[perl-Data-FormValidator] add patch to resolve CVE-2011-2201

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



commit d91b0ad89c375422f9537f21a5d00babb1f8f9bb
Author: Iain Arnell <iarnell@xxxxxxxxx>
Date:   Sun Aug 28 08:30:06 2011 +0200

    add patch to resolve CVE-2011-2201

 cve-2011-2201.patch          |   38 ++++++++++++++++++++++++++++++++++++++
 perl-Data-FormValidator.spec |    9 ++++++++-
 2 files changed, 46 insertions(+), 1 deletions(-)
---
diff --git a/cve-2011-2201.patch b/cve-2011-2201.patch
new file mode 100644
index 0000000..3432266
--- /dev/null
+++ b/cve-2011-2201.patch
@@ -0,0 +1,38 @@
+diff -up Data-FormValidator-4.66/lib/Data/FormValidator/Results.pm.orig Data-FormValidator-4.66/lib/Data/FormValidator/Results.pm
+--- Data-FormValidator-4.66/lib/Data/FormValidator/Results.pm.orig	2010-02-24 15:31:03.000000000 +0100
++++ Data-FormValidator-4.66/lib/Data/FormValidator/Results.pm	2011-08-28 08:26:22.000000000 +0200
+@@ -807,7 +807,7 @@ sub _create_sub_from_RE {
+             # With methods, the value is the second argument
+             my $val = $force_method_p ? $_[1] : $_[0];
+             my ($match) = scalar ($val =~ $re);
+-            if ($untaint_this && defined $match) {
++            if ($untaint_this && $match) {
+                 # pass the value through a RE that matches anything to untaint it.
+                 my ($untainted) = ($&  =~ m/(.*)/s);
+                 return $untainted;
+diff -up Data-FormValidator-4.66/t/untaint_match_check.t.orig Data-FormValidator-4.66/t/untaint_match_check.t
+--- Data-FormValidator-4.66/t/untaint_match_check.t.orig	2011-08-28 08:26:54.000000000 +0200
++++ Data-FormValidator-4.66/t/untaint_match_check.t	2011-08-28 08:26:30.000000000 +0200
+@@ -0,0 +1,22 @@
++use strict;
++use warnings;
++
++use Test::More tests => 3;
++
++use Data::FormValidator;
++
++"unrelated match" =~ /match/;
++
++my $result = Data::FormValidator->check(
++    { a => 'invalid value' },    # input data
++    {                            # validation profile
++        untaint_all_constraints => 1,
++        optional                => ['a'],
++        constraints             => { a => qr/never matches/, },
++    },
++);
++
++ok( not $result->success )
++    or diag( 'Valid: ', $result->valid );
++ok( $result->has_invalid );
++is_deeply( scalar($result->invalid), { 'a' => [ qr/never matches/ ] } );
diff --git a/perl-Data-FormValidator.spec b/perl-Data-FormValidator.spec
index 445e5e5..99a7f08 100644
--- a/perl-Data-FormValidator.spec
+++ b/perl-Data-FormValidator.spec
@@ -1,11 +1,14 @@
 Name:           perl-Data-FormValidator
 Version:        4.66
-Release:        5%{?dist}
+Release:        6%{?dist}
 Summary:        Validates user input (usually from an HTML form) based on input profile
 License:        GPL+ or Artistic
 Group:          Development/Libraries
 URL:            http://search.cpan.org/dist/Data-FormValidator/
 Source0:        http://www.cpan.org/authors/id/M/MA/MARKSTOS/Data-FormValidator-%{version}.tar.gz
+# see https://bugzilla.redhat.com/show_bug.cgi?id=712694
+# and https://rt.cpan.org/Public/Bug/Display.html?id=61792
+Patch0:         cve-2011-2201.patch
 BuildRoot:      %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 BuildArch:      noarch
 BuildRequires:  perl >= 0:5.008
@@ -35,6 +38,7 @@ simple format.
 
 %prep
 %setup -q -n Data-FormValidator-%{version}
+%patch0 -p1
 
 %build
 %{__perl} Build.PL installdirs=vendor
@@ -61,6 +65,9 @@ rm -rf $RPM_BUILD_ROOT
 %{_mandir}/man3/*
 
 %changelog
+* Sun Aug 28 2011 Iain Arnell <iarnell@xxxxxxxxx> 4.66-6
+- add patch to resolve CVE-2011-2201
+
 * Wed Jul 20 2011 Petr Sabata <contyk@xxxxxxxxxx> - 4.66-5
 - Perl mass rebuild
 
--
Fedora Extras Perl SIG
http://www.fedoraproject.org/wiki/Extras/SIGs/Perl
perl-devel mailing list
perl-devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/perl-devel


[Index of Archives]     [Fedora Announce]     [Fedora Kernel]     [Fedora Testing]     [Fedora Legacy Announce]     [Fedora PHP Devel]     [Kernel Devel]     [Fedora Legacy]     [Fedora Maintainers]     [Fedora Desktop]     [PAM]     [Red Hat Development]     [Big List of Linux Books]     [Gimp]     [Yosemite Information]
  Powered by Linux