From e8608159fdb5b35c80f386a1ee883e8d7b05f431 Mon Sep 17 00:00:00 2001 From: CentOS Buildsys Date: Mar 11 2014 10:06:00 +0000 Subject: import perltidy-20121207-3.el7.src.rpm
---
diff --git a/SOURCES/Fix-CVE-2014-2277.patch b/SOURCES/Fix-CVE-2014-2277.patch
new file mode 100644
index 0000000..c8c2c3b
--- /dev/null
+++ b/SOURCES/Fix-CVE-2014-2277.patch
@@ -0,0 +1,80 @@
+Description: Replace insecure make_temporary_filename with File::Temp::tempfile
+Forwarded: http://lists.example.com/2010/03/1234.html
+Origin: vendor, http://bugs.debian.org/740670
+Author: Don Armstrong
+Last-Update: 2010-03-29
+--- a/lib/Perl/Tidy.pm
++++ b/lib/Perl/Tidy.pm
+@@ -76,6 +76,7 @@
+ use IO::File;
+ use File::Basename;
+ use File::Copy;
++use File::Temp qw(tempfile);
+
+ BEGIN {
+ ( $VERSION = q($Id: Tidy.pm,v 1.74 2012/12/07 13:56:49 perltidy Exp $) ) =~ s/^.*\s+(\d+)\/(\d+)\/(\d+).*$/$1$2$3/; # all one line for MakeMaker
+@@ -235,35 +236,6 @@
+ return undef;
+ }
+
+-sub make_temporary_filename {
+-
+- # Make a temporary filename.
+- # The POSIX tmpnam() function has been unreliable for non-unix systems
+- # (at least for the win32 systems that I've tested), so use a pre-defined
+- # name for them. A disadvantage of this is that two perltidy
+- # runs in the same working directory may conflict. However, the chance of
+- # that is small and manageable by the user, especially on systems for which
+- # the POSIX tmpnam function doesn't work.
+- my $name = "perltidy.TMP";
+- if ( $^O =~ /win32|dos/i || $^O eq 'VMS' || $^O eq 'MacOs' ) {
+- return $name;
+- }
+- eval "use POSIX qw(tmpnam)";
+- if ($@) { return $name }
+- use IO::File;
+-
+- # just make a couple of tries before giving up and using the default
+- for ( 0 ..
3 ) {
+- my $tmpname = tmpnam();
+- my $fh = IO::File->new( $tmpname, O_RDWR | O_CREAT | O_EXCL );
+- if ($fh) {
+- $fh->close();
+- return ($tmpname);
+- last;
+- }
+- }
+- return ($name);
+-}
+
+ # Here is a map of the flow of data from the input source to the output
+ # line sink:
+@@ -1316,11 +1288,7 @@
+ my ( $fh_stream, $fh_name ) =
+ Perl::Tidy::streamhandle( $stream, 'r' );
+ if ($fh_stream) {
+- my ( $fout, $tmpnam );
+-
+- # TODO: fix the tmpnam routine to return an open filehandle
+- $tmpnam = Perl::Tidy::make_temporary_filename();
+- $fout = IO::File->new( $tmpnam, 'w' );
++ my ( $fout, $tmpnam ) = tempfile();
+
+ if ($fout) {
+ $fname = $tmpnam;
+@@ -5150,14 +5118,7 @@
+ # Pod::Html requires a real temporary filename
+ # If we are making a frame, we have a name available
+ # Otherwise, we have to fine one
+- my $tmpfile;
+- if ( $rOpts->{'frames'} ) {
+- $tmpfile = $self->{_toc_filename};
+- }
+- else {
+- $tmpfile = Perl::Tidy::make_temporary_filename();
+- }
+- my $fh_tmp = IO::File->new( $tmpfile, 'w' );
++ my ($fh_tmp,$tmpfile) = tempfile();
+ unless ($fh_tmp) {
+ Perl::Tidy::Warn
+ "unable to open temporary file $tmpfile; cannot use pod2html\n";
diff --git a/SPECS/perltidy.spec b/SPECS/perltidy.spec
index 6ed4a2b..a9ba5c4 100644
--- a/SPECS/perltidy.spec
+++ b/SPECS/perltidy.spec
@@ -1,11 +1,13 @@
 Name: perltidy
 Version: 20121207
-Release: 1%{?dist}
+Release: 3%{?dist}
 Summary: Tool for indenting and reformatting Perl scripts
 License: GPLv2+
 URL: http://perltidy.sourceforge.net/
 Source: http://downloads.sourceforge.net/perltidy/Perl-Tidy-%{version}.tar.gz
+# Fix CVE-2014-2277 (Insecure temporary file creation)
+Patch0: Fix-CVE-2014-2277.patch
 BuildArch: noarch
 BuildRequires: perl(ExtUtils::MakeMaker)
@@ -31,6 +33,7 @@ because it is very good at localizing errors.
 %prep
 %setup -q -n Perl-Tidy-%{version}
+%patch0 -p1
 rm -f docs/perltidy.1 examples/pt.bat
 f=CHANGES ; iconv -f iso-8859-1 -t utf-8 $f > $f.utf8 ; mv $f.utf8 $f
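Review bot: The `unless ($fh_tmp)` branch kept after `++ my ($fh_tmp,$tmpfile) = tempfile();` in the @@ -5150 hunk is now dead code, because File::Temp's tempfile() croaks rather than returning an undef handle when it cannot create the file, so a temp-directory failure becomes an uncaught die instead of reaching the existing Perl::Tidy::Warn-and-return path; the same applies to `if ($fout)` after `++ my ( $fout, $tmpnam ) = tempfile();` in the @@ -1316 hunk. Wrapping the calls, `my ($fh_tmp, $tmpfile) = eval { tempfile() };` and `my ( $fout, $tmpnam ) = eval { tempfile() };`, keeps those error branches reachable and preserves the library's warn-don't-die behaviour. The @@ -5150 hunk also drops the `$rOpts->{'frames'}` branch that wrote the POD to `$self->{_toc_filename}`; if code later in that routine (outside the hunk) still expects the converted output to land in that file when frames are enabled, frame generation would silently lose its table of contents, so that path should be verified or the frames case kept with tempfile() used only on the else side. Neither call passes `UNLINK => 1`, so cleanup of the new files in the system temp directory now depends on the callers removing `$tmpnam`/`$tmpfile` themselves; both enclosing functions begin and end outside the hunk.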
@@ -60,6 +63,13 @@ make test
 %changelog
+* Tue Mar 11 2014 Jitka Plesnikova - 20121207-3
+- Resolves: rhbz#1074723 / CVE-2014-2277
+- Fix a bogus date in changelog
+
+* Fri Dec 27 2013 Daniel Mach - 20121207-2
+- Mass rebuild 2013-12-27
+
 * Tue Dec 11 2012 Ville Skyttä - 20121207-1
 - Update to 20121207.
@@ -150,7 +160,7 @@ make test
 * Thu Jun 15 2006 Ville Skyttä - 20060614-1
 - 20060614, specfile cleanups, include examples in docs.
-* Fri Apr 7 2005 Michael Schwendt
+* Fri Apr 8 2005 Michael Schwendt
 - rebuilt
 * Thu Dec 16 2004 Ville Skyttä - 0:20031021-1