00:00:00 2001 +From: Tony Cook +Date: Wed, 7 Aug 2019 11:13:53 +1000 +Subject: [PATCH] Storable: make count large enough +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +AvARRAY() could be very large, and we check for that at line 3807, +but int was (potentially) too small to make that comparison +meaningful. + +CID 174681. + +Signed-off-by: Petr Písař +--- + dist/Storable/Storable.xs | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/dist/Storable/Storable.xs b/dist/Storable/Storable.xs +index 6a45d8adf2..d75125b839 100644 +--- a/dist/Storable/Storable.xs ++++ b/dist/Storable/Storable.xs +@@ -3662,7 +3662,7 @@ static int store_hook( + SV *ref; + AV *av; + SV **ary; +- int count; /* really len3 + 1 */ ++ IV count; /* really len3 + 1 */ + unsigned char flags; + char *pv; + int i; +@@ -3752,7 +3752,7 @@ static int store_hook( + SvREFCNT_dec(ref); /* Reclaim temporary reference */ + + count = AvFILLp(av) + 1; +- TRACEME(("store_hook, array holds %d items", count)); ++ TRACEME(("store_hook, array holds %" IVdf " items", count)); + + /* + * If they return an empty list, it means they wish to ignore the +@@ -3986,7 +3986,7 @@ static int store_hook( + */ + + TRACEME(("SX_HOOK (recursed=%d) flags=0x%x " +- "class=%" IVdf " len=%" IVdf " len2=%" IVdf " len3=%d", ++ "class=%" IVdf " len=%" IVdf " len2=%" IVdf " len3=%" IVdf, + recursed, flags, (IV)classnum, (IV)len, (IV)len2, count-1)); + + /* SX_HOOK [] */ +-- +2.20.1 + diff --git a/SOURCES/perl-5.31.6-disallow-vstring-magic-strings-over-2GB-1.patch b/SOURCES/perl-5.31.6-disallow-vstring-magic-strings-over-2GB-1.patch new file mode 100644 index 0000000..e3e9819 --- /dev/null +++ b/SOURCES/perl-5.31.6-disallow-vstring-magic-strings-over-2GB-1.patch 
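Review bot: `int i` is left declared next to the widened `IV count` in `store_hook`. If `i` is compared with `count` before the too-large check that the commit message refers to (both are outside the hunk), the narrower index would be the next value to overflow. A comment at the declaration would record why the width matters, for example `IV count; /* really len3 + 1; IV so the too-large check compares the real AvFILLp() value */`. The format changes to `%" IVdf` agree with the new type.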
@@ -0,0 +1,67 @@ +From ea1e86cfdf26a330e58ea377a80273de7110011b Mon Sep 17 00:00:00 2001 +From: Tony Cook +Date: Wed, 21 Aug 2019 11:37:58 +1000 +Subject: [PATCH] disallow vstring magic strings over 2GB-1 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +On reads this could result in buffer overflows, so avoid writing +such large vstrings to avoid causing problems for older Storable. + +Since we no longer write such large vstrings, we don't want to accept +them. + +I doubt that restricting versions strings to under 2GB-1 will have +a practical effect on downstream users. + +fixes #17306 + +Signed-off-by: Petr Písař +--- + dist/Storable/Storable.xs | 19 ++++++++++++++++--- + 1 file changed, 16 insertions(+), 3 deletions(-) + +diff --git a/dist/Storable/Storable.xs b/dist/Storable/Storable.xs +index c2335680ab..d27ac58012 100644 +--- a/dist/Storable/Storable.xs ++++ b/dist/Storable/Storable.xs +@@ -2628,6 +2628,12 @@ static int store_scalar(pTHX_ stcxt_t *cxt, SV *sv) + /* The macro passes this by address, not value, and a lot of + called code assumes that it's 32 bits without checking. */ + const SSize_t len = mg->mg_len; ++ /* we no longer accept vstrings over I32_SIZE-1, so don't emit ++ them, also, older Storables handle them badly. ++ */ ++ if (len >= I32_MAX) { ++ CROAK(("vstring too large to freeze")); ++ } + STORE_PV_LEN((const char *)mg->mg_ptr, + len, SX_VSTRING, SX_LVSTRING); + } +@@ -5937,12 +5943,19 @@ static SV *retrieve_lvstring(pTHX_ stcxt_t *cxt, const char *cname) + { + #ifdef SvVOK + char *s; +- I32 len; ++ U32 len; + SV *sv; + + RLEN(len); +- TRACEME(("retrieve_lvstring (#%d), len = %" IVdf, +- (int)cxt->tagnum, (IV)len)); ++ TRACEME(("retrieve_lvstring (#%d), len = %" UVuf, ++ (int)cxt->tagnum, (UV)len)); ++ ++ /* Since we'll no longer produce such large vstrings, reject them ++ here too. 
++ */ ++ if (len >= I32_MAX) { ++ CROAK(("vstring too large to fetch")); ++ } + + New(10003, s, len+1, char); + SAFEPVREAD(s, len, s); +-- +2.21.0 + diff --git a/SPECS/perl-Storable.spec b/SPECS/perl-Storable.spec new file mode 100644 index 0000000..2458907 --- /dev/null +++ b/SPECS/perl-Storable.spec 
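Review bot: The comment added in `store_scalar` and the patch subject disagree with the checks on where the limit lies. The comment says "over I32_SIZE-1" and the subject says "over 2GB-1", but both guards are `len >= I32_MAX`, so a vstring of exactly `I32_MAX` bytes is rejected as well. That errs on the safe side, so I would correct the wording rather than the code, for example `/* reject vstrings of I32_MAX bytes or more: they are no longer accepted on retrieve, and older Storables handle them badly */`. In `retrieve_lvstring` the check rightly sits before `New(10003, s, len+1, char)`, so the croak happens before anything is allocated. Both functions continue outside the hunks.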
@@ -0,0 +1,238 @@ +%global base_version 3.15 +Name: perl-Storable +Epoch: 1 +Version: 3.21 +Release: 457%{?dist} +Summary: Persistence for Perl data structures +# Storable.pm: GPL+ or Artistic +License: GPL+ or Artistic +URL: https://metacpan.org/release/Storable +Source0: https://cpan.metacpan.org/authors/id/X/XS/XSAWYERX/Storable-%{base_version}.tar.gz +# Fix deep cloning regular expression objects, RT#134179, +# in Perl upstream after 5.31.0 +Patch0: Storable-3.15-perl-134179-include-regexps-in-the-seen-objects-tabl.patch +# Fix array length check in a store hook, in Perl upstream after 5.31.2 +Patch1: Storable-3.16-Storable-make-count-large-enough.patch +# Fix a buffer overflow when processing a vstring longer than 2^31-1, +# Perl GH#17306, in perl upstream after 5.31.6 +Patch2: perl-5.31.6-disallow-vstring-magic-strings-over-2GB-1.patch +# Unbundled from perl 5.32.0 +Patch3: Storable-3.15-Upgrade-to-3.21.patch +BuildRequires: gcc +BuildRequires: make +BuildRequires: perl-devel +BuildRequires: perl-generators +BuildRequires: perl-interpreter +BuildRequires: perl(Config) +BuildRequires: perl(Cwd) +BuildRequires: perl(ExtUtils::MakeMaker) >= 6.76 +BuildRequires: perl(File::Copy) +BuildRequires: perl(File::Spec) >= 0.8 +BuildRequires: perl(strict) +BuildRequires: perl(warnings) +# Win32 not used on Linux +# Win32API::File not used on Linux +# Run-time: +BuildRequires: perl(Carp) +BuildRequires: perl(Exporter) +# Fcntl is optional, but locking is good +BuildRequires: perl(Fcntl) +BuildRequires: perl(IO::File) +# Log::Agent is optional +BuildRequires: perl(XSLoader) +# Tests: +BuildRequires: perl(base) +BuildRequires: perl(bytes) +BuildRequires: perl(File::Temp) +BuildRequires: perl(integer) +BuildRequires: perl(overload) +BuildRequires: perl(utf8) +BuildRequires: perl(Test::More) +BuildRequires: perl(threads) +BuildRequires: perl(Safe) +BuildRequires: perl(Scalar::Util) +BuildRequires: perl(Tie::Array) +# Optional tests: +# gzip not used +# Data::Dump not used +# 
Data::Dumper not used +BuildRequires: perl(B::Deparse) >= 0.61 +BuildRequires: perl(Digest::MD5) +BuildRequires: perl(Hash::Util) +# Test::LeakTrace omitted because it's not a core module requried for building +# core Storable. +BuildRequires: perl(Tie::Hash) +Requires: perl(:MODULE_COMPAT_%(eval "`perl -V:version`"; echo $version)) +Requires: perl(Config) +# Fcntl is optional, but locking is good +Requires: perl(Fcntl) +Requires: perl(IO::File) + +%{?perl_default_filter} + +%description +The Storable package brings persistence to your Perl data structures +containing scalar, array, hash or reference objects, i.e. anything that +can be conveniently stored to disk and retrieved at a later time. + +%prep +%setup -q -n Storable-%{base_version} +%patch0 -p3 +%patch1 -p3 +%patch2 -p3 +%patch3 -p1 + +%build +perl Makefile.PL INSTALLDIRS=vendor NO_PACKLIST=1 NO_PERLLOCAL=1 OPTIMIZE="$RPM_OPT_FLAGS" +%{make_build} + +%install +%{make_install} +find $RPM_BUILD_ROOT -type f -name '*.bs' -size 0 -delete +find $RPM_BUILD_ROOT -type f -name '*.3pm' -size 0 -delete +%{_fixperms} $RPM_BUILD_ROOT/* + +%check +unset PERL_CORE PERL_TEST_MEMORY PERL_RUN_SLOW_TESTS +make test + +%files +%doc ChangeLog README +%{perl_vendorarch}/auto/* +%{perl_vendorarch}/Storable* +%{_mandir}/man3/* + +%changelog +* Tue Jul 28 2020 Fedora Release Engineering - 1:3.21-457 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild + +* Mon Jun 22 2020 Jitka Plesnikova - 1:3.21-456 +- Upgrade to 3.21 as provided in perl-5.32.0 + +* Thu Jan 30 2020 Fedora Release Engineering - 1:3.15-443 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild + +* Mon Nov 25 2019 Petr Pisar - 1:3.15-442 +- Fix a buffer overflow when processing a vstring longer than 2^31-1 + (Perl GH#17306) + +* Thu Aug 08 2019 Petr Pisar - 1:3.15-441 +- Fix array length check in a store hook + +* Fri Jul 26 2019 Fedora Release Engineering - 1:3.15-440 +- Rebuilt for 
https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild + +* Tue Jun 11 2019 Petr Pisar - 1:3.15-439 +- Fix deep cloning regular expression objects (RT#134179) + +* Thu May 30 2019 Jitka Plesnikova - 1:3.15-438 +- Increase release to favour standalone package + +* Wed Apr 24 2019 Petr Pisar - 1:3.15-1 +- 3.15 bump + +* Sat Feb 02 2019 Fedora Release Engineering - 1:3.11-7 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild + +* Mon Jan 07 2019 Petr Pisar - 1:3.11-6 +- Storable-3.11 source archive repackaged without a t/CVE-2015-1592.inc file + (RT#133706) + +* Mon Aug 27 2018 Petr Pisar - 1:3.11-5 +- Fix recursion check (RT#133326) + +* Fri Jul 13 2018 Fedora Release Engineering - 1:3.11-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild + +* Tue Jun 26 2018 Jitka Plesnikova - 1:3.11-3 +- Perl 5.28 rebuild + +* Tue Jun 05 2018 Petr Pisar - 1:3.11-2 +- Do not package empty Storable::Limit(3pm) manual page + +* Mon Apr 30 2018 Petr Pisar - 1:3.11-1 +- 3.11 bump + +* Mon Apr 23 2018 Petr Pisar - 1:3.09-1 +- 3.09 bump + +* Thu Apr 19 2018 Petr Pisar - 1:3.06-1 +- 3.06 bump + +* Fri Feb 09 2018 Fedora Release Engineering - 1:2.62-396 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild + +* Thu Aug 03 2017 Fedora Release Engineering - 1:2.62-395 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild + +* Thu Jul 27 2017 Fedora Release Engineering - 1:2.62-394 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild + +* Sat Jun 03 2017 Jitka Plesnikova - 1:2.62-393 +- Perl 5.26 rebuild + +* Thu May 11 2017 Petr Pisar - 1:2.62-1 +- Upgrade to 2.62 as provided in perl-5.25.12 + +* Mon Feb 06 2017 Petr Pisar - 1:2.56-368 +- Fix a stack buffer overflow in deserialization of hooks (RT#130635) +- Fix a memory leak of a class name from retrieve_hook() on an exception + (RT#130635) + +* Tue Dec 20 2016 Petr Pisar - 1:2.56-367 +- Fix crash in Storable when deserializing malformed code reference 
+ (RT#68348, RT#130098) + +* Wed Aug 03 2016 Jitka Plesnikova - 1:2.56-366 +- Avoid loading optional modules from default . (CVE-2016-1238) + +* Sat May 14 2016 Jitka Plesnikova - 1:2.56-365 +- Increase release to favour standalone package + +* Wed May 11 2016 Jitka Plesnikova - 2.56-1 +- 2.56 bump in order to dual-live with perl 5.24 + +* Thu Feb 04 2016 Fedora Release Engineering - 1:2.53-347 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild + +* Thu Jun 18 2015 Fedora Release Engineering - 1:2.53-346 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild + +* Thu Jun 04 2015 Jitka Plesnikova - 1:2.53-345 +- Increase release to favour standalone package + +* Wed Jun 03 2015 Jitka Plesnikova - 1:2.53-2 +- Perl 5.22 rebuild + +* Wed May 06 2015 Petr Pisar - 1:2.53-1 +- 2.53 bump in order to dual-live with perl 5.22 + +* Wed Sep 03 2014 Jitka Plesnikova - 1:2.51-4 +- Increase Epoch to favour standalone package + +* Tue Aug 26 2014 Jitka Plesnikova - 2.51-3 +- Perl 5.20 rebuild + +* Sun Aug 17 2014 Fedora Release Engineering - 2.51-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild + +* Mon Jul 07 2014 Petr Pisar - 2.51-1 +- 2.51 bump + +* Sat Jun 07 2014 Fedora Release Engineering - 2.45-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild + +* Sun Aug 04 2013 Fedora Release Engineering - 2.45-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild + +* Mon Jul 15 2013 Petr Pisar - 2.45-1 +- 2.45 bump + +* Fri Jul 12 2013 Petr Pisar - 2.39-3 +- Link minimal build-root packages against libperl.so explicitly + +* Tue Jun 11 2013 Petr Pisar - 2.39-2 +- Do not export private libraries + +* Fri May 24 2013 Petr Pisar 2.39-1 +- Specfile autogenerated by cpanspec 1.78.
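Review bot: Nothing in the patch list records that Patch3 is not self-contained. `Storable-3.15-Upgrade-to-3.21.patch` changes `SAFEPVREAD(s, len, s)` to `SAFEPVREAD(s, (I32)len, s)` but does not itself add the `len >= I32_MAX` rejection, the `IV count` widening or the `SEEN_NN` call; those arrive only through Patch0–Patch2. With `Version: 3.21` set on a 3.15 tarball, dropping or reordering an earlier patch later could still produce a package that reports 3.21 without the vstring overflow fix. I would extend the comment above `Patch3:` to something like `# Unbundled from perl 5.32.0; applies on top of Patch0-Patch2 and relies on their fixes, keep all four in this order`.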