commit d91b0ad89c375422f9537f21a5d00babb1f8f9bb
Author: Iain Arnell <iarnell@xxxxxxxxx>
Date: Sun Aug 28 08:30:06 2011 +0200
add patch to resolve CVE-2011-2201
cve-2011-2201.patch | 38 ++++++++++++++++++++++++++++++++++++++
perl-Data-FormValidator.spec | 9 ++++++++-
2 files changed, 46 insertions(+), 1 deletions(-)
---
diff --git a/cve-2011-2201.patch b/cve-2011-2201.patch
new file mode 100644
index 0000000..3432266
--- /dev/null
+++ b/cve-2011-2201.patch
@@ -0,0 +1,38 @@
+diff -up Data-FormValidator-4.66/lib/Data/FormValidator/Results.pm.orig Data-FormValidator-4.66/lib/Data/FormValidator/Results.pm
+--- Data-FormValidator-4.66/lib/Data/FormValidator/Results.pm.orig 2010-02-24 15:31:03.000000000 +0100
++++ Data-FormValidator-4.66/lib/Data/FormValidator/Results.pm 2011-08-28 08:26:22.000000000 +0200
+@@ -807,7 +807,7 @@ sub _create_sub_from_RE {
+ # With methods, the value is the second argument
+ my $val = $force_method_p ? $_[1] : $_[0];
+ my ($match) = scalar ($val =~ $re);
+- if ($untaint_this && defined $match) {
++ if ($untaint_this && $match) {
+ # pass the value through a RE that matches anything to untaint it.
+ my ($untainted) = ($& =~ m/(.*)/s);
+ return $untainted;
+diff -up Data-FormValidator-4.66/t/untaint_match_check.t.orig Data-FormValidator-4.66/t/untaint_match_check.t
+--- Data-FormValidator-4.66/t/untaint_match_check.t.orig 2011-08-28 08:26:54.000000000 +0200
++++ Data-FormValidator-4.66/t/untaint_match_check.t 2011-08-28 08:26:30.000000000 +0200
+@@ -0,0 +1,22 @@
++use strict;
++use warnings;
++
++use Test::More tests => 3;
++
++use Data::FormValidator;
++
++"unrelated match" =~ /match/;
++
++my $result = Data::FormValidator->check(
++ { a => 'invalid value' }, # input data
++ { # validation profile
++ untaint_all_constraints => 1,
++ optional => ['a'],
++ constraints => { a => qr/never matches/, },
++ },
++);
++
++ok( not $result->success )
++ or diag( 'Valid: ', $result->valid );
++ok( $result->has_invalid );
++is_deeply( scalar($result->invalid), { 'a' => [ qr/never matches/ ] } );
diff --git a/perl-Data-FormValidator.spec b/perl-Data-FormValidator.spec
index 445e5e5..99a7f08 100644
--- a/perl-Data-FormValidator.spec
+++ b/perl-Data-FormValidator.spec
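Review bot: The corrected condition is right, but the reason for it is not recorded in the code, so a later cleanup could easily put `defined $match` back: in scalar context a failed `$val =~ $re` yields `''`, which is defined, so the old test always entered the untaint branch and `$&` still held whatever earlier, unrelated match had last succeeded — exactly the situation the new test sets up with `"unrelated match" =~ /match/`. Add a comment above the `if`, e.g. `# A failed scalar-context match returns '' (defined but false); test truth, not definedness, so $& from an earlier unrelated match is never returned as the untainted value.` The regression test only exercises the plain-function form; the `$force_method_p` path takes the same branch, so a second case that invokes the constraint as a method would pin that too, if the profile syntax allows it. `_create_sub_from_RE` begins and ends outside the hunk.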
@@ -1,11 +1,14 @@
 Name: perl-Data-FormValidator
 Version: 4.66
-Release: 5%{?dist}
+Release: 6%{?dist}
 Summary: Validates user input (usually from an HTML form) based on input profile
 License: GPL+ or Artistic
 Group: Development/Libraries
 URL: http://search.cpan.org/dist/Data-FormValidator/
 Source0: http://www.cpan.org/authors/id/M/MA/MARKSTOS/Data-FormValidator-%{version}.tar.gz
+# see https://bugzilla.redhat.com/show_bug.cgi?id=712694
+# and https://rt.cpan.org/Public/Bug/Display.html?id=61792
+Patch0: cve-2011-2201.patch
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 BuildArch: noarch
 BuildRequires: perl >= 0:5.008
@@ -35,6 +38,7 @@ simple format.
 %prep
 %setup -q -n Data-FormValidator-%{version}
+%patch0 -p1
 %build
 %{__perl} Build.PL installdirs=vendor
@@ -61,6 +65,9 @@ rm -rf $RPM_BUILD_ROOT
 %{_mandir}/man3/*
 %changelog
+* Sun Aug 28 2011 Iain Arnell <iarnell@xxxxxxxxx> 4.66-6
+- add patch to resolve CVE-2011-2201
+
 * Wed Jul 20 2011 Petr Sabata <contyk@xxxxxxxxxx> - 4.66-5
 - Perl mass rebuild
--
Fedora Extras Perl SIG http://www.fedoraproject.org/wiki/Extras/SIGs/Perl
perl-devel mailing list
perl-devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/perl-devel
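Review bot: The comment above `Patch0:` links two bug trackers but never names the vulnerability the patch fixes, so a reader of the spec has to open the changelog or one of the bugs to learn it is CVE-2011-2201; `# CVE-2011-2201: see https://bugzilla.redhat.com/show_bug.cgi?id=712694` on the first comment line would make the spec self-describing. The `-p1` in the `%prep` hunk matches the `Data-FormValidator-4.66/...` prefixes used inside the patch, so the strip level looks right. Whether the added `t/untaint_match_check.t` actually runs at build time depends on a `%check` section that is outside these hunks.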