commit 3834dd7566f4f999906a98d81cfd1d1de7145fd6
Author: Petr Písař <ppisar@xxxxxxxxxx>
Date: Thu Apr 25 11:11:00 2013 +0200
Open configuration file for reading explicitly
...-0.06-Open-configuration-file-for-reading.patch | 30 ++++++++++++++++++++
perl-Log-Message.spec | 8 ++++-
2 files changed, 37 insertions(+), 1 deletions(-)
---
diff --git a/Log-Message-0.06-Open-configuration-file-for-reading.patch b/Log-Message-0.06-Open-configuration-file-for-reading.patch
new file mode 100644
index 0000000..58481c1
--- /dev/null
+++ b/Log-Message-0.06-Open-configuration-file-for-reading.patch
@@ -0,0 +1,30 @@
+From 66f18d5a6a6a17f574505b280ca8acc6a21f6451 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@xxxxxxxxxx>
+Date: Thu, 25 Apr 2013 10:51:00 +0200
+Subject: [PATCH] Open configuration file for reading
+
+This patch opens configuration file for reading only, allows to
+use file which names starts with special character, like '<', and
+prevents from opening malicious file like '>/etc/passwd'.
+
+Thanks to Florian Weimer for spotting it.
+---
+ lib/Log/Message/Config.pm | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/Log/Message/Config.pm b/lib/Log/Message/Config.pm
+index e326e40..5bd115e 100644
+--- a/lib/Log/Message/Config.pm
++++ b/lib/Log/Message/Config.pm
+@@ -70,7 +70,7 @@ sub _read_config_file {
+ 
+ my $conf = {};
+ my $FH = new FileHandle;
+- $FH->open("$file") or (
++ $FH->open("$file", 'r') or (
+ warn(loc(q[Could not open config file '%1': %2],$file,$!)),
+ return {}
+ );
+--
+1.8.1.4
+
diff --git a/perl-Log-Message.spec b/perl-Log-Message.spec
index a073eda..ff4ee94 100644
--- a/perl-Log-Message.spec
+++ b/perl-Log-Message.spec
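Review bot: The explicit `'r'` mode in `$FH->open("$file", 'r')` is the right fix, but nothing in the code records why that mode must not be dropped again, so a later "cleanup" back to the one-argument form would silently reintroduce the `>/etc/passwd` truncation the patch description warns about. Add a comment above the call, e.g. `# Always pass a mode: FileHandle then uses three-argument open, so a $file such as '>/etc/passwd' or '<foo' is a plain filename, never a redirection or a pipe.` (that is how I read IO::File's open(); worth confirming against the Perl version you ship). The surrounding `new FileHandle` (indirect object syntax) and the needless interpolation in `"$file"` are pre-existing, but `FileHandle->new` and a bare `$file` would read more clearly while you are on these lines. If the distribution has a test suite, a regression test that `_read_config_file` called with a name beginning with '>' neither creates nor truncates that path would pin the behaviour; no such test is visible in this commit. `_read_config_file` begins before and continues past this hunk.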
@@ -2,12 +2,14 @@ Name: perl-Log-Message
 # Epoch to compete with perl.spec
 Epoch: 1
 Version: 0.06
-Release: 1%{?dist}
+Release: 2%{?dist}
 Summary: Generic message storing mechanism
 License: GPL+ or Artistic
 Group: Development/Libraries
 URL: http://search.cpan.org/dist/Log-Message/
 Source0: http://www.cpan.org/authors/id/B/BI/BINGOS/Log-Message-%{version}.tar.gz
+# Bug #955210, CPAN RT #84844
+Patch0: Log-Message-0.06-Open-configuration-file-for-reading.patch
 BuildArch: noarch
 BuildRequires: perl(ExtUtils::MakeMaker)
 BuildRequires: perl(strict)
@@ -41,6 +43,7 @@ your own handlers for dealing with messages.
 
 %prep
 %setup -q -n Log-Message-%{version}
+%patch0 -p1
 
 %build
 perl Makefile.PL INSTALLDIRS=vendor
@@ -60,6 +63,9 @@ make test
 %{_mandir}/man3/*
 
 %changelog
+* Thu Apr 25 2013 Petr Pisar <ppisar@xxxxxxxxxx> - 1:0.06-2
+- Open configuration file for reading explicitly (bug #955210)
+
 * Thu Jan 24 2013 Petr Pisar <ppisar@xxxxxxxxxx> 1:0.06-1
 - Specfile autogenerated by cpanspec 1.78.
 - Require deprecated module if needed
--
Fedora Extras Perl SIG
http://www.fedoraproject.org/wiki/Extras/SIGs/Perl
perl-devel mailing list
perl-devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/perl-devel