commit 2d5a8241a0aed1cdb555ce36c232178235c93104 Author: Paul Howarth <paul@xxxxxxxxxxxx> Date: Thu Mar 29 18:56:28 2012 +0100 Clean up and add patch for CVE-2012-1152 (CPAN RT#46507) - Fix various format string vulnerabilities (CVE-2012-1152, CPAN RT#46507) - De-duplicate buildreqs, with Module>Install>Tests priority - Install to vendor directories - Don't need to remove empty directories from buildroot - Don't use macros for commands - Make %files list more explicit - Tidy %description YAML-LibYAML-0.35-format-error.patch | 39 ++++++++++++++++++++ perl-YAML-LibYAML.spec | 67 ++++++++++++++++++++++------------ 2 files changed, 82 insertions(+), 24 deletions(-)
---
diff --git a/YAML-LibYAML-0.35-format-error.patch b/YAML-LibYAML-0.35-format-error.patch
new file mode 100644
index 0000000..2b25380
--- /dev/null
+++ b/YAML-LibYAML-0.35-format-error.patch
@@ -0,0 +1,39 @@
+diff -urbaN YAML-LibYAML-0.35-orig//LibYAML/perl_libyaml.c YAML-LibYAML-0.35/LibYAML/perl_libyaml.c
+--- YAML-LibYAML-0.35-orig//LibYAML/perl_libyaml.c 2011-04-03 18:28:08.000000000 +0200
++++ YAML-LibYAML-0.35/LibYAML/perl_libyaml.c 2011-04-08 09:25:49.633009787 +0200
+@@ -188,7 +188,7 @@
+ return;
+
+ load_error:
+- croak(loader_error_msg(&loader, NULL));
++ croak("%s", loader_error_msg(&loader, NULL));
+ }
+
+ /*
+@@ -271,7 +271,7 @@
+ return return_sv;
+
+ load_error:
+- croak(loader_error_msg(loader, NULL));
++ croak("%s", loader_error_msg(loader, NULL));
+ }
+
+ /*
+@@ -314,7 +314,7 @@
+ else if (strlen(tag) <= strlen(prefix) ||
+ ! strnEQ(tag, prefix, strlen(prefix))
+ ) croak(
+- loader_error_msg(loader, form("bad tag found for hash: '%s'", tag))
++ "%s", loader_error_msg(loader, form("bad tag found for hash: '%s'", tag))
+ );
+ class = tag + strlen(prefix);
+ sv_bless(hash_ref, gv_stashpv(class, TRUE));
+@@ -347,7 +347,7 @@
+ else if (strlen(tag) <= strlen(prefix) ||
+ ! strnEQ(tag, prefix, strlen(prefix))
+ ) croak(
+- loader_error_msg(loader, form("bad tag found for array: '%s'", tag))
++ "%s", loader_error_msg(loader, form("bad tag found for array: '%s'", tag))
+ );
+ class = tag + strlen(prefix);
+ sv_bless(array_ref, gv_stashpv(class, TRUE));
diff --git a/perl-YAML-LibYAML.spec b/perl-YAML-LibYAML.spec
index 3f95210..12660d7 100644
--- a/perl-YAML-LibYAML.spec
+++ b/perl-YAML-LibYAML.spec
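Review bot: Nothing in this patch shows that the four `croak()` calls it changes are the only places in perl_libyaml.c where a message built from parsed YAML is passed as the format argument. The messages at -314 and -347 embed `tag`, which appears to come from the document being loaded, so any remaining call of the same shape would be reachable from untrusted input. Building with `-Wformat -Werror=format-security` in `OPTIMIZE` would make the compiler reject any leftover non-literal format, provided Perl's headers declare `croak` with a printf format attribute. Each inner hunk carries only three lines of context, so the enclosing functions start and end outside what is shown here.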
@@ -1,67 +1,86 @@ Name: perl-YAML-LibYAML Version: 0.38 -Release: 1%{?dist} +Release: 2%{?dist} Summary: Perl YAML Serialization using XS and libyaml License: GPL+ or Artistic Group: Development/Libraries URL: http://search.cpan.org/dist/YAML-LibYAML/ Source0: http://search.cpan.org/CPAN/authors/id/I/IN/INGY/YAML-LibYAML-%{version}.tar.gz -BuildRequires: perl(B::Deparse) -BuildRequires: perl(base) -BuildRequires: perl(constant) +Patch0: YAML-LibYAML-0.35-format-error.patch + +# Install BuildRequires: perl(Cwd) -BuildRequires: perl(Exporter) BuildRequires: perl(ExtUtils::MakeMaker) BuildRequires: perl(File::Find) BuildRequires: perl(File::Path) BuildRequires: perl(File::Spec) + +# Module +BuildRequires: perl >= 3:5.8.3 +BuildRequires: perl(B::Deparse) +BuildRequires: perl(base) +BuildRequires: perl(constant) +BuildRequires: perl(Exporter) +BuildRequires: perl(XSLoader) + +# Tests +BuildRequires: perl(Devel::Peek) +BuildRequires: perl(Scalar::Util) BuildRequires: perl(Test::Builder) BuildRequires: perl(Test::Builder::Module) BuildRequires: perl(Test::More) -# Tests only -BuildRequires: perl(Devel::Peek) -BuildRequires: perl(File::Path) -BuildRequires: perl(Scalar::Util) -BuildRequires: perl(Test::Base) -BuildRequires: perl(Test::Base::Filter) BuildRequires: perl(Tie::Array) BuildRequires: perl(Tie::Hash) -Requires: perl(:MODULE_COMPAT_%(eval "`%{__perl} -V:version`"; echo $version)) +# Runtime +Requires: perl(:MODULE_COMPAT_%(eval "`perl -V:version`"; echo $version)) + +# Avoid provides for perl shared objects %{?perl_default_filter} %description -Kirill Siminov's "libyaml" is arguably the best YAML -implementation. The C library is written precisely to the YAML 1.1 -specification. It was originally bound to Python and was later -bound to Ruby. +Kirill Siminov's "libyaml" is arguably the best YAML implementation. The C +library is written precisely to the YAML 1.1 specification. It was originally +bound to Python and was later bound to Ruby. 
%prep %setup -q -n YAML-LibYAML-%{version} +# Fix format string vulnerabilities (CVE-2012-1152, CPAN RT#46507) +%patch0 -p1 + %build -%{__perl} Makefile.PL INSTALLDIRS=perl OPTIMIZE="%{optflags}" +perl Makefile.PL INSTALLDIRS=vendor OPTIMIZE="%{optflags}" make %{?_smp_mflags} %install make pure_install DESTDIR=%{buildroot} find %{buildroot} -type f -name .packlist -exec rm -f {} \; find %{buildroot} -type f -name '*.bs' -size 0 -exec rm -f {} \; -find %{buildroot} -depth -type d -exec rmdir {} 2>/dev/null \; -%{_fixperms} %{buildroot}/* +%{_fixperms} %{buildroot} %check make test %files %doc Changes README -%{perl_archlib}/auto/* -%{perl_archlib}/YAML* -%{_mandir}/man3/* +%{perl_vendorarch}/auto/YAML/ +%{perl_vendorarch}/YAML/ +%{_mandir}/man3/YAML::XS.3pm* +%{_mandir}/man3/YAML::XS::LibYAML.3pm* %changelog -* Fri Jan 13 2012 Marcela Mašláňová <mmaslano@xxxxxxxxxx> - 0.38-2 -- bump to 0.38 +* Thu Mar 29 2012 Paul Howarth <paul@xxxxxxxxxxxx> - 0.38-2 +- Fix various format string vulnerabilities (CVE-2012-1152, CPAN RT#46507) +- De-duplicate buildreqs, with Module>Install>Tests priority +- Install to vendor directories +- Don't need to remove empty directories from buildroot +- Don't use macros for commands +- Make %%files list more explicit +- Tidy %%description + +* Fri Jan 13 2012 Marcela Mašláňová <mmaslano@xxxxxxxxxx> - 0.38-1 +- Bump to 0.38 * Fri Sep 30 2011 Petr Sabata <contyk@xxxxxxxxxx> - 0.37-1 - 0.37 bump -- Fedora Extras Perl SIG http://www.fedoraproject.org/wiki/Extras/SIGs/Perl perl-devel mailing list perl-devel@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/perl-devel
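Review bot: `Patch0` was diffed against YAML-LibYAML 0.35 (see the paths and 2011 timestamps in its header), but this spec builds `Version: 0.38`, so `%patch0 -p1` depends on patch(1) locating the hunks by offset or fuzz. For a security fix it is worth ruling out a fuzzy or partial apply, either by checking the %prep output for offset/fuzz messages or by rebasing the patch on the 0.38 tree. I would also add a comment above the `Patch0:` tag, for example `# CVE-2012-1152, CPAN RT#46507: not upstream as of 0.38, re-check on every rebase`, after confirming the upstream status, so a later version bump does not silently drop the fix. `%check` runs only the upstream `make test`, and nothing visible here exercises the patched error paths.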