2.16 bump

Petr Písař 2017-02-15 11:07:30 +01:00
parent fcb1885c4f
commit be3831d860
12 changed files with 15 additions and 462 deletions

1
.gitignore vendored

@ -1,3 +1,4 @@
/CPAN-2.05.tar.gz
/CPAN-2.10.tar.gz
/CPAN-2.14.tar.gz
/CPAN-2.16.tar.gz


@ -1,56 +0,0 @@
From 20cdb1ffd8ac90e1ea41949d887b7bf27d855317 Mon Sep 17 00:00:00 2001
From: Andreas Koenig <andk@cpan.org>
Date: Sat, 27 Aug 2016 17:45:46 +0200
Subject: [PATCH] Bugfix #47934: version requirement with "==" was ignored
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
- reason was that uptodateness was checked earlier and considered sufficient
- adding a check where the uptodateness check appears
- resolving with a warning that continues, we cannot downgrade anyway
Signed-off-by: Petr Písař <ppisar@redhat.com>
---
lib/CPAN/Distribution.pm | 16 +++++++++++++---
1 file changed, 13 insertions(+), 3 deletions(-)
diff --git a/lib/CPAN/Distribution.pm b/lib/CPAN/Distribution.pm
index ac62b65..fa9300d 100644
--- a/lib/CPAN/Distribution.pm
+++ b/lib/CPAN/Distribution.pm
@@ -2838,9 +2838,21 @@ sub unsat_prereq {
$CPAN::SQLite->search("CPAN::Module",$need_module);
}
$nmo = $CPAN::META->instance("CPAN::Module",$need_module);
- next if $nmo->uptodate;
$inst_file = $nmo->inst_file || '';
$available_file = $nmo->available_file || '';
+ $available_version = $nmo->available_version;
+ if ($nmo->uptodate) {
+ my $accepts = $merged->accepts_module($need_module, $available_version);
+ unless ($accepts) {
+ my $rq = $merged->requirements_for_module( $need_module );
+ $CPAN::Frontend->mywarn(
+ "Warning: Version '$available_version' of ".
+ "'$need_module' is up to date but does not ".
+ "fulfill requirements ($rq). I will continue, ".
+ "but chances to succeed are low.\n");
+ }
+ next NEED;
+ }
# if they have not specified a version, we accept any installed one
if ( $available_file
@@ -2853,8 +2865,6 @@ sub unsat_prereq {
next NEED;
}
}
-
- $available_version = $nmo->available_version;
}
# We only want to install prereqs if either they're not installed
--
2.7.4


@ -1,82 +0,0 @@
From 394ac06dc5e9e94a81c39c43135d1635f516422e Mon Sep 17 00:00:00 2001
From: Tony Cook <tony@develop-help.com>
Date: Wed, 27 Jul 2016 12:14:13 +1000
Subject: [PATCH] CVE-2016-1238: don't load optional modules from default .
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
App::Cpan attempts to load several optional modules, which an attacker
can use if cpan is run from a directory writable by other users, such
as /tmp.
Signed-off-by: Petr Písař <ppisar@redhat.com>
---
lib/App/Cpan.pm | 21 ++++++++++++++++-----
1 file changed, 16 insertions(+), 5 deletions(-)
diff --git a/lib/App/Cpan.pm b/lib/App/Cpan.pm
index f43dea9..c654c2c 100644
--- a/lib/App/Cpan.pm
+++ b/lib/App/Cpan.pm
@@ -549,9 +549,20 @@ sub AUTOLOAD { 1 }
sub DESTROY { 1 }
}
+# load a module without searching the default entry for the current
+# directory
+sub _safe_load_module {
+ my $name = shift;
+
+ local @INC = @INC;
+ pop @INC if $INC[-1] eq '.';
+
+ eval "require $name; 1";
+}
+
sub _init_logger
{
- my $log4perl_loaded = eval "require Log::Log4perl; 1";
+ my $log4perl_loaded = _safe_load_module("Log::Log4perl");
unless( $log4perl_loaded )
{
@@ -1020,7 +1031,7 @@ sub _load_local_lib # -I
{
$logger->debug( "Loading local::lib" );
- my $rc = eval { require local::lib; 1; };
+ my $rc = _safe_load_module("local::lib");
unless( $rc ) {
$logger->die( "Could not load local::lib" );
}
@@ -1160,7 +1171,7 @@ sub _get_file
{
my $path = shift;
- my $loaded = eval "require LWP::Simple; 1;";
+ my $loaded = _safe_load_module("LWP::Simple");
croak "You need LWP::Simple to use features that fetch files from CPAN\n"
unless $loaded;
@@ -1182,7 +1193,7 @@ sub _gitify
{
my $args = shift;
- my $loaded = eval "require Archive::Extract; 1;";
+ my $loaded = _safe_load_module("Archive::Extract");
croak "You need Archive::Extract to use features that gitify distributions\n"
unless $loaded;
@@ -1245,7 +1256,7 @@ sub _show_Changes
sub _get_changes_file
{
croak "Reading Changes files requires LWP::Simple and URI\n"
- unless eval "require LWP::Simple; require URI; 1";
+ unless _safe_load_module("LWP::Simple") && _safe_load_module("URI");
my $url = shift;
--
2.7.4


@ -1,32 +0,0 @@
From 5c3f9935b2ac05fcd41b4c933fa05f326903484c Mon Sep 17 00:00:00 2001
From: Andreas Koenig <andk@cpan.org>
Date: Fri, 8 Jul 2016 21:25:53 +0200
Subject: [PATCH] Emergency fix for bug
https://rt.cpan.org/Ticket/Display.html?id=115734
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Petr Písař <ppisar@redhat.com>
---
lib/App/Cpan.pm | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/lib/App/Cpan.pm b/lib/App/Cpan.pm
index 59642ed..d770bf5 100644
--- a/lib/App/Cpan.pm
+++ b/lib/App/Cpan.pm
@@ -1480,7 +1480,9 @@ sub _expand_module
{
my( $module ) = @_;
- my $expanded = CPAN::Shell->expand( "Module", $module );
+ my $expanded = CPAN::Shell->expandany( $module );
+ return $expanded if $expanded;
+ $expanded = CPAN::Shell->expand( "Module", $module );
unless( defined $expanded ) {
$logger->error( "Could not expand [$module]. Check the module name." );
my $threshold = (
--
2.7.4


@ -1,31 +0,0 @@
From cbf4929aeba4b5c8fa4b6151655d5206b54e758e Mon Sep 17 00:00:00 2001
From: Andreas Koenig <andk@cpan.org>
Date: Fri, 8 Jul 2016 21:37:54 +0200
Subject: [PATCH] Emergency fix for bug
https://rt.cpan.org/Ticket/Display.html?id=115786
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Petr Písař <ppisar@redhat.com>
---
lib/App/Cpan.pm | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/lib/App/Cpan.pm b/lib/App/Cpan.pm
index d770bf5..268c49d 100644
--- a/lib/App/Cpan.pm
+++ b/lib/App/Cpan.pm
@@ -1336,7 +1336,8 @@ sub _show_out_of_date
foreach my $module ( @$modules )
{
- next unless $module->inst_file;
+ next unless $module = _expand_module($module);
+ next unless $module->inst_file;
next if $module->uptodate;
printf "%-40s %.4f %.4f\n",
$module->id,
--
2.7.4


@ -1,63 +0,0 @@
From 705b9f68906d584e2d0bf9c2fd634778f1ba9b35 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
Date: Tue, 18 Oct 2016 14:35:09 +0200
Subject: [PATCH] Fix CVE-2016-1238 completely
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
These are remains ported from perl-v5.24.1-RC4 commit:
commit 5f66e9fffdc3d0c6e0846cd1f11298e70c786c30
Author: Tony Cook <tony@develop-help.com>
Date: Tue Jun 21 10:02:02 2016 +1000
(perl #127834) remove . from the end of @INC if complex modules are loaded
While currently Encode and Storable are know to attempt to load modules
not included in the core, updates to other modules may lead to those
also attempting to load new modules, so be safe and remove . for those
as well.
Signed-off-by: Petr Písař <ppisar@redhat.com>
---
lib/CPAN.pm | 4 ++++
scripts/cpan | 1 +
2 files changed, 5 insertions(+)
diff --git a/lib/CPAN.pm b/lib/CPAN.pm
index 69cc7b8..ae66eaf 100644
--- a/lib/CPAN.pm
+++ b/lib/CPAN.pm
@@ -1128,6 +1128,8 @@ sub has_usable {
]
};
if ($usable->{$mod}) {
+ local @INC = @INC;
+ pop @INC if $INC[-1] eq '.';
for my $c (0..$#{$usable->{$mod}}) {
my $code = $usable->{$mod}[$c];
my $ret = eval { &$code() };
@@ -1170,6 +1172,8 @@ sub has_inst {
$CPAN::META->{dontload_hash}{$mod}||=1; # unsafe meta access, ok
return 0;
}
+ local @INC = @INC;
+ pop @INC if $INC[-1] eq '.';
my $file = $mod;
my $obj;
$file =~ s|::|/|g;
diff --git a/scripts/cpan b/scripts/cpan
index 5555090..cceab30 100644
--- a/scripts/cpan
+++ b/scripts/cpan
@@ -1,5 +1,6 @@
#!/usr/local/bin/perl
+BEGIN { pop @INC if $INC[-1] eq '.' }
use strict;
use vars qw($VERSION);
--
2.7.4


@ -1,40 +0,0 @@
From e8fd8b3f0fbd20e82ae04035178ce84fcf7cd0f1 Mon Sep 17 00:00:00 2001
From: Andreas Koenig <andk@cpan.org>
Date: Sat, 9 Jul 2016 03:04:25 +0200
Subject: [PATCH] Prevent trying Net::FTP when an ftp_proxy variable is set to
an http proxy
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
- reported in https://rt.cpan.org/Ticket/Display.html?id=110833
Signed-off-by: Petr Písař <ppisar@redhat.com>
---
lib/CPAN.pm | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/lib/CPAN.pm b/lib/CPAN.pm
index ab2d00f..6e460a8 100644
--- a/lib/CPAN.pm
+++ b/lib/CPAN.pm
@@ -1064,6 +1064,16 @@ sub has_usable {
},
],
'Net::FTP' => [
+ sub {
+ my $var = $CPAN::Config->{ftp_proxy} || $ENV{ftp_proxy};
+ if ($var and $var =~ /^http:/) {
+ # rt #110833
+ for ("Net::FTP cannot handle http proxy") {
+ $CPAN::Frontend->mywarn($_);
+ die $_;
+ }
+ }
+ },
sub {require Net::FTP},
sub {require Net::Config},
],
--
2.7.4

View File

@ -1,45 +0,0 @@
From 5e0110a0e9a019b5acd107bf4b3593e95cf9cfb8 Mon Sep 17 00:00:00 2001
From: Andreas Koenig <andk@cpan.org>
Date: Sun, 10 Jul 2016 12:30:48 +0200
Subject: [PATCH] URL schemes are case-tolerant, so the regexp should have /i
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
- thanks for the hint from Father C.
Signed-off-by: Petr Písař <ppisar@redhat.com>
---
lib/CPAN.pm | 2 +-
lib/CPAN/FTP.pm | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/lib/CPAN.pm b/lib/CPAN.pm
index 6e460a8..fdb7869 100644
--- a/lib/CPAN.pm
+++ b/lib/CPAN.pm
@@ -1066,7 +1066,7 @@ sub has_usable {
'Net::FTP' => [
sub {
my $var = $CPAN::Config->{ftp_proxy} || $ENV{ftp_proxy};
- if ($var and $var =~ /^http:/) {
+ if ($var and $var =~ /^http:/i) {
# rt #110833
for ("Net::FTP cannot handle http proxy") {
$CPAN::Frontend->mywarn($_);
diff --git a/lib/CPAN/FTP.pm b/lib/CPAN/FTP.pm
index 0c338c5..03a51fb 100644
--- a/lib/CPAN/FTP.pm
+++ b/lib/CPAN/FTP.pm
@@ -665,7 +665,7 @@ sub hostdleasy { #called from hostdlxxx
# Net::FTP can still succeed where LWP fails. So we do not
# skip Net::FTP anymore when LWP is available.
}
- } elsif ($url =~ /^http:/ && $CPAN::META->has_usable('HTTP::Tiny')) {
+ } elsif ($url =~ /^http:/i && $CPAN::META->has_usable('HTTP::Tiny')) {
require CPAN::HTTP::Client;
my $chc = CPAN::HTTP::Client->new(
proxy => $CPAN::Config->{http_proxy} || $ENV{http_proxy},
--
2.7.4


@ -1,35 +0,0 @@
From 0bae2227c75b922a1d7441bf7bee58d01afb1dc8 Mon Sep 17 00:00:00 2001
From: Andreas Koenig <andk@cpan.org>
Date: Mon, 29 Aug 2016 22:04:52 +0200
Subject: [PATCH] accepts_module must be protected with an eval
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
- otherwise cannot tolerate version numbers like 2.08a
- could run into endless loop with "test Dancer::Plugin::SimpleCRUD"
which depended on HTML::Table 2.08a which was installed
Signed-off-by: Petr Písař <ppisar@redhat.com>
---
lib/CPAN/Distribution.pm | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/lib/CPAN/Distribution.pm b/lib/CPAN/Distribution.pm
index fa9300d..ef85a3c 100644
--- a/lib/CPAN/Distribution.pm
+++ b/lib/CPAN/Distribution.pm
@@ -2842,7 +2842,9 @@ sub unsat_prereq {
$available_file = $nmo->available_file || '';
$available_version = $nmo->available_version;
if ($nmo->uptodate) {
- my $accepts = $merged->accepts_module($need_module, $available_version);
+ my $accepts = eval {
+ $merged->accepts_module($need_module, $available_version);
+ };
unless ($accepts) {
my $rq = $merged->requirements_for_module( $need_module );
$CPAN::Frontend->mywarn(
--
2.7.4

View File

@ -1,38 +0,0 @@
From f7fc39436aa91c783142fef58853abdb30a5d2bc Mon Sep 17 00:00:00 2001
From: Simon Legner <Simon.Legner@gmail.com>
Date: Tue, 11 Oct 2016 12:47:56 +0200
Subject: [PATCH] $logger->die does not exist
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Petr Písař <ppisar@redhat.com>
---
lib/App/Cpan.pm | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/lib/App/Cpan.pm b/lib/App/Cpan.pm
index c654c2c..742cbd2 100644
--- a/lib/App/Cpan.pm
+++ b/lib/App/Cpan.pm
@@ -1033,7 +1033,7 @@ sub _load_local_lib # -I
my $rc = _safe_load_module("local::lib");
unless( $rc ) {
- $logger->die( "Could not load local::lib" );
+ $logger->logdie( "Could not load local::lib" );
}
local::lib->import;
@@ -1045,7 +1045,7 @@ sub _use_these_mirrors # -M
{
$logger->debug( "Setting per session mirrors" );
unless( $_[0] ) {
- $logger->die( "The -M switch requires a comma-separated list of mirrors" );
+ $logger->logdie( "The -M switch requires a comma-separated list of mirrors" );
}
$CPAN::Config->{urllist} = [ split /,/, $_[0] ];
--
2.7.4


@ -1,6 +1,6 @@
Name: perl-CPAN
Version: 2.14
Release: 5%{?dist}
Version: 2.16
Release: 1%{?dist}
Summary: Query, download and build perl modules from CPAN sites
License: GPL+ or Artistic
Group: Development/Libraries
@ -10,31 +10,9 @@ Source0: http://www.cpan.org/authors/id/A/AN/ANDK/CPAN-%{version}.tar.gz
Patch0: CPAN-2.14-Attemp-to-create-site-library-directories-on-first-t.patch
# Change configuration directory name
Patch1: CPAN-2.14-Replace-configuration-directory-string-with-a-marke.patch
# Fix installation from a working directory, CPAN RT#115734, fixed after 2.14
Patch2: CPAN-2.14-Emergency-fix-for-bug-https-rt.cpan.org-Ticket-Displ.patch
# Fix "cpan -O" invocation, CPAN RT#115786, fixed after 2.14
Patch3: CPAN-2.14-Emergency-fix-for-cpan-o.patch
# Do not use Net::FTP if ftp_proxy variable points to an HTTP server,
# CPAN RT#110833, fixed after 2.14
Patch4: CPAN-2.14-Prevent-trying-Net-FTP-when-an-ftp_proxy-variable-is.patch
# Recognize URL schemata disregarding the case, fixed after 2.14
Patch5: CPAN-2.14-URL-schemes-are-case-tolerant-so-the-regexp-should-h.patch
# Fix CVE-2016-1238 (loading optional modules from current working directory),
# CPAN RT#116507, fixed after 2.14
Patch6: CPAN-2.14-CVE-2016-1238-don-t-load-optional-modules-from-defau.patch
# Recognize exact version dependency operator, CPAN RT#47934, fixed after 2.14
Patch7: CPAN-2.14-Bugfix-47934-version-requirement-with-was-ignored.patch
# Cope with non-digit version strings, fixed after 2.14
Patch8: CPAN-2.14-accepts_module-must-be-protected-with-an-eval.patch
# Fix CVE-2016-1238 completely, CPAN RT#116507
Patch9: CPAN-2.14-Fix-CVE-2016-1238-completely.patch
# Do not search cpan -j file in @INC, required for
# Fix-CVE-2016-1238-completely.patch, CPAN RT#116507, proposed in
# Do not search cpan -j file in @INC, CPAN RT#116507, proposed in
# <https://github.com/andk/cpanpm/pull/105>
Patch10: CPAN-2.14-For-cpan-j-make-the-file-an-absolute-path.patch
# Fix logging fatal errors, fixed after 2.14,
# <https://github.com/andk/cpanpm/pull/104>
Patch11: CPAN-2.14-logger-die-does-not-exist.patch
Patch2: CPAN-2.14-For-cpan-j-make-the-file-an-absolute-path.patch
BuildArch: noarch
BuildRequires: coreutils
BuildRequires: findutils
@ -50,14 +28,13 @@ BuildRequires: perl(vars)
BuildRequires: sed
# Optional:
BuildRequires: perl(File::Spec)
%if !%{defined perl_bootstrap}
BuildRequires: perl(YAML::Syck)
%endif
# YAML::Syck is not not used because @ST_PREFS is empty in Makefile.PL
# Run-time:
# Prefer Archive::Tar and Compress::Zlib over tar and gzip
BuildRequires: perl(Archive::Tar) >= 1.50
%if !%{defined perl_bootstrap}
# Prefer Archive::Zip over unzip
BuildRequires: perl(Archive::Zip)
%endif
BuildRequires: perl(autouse)
@ -169,8 +146,9 @@ Requires: perl(URI)
Requires: perl(URI::Escape)
%endif
Requires: perl(User::pwent)
# Optional but higly recommended:
# Optional but highly recommended:
%if !%{defined perl_bootstrap}
# Prefer Archive::Zip over unzip
Requires: perl(Archive::Zip)
Requires: perl(Compress::Bzip2)
Requires: perl(CPAN::Meta) >= 2.110350
@ -193,6 +171,8 @@ Requires: perl(Text::Glob)
# Text::Levenshtein::XS or Text::Levenshtein::Damerau::XS or Text::Levenshtein
# or Text::Levenshtein::Damerau::PP
Suggests: perl(Text::Levenshtein::Damerau::XS)
# YAML::Syck or YAML or Data::Dumper
Suggests: perl(YAML::Syck)
%endif
Provides: cpan = %{version}
@ -213,15 +193,6 @@ external download clients to fetch distributions from the net.
%patch0 -p1
%patch1 -p1
%patch2 -p1
%patch3 -p1
%patch4 -p1
%patch5 -p1
%patch6 -p1
%patch7 -p1
%patch8 -p1
%patch9 -p1
%patch10 -p1
%patch11 -p1
# Change configuration name
find -type f -exec sed -i -e 's/XCPANCONFIGNAMEX/cpan/g' {} \;
# Remove bundled modules
@ -248,6 +219,9 @@ make test
%{_mandir}/man3/*
%changelog
* Wed Feb 15 2017 Petr Pisar <ppisar@redhat.com> - 2.16-1
- 2.16 bump
* Sat Feb 11 2017 Fedora Release Engineering <releng@fedoraproject.org> - 2.14-5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
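Review bot: Nothing in the spec or the new changelog entry records that the CVE-2016-1238 hardening dropped with `Patch6` and `Patch9` is actually present in the 2.16 tarball. The removed `Patch9` comment, unlike the other removed patch comments, never said "fixed after 2.14", and the deleted patch describes itself as a port from perl-v5.24.1-RC4, so it is worth confirming in the unpacked 2.16 source that `.` is still trimmed from `@INC` in `has_usable`, `has_inst` and `scripts/cpan`. If it is, I would say so in the changelog, for example `- 2.16 bump (CVE-2016-1238 fixes from Patch6 and Patch9 are included upstream)`. The retained cpan -j patch (now `Patch2`) lost its "required for Fix-CVE-2016-1238-completely.patch" wording, which presumably holds only if upstream carries the same `@INC` change.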


@ -1 +1 @@
7ee0c5f8db95c590818979397237aeda CPAN-2.14.tar.gz
SHA512 (CPAN-2.16.tar.gz) = 178f350d498643b692616d1190320451ffe4e7f184a47ec6080cd2760e69d05752a47de5861869648879b5e121a89f46455e3b7be6acde7833aec635492f578d