Upgrade to 3.32 as provided in perl-5.37.12

Storable-3.25-Upgrade-to-3.26.patch

@@ -1,62 +0,0 @@
-From f987887d23adbbc950435921d0585c005cb03258 Mon Sep 17 00:00:00 2001
-From: Jitka Plesnikova <jplesnik@redhat.com>
-Date: Thu, 12 May 2022 12:34:06 +0200
-Subject: [PATCH] Upgrade to 3.26
-
----
- Makefile.PL | 2 +-
- Storable.pm | 2 +-
- Storable.xs | 4 ++--
- 3 files changed, 4 insertions(+), 4 deletions(-)
-
-diff --git a/Makefile.PL b/Makefile.PL
-index e03e141..b705654 100644
---- a/Makefile.PL
-+++ b/Makefile.PL
-@@ -29,7 +29,7 @@ WriteMakefile(
-                 'ExtUtils::MakeMaker' => '6.31',
-             },
-             TEST_REQUIRES => {
--                'Test::More' => '0.41',
-+                'Test::More' => '0.82',
-             },
-            )
-         : () ),
-diff --git a/Storable.pm b/Storable.pm
-index 8e6ab25..ef417c6 100644
---- a/Storable.pm
-+++ b/Storable.pm
-@@ -28,7 +28,7 @@ our @EXPORT_OK = qw(
- our ($canonical, $forgive_me);
- 
- BEGIN {
--  our $VERSION = '3.25';
-+  our $VERSION = '3.26';
- }
- 
- our $recursion_limit;
-diff --git a/Storable.xs b/Storable.xs
-index 6944b76..53c838c 100644
---- a/Storable.xs
-+++ b/Storable.xs
-@@ -2187,7 +2187,7 @@ static AV *array_call(pTHX_
-     XPUSHs(sv_2mortal(newSViv(cloning)));	/* Cloning flag */
-     PUTBACK;
- 
--    count = call_sv(hook, G_ARRAY);	/* Go back to Perl code */
-+    count = call_sv(hook, G_LIST);	/* Go back to Perl code */
- 
-     SPAGAIN;
- 
-@@ -3318,7 +3318,7 @@ static int get_regexp(pTHX_ stcxt_t *cxt, SV* sv, SV **re, SV **flags) {
-     XPUSHs(rv);
-     PUTBACK;
-     /* optimize to call the XS directly later */
--    count = call_sv((SV*)cv, G_ARRAY);
-+    count = call_sv((SV*)cv, G_LIST);
-     SPAGAIN;
-     if (count < 2)
-       CROAK(("re::regexp_pattern returned only %d results", (int)count));
--- 
-2.34.3
-

Storable-3.25-Upgrade-to-3.32.patch

@@ -1,32 +1,127 @@
-From c898c00503adcf74e9d6b96c3c6feb2539a19664 Mon Sep 17 00:00:00 2001
+From 93b4cf22054a0e3f9f5d4ae8eaec85e8ca28944c Mon Sep 17 00:00:00 2001
 From: Jitka Plesnikova <jplesnik@redhat.com>
-Date: Thu, 18 May 2023 17:12:30 +0200
-Subject: [PATCH] Upgrade to 3.31
+Date: Mon, 12 Jun 2023 16:00:23 +0200
+Subject: [PATCH] Upgrade to 3.32
 
 ---
- Storable.pm |   2 +-
- Storable.xs | 107 ++++++++++++++++++++++++++++++++++++++++++----------
- t/blessed.t |  53 +++++++++++++++++++++++++-
- t/boolean.t |  84 +++++++++++++++++++++++++++++++++++++++++
+ ChangeLog   |  29 ++++++++++++++
+ Makefile.PL |   2 +-
+ Storable.pm |  30 ++++++++------
+ Storable.xs | 111 ++++++++++++++++++++++++++++++++++++++++++----------
+ t/blessed.t |  53 ++++++++++++++++++++++++-
+ t/boolean.t |  84 +++++++++++++++++++++++++++++++++++++++
  t/malice.t  |   6 +--
- 5 files changed, 228 insertions(+), 24 deletions(-)
+ 7 files changed, 278 insertions(+), 37 deletions(-)
  create mode 100644 t/boolean.t
 
+diff --git a/ChangeLog b/ChangeLog
+index b1f4790..6619543 100644
+--- a/ChangeLog
++++ b/ChangeLog
+@@ -1,3 +1,32 @@
++2023-05-26 21:36:00 demerphq
++    version 3.32
++        * Update security advisory to be more clear
++
++2023-02-26 00:31:32 demerphq
++    version 3.31
++        * Fixup for ppport fix in 3.30
++
++2023-02-22 09:56:27 leont
++    version 3.30
++        * Use ppport for all modules in dist.
++
++2023-01-04 17:33:24 iabyn
++    version 3.29
++        * Store code fixes identified from refcounted stack patch
++
++2022-11-08 10:12:46 tony
++    version 3.28
++        * Store hook error reporting improvements
++	* Store hook handles regex objects properly.
++
++2022-06-20 20:32:29 toddr
++    version 3.27
++        * Use cBOOL instead of !! in xs code
++
++2022-04-18 17:36:00 toddr
++    version 3.26
++        * Conform to ppport.h 3.68 recommendations
++
+ 2021-08-30 07:46:52 nwclark
+     version 3.25
+         * No changes from previous version
+diff --git a/Makefile.PL b/Makefile.PL
+index e03e141..b705654 100644
+--- a/Makefile.PL
++++ b/Makefile.PL
+@@ -29,7 +29,7 @@ WriteMakefile(
+                 'ExtUtils::MakeMaker' => '6.31',
+             },
+             TEST_REQUIRES => {
+-                'Test::More' => '0.41',
++                'Test::More' => '0.82',
+             },
+            )
+         : () ),
 diff --git a/Storable.pm b/Storable.pm
-index ef417c6..32fd772 100644
+index 8e6ab25..d531f2b 100644
 --- a/Storable.pm
 +++ b/Storable.pm
 @@ -28,7 +28,7 @@ our @EXPORT_OK = qw(
  our ($canonical, $forgive_me);
  
  BEGIN {
--  our $VERSION = '3.26';
-+  our $VERSION = '3.31';
+-  our $VERSION = '3.25';
++  our $VERSION = '3.32';
  }
  
  our $recursion_limit;
+@@ -1197,11 +1197,16 @@ compartment:
+ 
+ =head1 SECURITY WARNING
+ 
+-B<Do not accept Storable documents from untrusted sources!>
++B<Do not accept Storable documents from untrusted sources!> There is
++B<no> way to configure Storable so that it can be used safely to process
++untrusted data.  While there I<are> various options that can be used to
++mitigate specific security issues these options do I<not> comprise a
++complete safety net for the user, and processing untrusted data may
++result in segmentation faults, remote code execution, or privilege
++escalation.  The following lists some known features which represent
++security issues that should be considered by users of this module.
+ 
+-Some features of Storable can lead to security vulnerabilities if you
+-accept Storable documents from untrusted sources with the default
+-flags. Most obviously, the optional (off by default) CODE reference
++Most obviously, the optional (off by default) CODE reference
+ serialization feature allows transfer of code to the deserializing
+ process. Furthermore, any serialized object will cause Storable to
+ helpfully load the module corresponding to the class of the object in
+@@ -1224,12 +1229,15 @@ With the default setting of C<$Storable::flags> = 6, creating or destroying
+ random objects, even renamed objects can be controlled by an attacker.
+ See CVE-2015-1592 and its metasploit module.
+ 
+-If your application requires accepting data from untrusted sources,
+-you are best off with a less powerful and more-likely safe
+-serialization format and implementation. If your data is sufficiently
+-simple, L<Cpanel::JSON::XS>, L<Data::MessagePack> or L<Sereal> are the best
+-choices and offer maximum interoperability, but note that Sereal is
+-L<unsafe by default|Sereal::Decoder/ROBUSTNESS>.
++If your application requires accepting data from untrusted sources, you
++are best off with a less powerful and more-likely safe serialization
++format and implementation.  If your data is sufficiently simple,
++L<Cpanel::JSON::XS> or L<Data::MessagePack> are fine alternatives.  For
++more complex data structures containing various Perl specific data types
++like regular expressions or aliased data L<Sereal> is the best
++alternative and offers maximum interoperability.  Note that Sereal is
++L<unsafe by default|Sereal::Decoder/ROBUSTNESS>, but you can configure
++the encoder and decoder to mitigate any security issues.
+ 
+ =head1 WARNING
+ 
 diff --git a/Storable.xs b/Storable.xs
-index 53c838c..a558dd7 100644
+index 6944b76..a558dd7 100644
 --- a/Storable.xs
 +++ b/Storable.xs
 @@ -16,18 +16,13 @@
@@ -101,6 +196,15 @@ index 53c838c..a558dd7 100644
      (sv_retrieve_t)retrieve_other,  	/* SX_LAST */
  };
  
+@@ -2187,7 +2190,7 @@ static AV *array_call(pTHX_
+     XPUSHs(sv_2mortal(newSViv(cloning)));	/* Cloning flag */
+     PUTBACK;
+ 
+-    count = call_sv(hook, G_ARRAY);	/* Go back to Perl code */
++    count = call_sv(hook, G_LIST);	/* Go back to Perl code */
+ 
+     SPAGAIN;
+ 
 @@ -2454,6 +2457,16 @@ static int store_scalar(pTHX_ stcxt_t *cxt, SV *sv)
              pv = SvPV(sv, len);		/* We know it's SvPOK */
              goto string;			/* Share code below */
@@ -126,6 +230,15 @@ index 53c838c..a558dd7 100644
      len = SvCUR(text);
      reallen = strlen(SvPV_nolen(text));
  
+@@ -3318,7 +3332,7 @@ static int get_regexp(pTHX_ stcxt_t *cxt, SV* sv, SV **re, SV **flags) {
+     XPUSHs(rv);
+     PUTBACK;
+     /* optimize to call the XS directly later */
+-    count = call_sv((SV*)cv, G_ARRAY);
++    count = call_sv((SV*)cv, G_LIST);
+     SPAGAIN;
+     if (count < 2)
+       CROAK(("re::regexp_pattern returned only %d results", (int)count));
 @@ -3567,7 +3581,10 @@ static int store_hook(
      int need_large_oids = 0;
  #endif

perl-Storable.spec

@@ -1,17 +1,15 @@
 %global base_version 3.25
 Name:           perl-Storable
 Epoch:          1
-Version:        3.31
+Version:        3.32
 Release:        1%{?dist}
 Summary:        Persistence for Perl data structures
 # Storable.pm:  GPL+ or Artistic
 License:        GPL-1.0-or-later OR Artistic-1.0-Perl
 URL:            https://metacpan.org/release/Storable
 Source0:        https://cpan.metacpan.org/authors/id/N/NW/NWCLARK/Storable-%{base_version}.tar.gz
-# Unbundled from perl 5.35.11
-Patch0:         Storable-3.25-Upgrade-to-3.26.patch
-# Unbundled from perl 5.37.11
-Patch1:         Storable-3.26-Upgrade-to-3.31.patch
+# Unbundled from perl 5.37.12
+Patch0:         Storable-3.25-Upgrade-to-3.32.patch
 BuildRequires:  coreutils
 BuildRequires:  gcc
 BuildRequires:  make
@@ -88,9 +86,7 @@ Tests from %{name}. Execute them
 with "%{_libexecdir}/%{name}/test".
 
 %prep
-%setup -q -n Storable-%{base_version}
-%patch -P0 -p1
-%patch -P1 -p1
+%autosetup -p1 -n Storable-%{base_version}
 
 # Help generators to recognize Perl scripts
 for F in t/*.t t/*.pl; do
@@ -140,6 +136,9 @@ make test
 %{_libexecdir}/%{name}
 
 %changelog
+* Mon Jun 12 2023 Jitka Plesnikova <jplesnik@redhat.com> - 1:3.32-1
+- Upgrade to 3.32 as provided in perl-5.37.12
+
 * Thu May 18 2023 Jitka Plesnikova <jplesnik@redhat.com> - 1:3.31-1
 - Upgrade to 3.31 as provided in perl-5.37.11