commit 55d8c0d4e2e1afa9e47a30ccb8cfb39b031f352e
Author: Petr Písař <ppisar@xxxxxxxxxx>
Date: Mon Dec 1 16:14:00 2014 +0100
Use stronger algorithm needed for FIPS in t/op/taint.t
 ...t-Perform-SHA-256-algorithm-by-crypt-if-d.patch | 47 ++++++++++++++++++++
 perl.spec | 7 +++
 2 files changed, 54 insertions(+), 0 deletions(-)
---
diff --git a/perl-5.21.6-t-op-taint.t-Perform-SHA-256-algorithm-by-crypt-if-d.patch b/perl-5.21.6-t-op-taint.t-Perform-SHA-256-algorithm-by-crypt-if-d.patch
new file mode 100644
index 0000000..4a4fca1
--- /dev/null
+++ b/perl-5.21.6-t-op-taint.t-Perform-SHA-256-algorithm-by-crypt-if-d.patch
@@ -0,0 +1,47 @@
+From 0a370b8f77bd4b1be3f776257869e5c85eb9e8e2 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@xxxxxxxxxx>
+Date: Mon, 1 Dec 2014 15:28:36 +0100
+Subject: [PATCH] t/op/taint.t: Perform SHA-256 algorithm by crypt() if default
+ one is disabled
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The crypt(3) call may return NULL. This is the case on FIPS-enabled
+platforms. Then "tainted crypt" test would fail.
+
+See RT#121591 for similar fix in t/op/crypt.t.
+
+Signed-off-by: Petr Písař <ppisar@xxxxxxxxxx>
+---
+ t/op/taint.t | 14 +++++++++++++-
+ 1 file changed, 13 insertions(+), 1 deletion(-)
+
+diff --git a/t/op/taint.t b/t/op/taint.t
+index f9e8331..a13fde4 100644
+--- a/t/op/taint.t
++++ b/t/op/taint.t
+@@ -1967,7 +1967,19 @@ foreach my $ord (78, 163, 256) {
+ SKIP: {
+ skip 'No crypt function, skipping crypt tests', 4 if(!$Config{d_crypt});
+ # 59998
+- sub cr { my $x = crypt($_[0], $_[1]); $x }
++ sub cr {
++ # On platforms implementing FIPS mode, using a weak algorithm
++ # (including the default triple-DES algorithm) causes crypt(3) to
++ # return a null pointer, which Perl converts into undef. We assume
++ # for now that all such platforms support glibc-style selection of
++ # a different hashing algorithm.
++ my $alg = ''; # Use default algorithm
++ if ( !defined(crypt("ab", "cd")) ) {
++ $alg = '$5$'; # Use SHA-256
++ }
++ my $x = crypt($_[0], $alg . $_[1]);
++ $x
++ }
+ sub co { my $x = ~$_[0]; $x }
+ my ($a, $b);
+ $a = cr('hello', 'foo' . $TAINT);
+--
+1.9.3
+
diff --git a/perl.spec b/perl.spec
index ac51a12..b886938 100644
--- a/perl.spec
+++ b/perl.spec
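Review bot: In the new `cr` helper of the embedded t/op/taint.t patch, the SHA-256 fallback is assumed rather than checked: if `crypt("ab", "cd")` is undef and the platform also rejects a `$5$` salt, `cr` still returns undef and the "tainted crypt" checks would presumably fail just as they did before the patch. Making that case an explicit skip keeps a crypt policy difference from showing up as a taint-tracking failure, for example `skip 'crypt() supports neither the default nor the $5$ salt', 4 unless defined(crypt("ab", "cd")) || defined(crypt("ab", '$5$cd'));` next to the existing `skip` line (the count 4 is copied from that line). The probe inside `cr` also reruns on every call; its arguments are untainted constants, so it could be evaluated once. The added comment could also state that `$alg . $_[1]` keeps the taint of the caller's salt, which is what the test depends on. The SKIP block opens in this hunk and continues outside it.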
@@ -97,6 +97,10 @@ Patch26: perl-5.18.2-Destroy-GDBM-NDBM-ODBM-SDBM-_File-objects-only-from-
 # in upstream after 5.21.6
 Patch27: perl-5.21.6-Report-inaccesible-file-on-failed-require.patch
+# Use stronger algorithm needed for FIPS in t/op/taint.t, bug #1128032,
+# RT#123338
+Patch28: perl-5.21.6-t-op-taint.t-Perform-SHA-256-algorithm-by-crypt-if-d.patch
+
 # Link XS modules to libperl.so with EU::CBuilder on Linux, bug #960048
 Patch200: perl-5.16.3-Link-XS-modules-to-libperl.so-with-EU-CBuilder-on-Li.patch
@@ -1977,6 +1981,7 @@ tarball from perl.org.
 %patch25 -p1
 %patch26 -p1
 %patch27 -p1
+%patch28 -p1
 %patch200 -p1
 %patch201 -p1
@@ -1997,6 +2002,7 @@ perl -x patchlevel.h \
 'Fedora Patch25: Use stronger algorithm needed for FIPS in t/op/crypt.t (RT#121591)' \
 'Fedora Patch26: Make *DBM_File desctructors thread-safe (RT#61912)' \
 'Fedora Patch27: Report inaccesible file on failed require (RT#123270)' \
+ 'Fedora Patch28: Use stronger algorithm needed for FIPS in t/op/taint.t (RT#123338)' \
 'Fedora Patch200: Link XS modules to libperl.so with EU::CBuilder on Linux' \
 'Fedora Patch201: Link XS modules to libperl.so with EU::MM on Linux' \
 %{nil}
@@ -3789,6 +3795,7 @@ sed \
 %changelog
 * Mon Dec 01 2014 Petr Pisar <ppisar@xxxxxxxxxx> - 4:5.20.1-315
 - Report inaccesible file on failed require (bug #1166504)
+- Use stronger algorithm needed for FIPS in t/op/taint.t (bug #1128032)
 * Wed Nov 19 2014 Petr Pisar <ppisar@xxxxxxxxxx> - 4:5.20.1-314
 - Consider Filter::Util::Call dependency as mandatory (bug #1165183)
--
Fedora Extras Perl SIG http://www.fedoraproject.org/wiki/Extras/SIGs/Perl perl-devel mailing list perl-devel@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/perl-devel