commit 015684363a044928b0931362aa2f00d44cd45a08
Author: Paul Howarth <paul@xxxxxxxxxxxx>
Date: Fri Nov 21 16:17:02 2014 +0000
Fix insecure temporary file creation (CVE-2014-2277)
- Fix insecure temporary file creation (CVE-2014-2277)
(patch based on the debian patch, plus corresponding manpage update from Fedora)
- Re-code CHANGES file as UTF-8
Perl-Tidy-20070801-CVE-2014-2277.patch | 82 ++++++++++++++++++++++++++++++++
Perl-Tidy-20070801-utf8.patch | 30 ++++++++++++
perltidy.spec | 20 +++++++-
3 files changed, 129 insertions(+), 3 deletions(-)
---
diff --git a/Perl-Tidy-20070801-CVE-2014-2277.patch b/Perl-Tidy-20070801-CVE-2014-2277.patch
new file mode 100644
index 0000000..512b1cb
--- /dev/null
+++ b/Perl-Tidy-20070801-CVE-2014-2277.patch
@@ -0,0 +1,82 @@
+--- bin/perltidy
++++ bin/perltidy
+@@ -2632,9 +2632,8 @@ in any way. And, of course, it does not
+ =item Temporary files
+
+ Under the -html option with the default --pod2html flag, a temporary file is
+-required to pass text to Pod::Html. Unix systems will try to use the POSIX
+-tmpnam() function. Otherwise the file F<perltidy.TMP> will be temporarily
+-created in the current working directory.
++required to pass text to Pod::Html. The temporary file is created using
++File::Temp::tempfile().
+
+ =item Special files when standard input is used
+
+--- lib/Perl/Tidy.pm
++++ lib/Perl/Tidy.pm
+@@ -63,6 +63,7 @@ use vars qw{
+
+ use IO::File;
+ use File::Basename;
++use File::Temp qw(tempfile);
+
+ BEGIN {
+ ( $VERSION = q($Id: Tidy.pm,v 1.68 2007/08/01 16:22:38 perltidy Exp $) ) =~ s/^.*\s+(\d+)\/(\d+)\/(\d+).*$/$1$2$3/; # all one line for MakeMaker
+@@ -222,39 +223,6 @@ sub catfile {
+ return undef;
+ }
+
+-sub make_temporary_filename {
+-
+- # Make a temporary filename.
+- #
+- # The POSIX tmpnam() function tends to be unreliable for non-unix
+- # systems (at least for the win32 systems that I've tested), so use
+- # a pre-defined name. A slight disadvantage of this is that two
+- # perltidy runs in the same working directory may conflict.
+- # However, the chance of that is small and managable by the user.
+- # An alternative would be to check for the file's existance and use,
+- # say .TMP0, .TMP1, etc, but that scheme has its own problems. So,
+- # keep it simple.
+- my $name = "perltidy.TMP";
+- if ( $^O =~ /win32|dos/i || $^O eq 'VMS' || $^O eq 'MacOs' ) {
+- return $name;
+- }
+- eval "use POSIX qw(tmpnam)";
+- if ($@) { return $name }
+- use IO::File;
+-
+- # just make a couple of tries before giving up and using the default
+- for ( 0 .. 1 ) {
+- my $tmpname = tmpnam();
+- my $fh = IO::File->new( $tmpname, O_RDWR | O_CREAT | O_EXCL );
+- if ($fh) {
+- $fh->close();
+- return ($tmpname);
+- last;
+- }
+- }
+- return ($name);
+-}
+-
+ # Here is a map of the flow of data from the input source to the output
+ # line sink:
+ #
+@@ -4615,16 +4583,7 @@ sub pod_to_html {
+ }
+
+ # Pod::Html requires a real temporary filename
+- # If we are making a frame, we have a name available
+- # Otherwise, we have to fine one
+- my $tmpfile;
+- if ( $rOpts->{'frames'} ) {
+- $tmpfile = $self->{_toc_filename};
+- }
+- else {
+- $tmpfile = Perl::Tidy::make_temporary_filename();
+- }
+- my $fh_tmp = IO::File->new( $tmpfile, 'w' );
++ my ($fh_tmp,$tmpfile) = tempfile();
+ unless ($fh_tmp) {
+ warn "unable to open temporary file $tmpfile; cannot use pod2html\n";
+ return $success_flag;
diff --git a/Perl-Tidy-20070801-utf8.patch b/Perl-Tidy-20070801-utf8.patch
new file mode 100644
index 0000000..362dfc8
--- /dev/null
+++ b/Perl-Tidy-20070801-utf8.patch
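Review bot: The new `tempfile()` call on the last added line dies on failure instead of returning a false handle, so the `unless ($fh_tmp)` fallback kept directly below it is now unreachable and a temp-file creation error aborts perltidy rather than degrading to the warned "cannot use pod2html" path; either wrap it, `my ( $fh_tmp, $tmpfile ) = eval { tempfile() };` and append `$@` to the warning, or drop the dead branch. `tempfile()` is also called without `UNLINK => 1`, and with no template the file is created in the system temp directory rather than the working directory, so unless the remainder of pod_to_html unlinks `$tmpfile` every -html run leaves a file behind; pod_to_html starts and ends outside this hunk, so that cannot be confirmed from the patch. Removing `make_temporary_filename` also deletes a package-level sub that was reachable as `Perl::Tidy::make_temporary_filename()`, so any external caller of that name breaks; if such callers are a concern, a thin wrapper returning the tempfile() name would preserve the interface.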
@@ -0,0 +1,30 @@
+--- CHANGES
++++ CHANGES
+@@ -470,8 +470,8 @@ Perltidy Change Log
+
+ -improved breakpoint choices involving '->'
+
+- -Corrected tokenization of things like ${#} or ${�}. For example,
+- ${�} is valid, but ${� } is a syntax error.
++ -Corrected tokenization of things like ${#} or ${©}. For example,
++ ${©} is valid, but ${© } is a syntax error.
+
+ -Corrected minor tokenization errors with indirect object notation.
+ For example, 'new A::()' works now.
+@@ -644,14 +644,14 @@ Perltidy Change Log
+ closing side comments (-csc) could have incorrect text. This is
+ annoying but will be correct the next time perltidy is run with -csc.
+
+- -Implemented XHTML patch submitted by Ville Skytt�
++ -Implemented XHTML patch submitted by Ville Skyttä.
+
+ -Fixed bug where whitespace was being removed between 'Bar' and '()'
+ in a use statement like:
+
+ use Foo::Bar ();
+
+- Thanks to Ville Skytt�or reporting this.
++ Thanks to Ville Skyttä for reporting this.
+
+ -Whenever possible, if a logical expression is broken with leading
+ '&&', '||', 'and', or 'or', then the leading line will be padded
diff --git a/perltidy.spec b/perltidy.spec
index a350d03..b83b22e 100644
--- a/perltidy.spec
+++ b/perltidy.spec
@@ -1,12 +1,14 @@
 Name: perltidy
 Version: 20070801
-Release: 1%{?dist}
+Release: 2%{?dist}
 Summary: Tool for indenting and reformatting Perl scripts
 Group: Development/Tools
 License: GPLv2+
 URL: http://perltidy.sourceforge.net/
-Source: http://downloads.sourceforge.net/perltidy/Perl-Tidy-%{version}.tar.gz
+Source0: http://downloads.sourceforge.net/perltidy/Perl-Tidy-%{version}.tar.gz
+Patch0: Perl-Tidy-20070801-CVE-2014-2277.patch
+Patch1: Perl-Tidy-20070801-utf8.patch
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 BuildArch: noarch
@@ -30,6 +32,13 @@ brackets because it is very good at localizing errors.
 %setup -q -n Perl-Tidy-%{version}
 rm -f docs/perltidy.1 examples/pt.bat
+# Fix insecure temporary file creation (CVE-2014-2277)
+# (patch based on the debian patch, plus corresponding manpage update from Fedora)
+%patch0
+
+# Re-code CHANGES file as UTF-8
+%patch1
+
 %build
 %{__perl} Makefile.PL INSTALLDIRS=vendor
@@ -62,6 +71,11 @@ rm -rf $RPM_BUILD_ROOT
 %changelog
+* Fri Nov 21 2014 Paul Howarth <paul@xxxxxxxxxxxx> - 20070801-2
+- Fix insecure temporary file creation (CVE-2014-2277)
+ (patch based on the debian patch, plus corresponding manpage update from Fedora)
+- Re-code CHANGES file as UTF-8
+
 * Wed Aug 1 2007 Ville Skyttä <ville.skytta at iki.fi> - 20070801-1
 - 20070801.
@@ -87,7 +101,7 @@ rm -rf $RPM_BUILD_ROOT
 * Thu Jun 15 2006 Ville Skyttä <ville.skytta at iki.fi> - 20060614-1
 - 20060614, specfile cleanups, include examples in docs.
-* Fri Apr 7 2005 Michael Schwendt <mschwendt[AT]users.sf.net>
+* Wed Apr 6 2005 Michael Schwendt <mschwendt[AT]users.sf.net>
 - rebuilt
 * Thu Dec 16 2004 Ville Skyttä <ville.skytta at iki.fi> - 0:20031021-1