From 942dbc03dfa7d7b0367aea597bee6e4ac0d346c2 Mon Sep 17 00:00:00 2001
From: Jitka Plesnikova
Date: Mon, 12 Jun 2023 16:12:28 +0200
Subject: [PATCH] Upgrade to 3.32 as provided in perl-5.37.12
---
 Storable-3.25-Upgrade-to-3.26.patch | 62 --------
 ...tch => Storable-3.25-Upgrade-to-3.32.patch | 137 ++++++++++++++++--
 perl-Storable.spec | 15 +-
 3 files changed, 132 insertions(+), 82 deletions(-)
 delete mode 100644 Storable-3.25-Upgrade-to-3.26.patch
 rename Storable-3.26-Upgrade-to-3.31.patch => Storable-3.25-Upgrade-to-3.32.patch (71%)
diff --git a/Storable-3.25-Upgrade-to-3.26.patch b/Storable-3.25-Upgrade-to-3.26.patch
deleted file mode 100644
index fbd35e2..0000000
--- a/Storable-3.25-Upgrade-to-3.26.patch
+++ /dev/null
@@ -1,62 +0,0 @@ -From f987887d23adbbc950435921d0585c005cb03258 Mon Sep 17 00:00:00 2001 -From: Jitka Plesnikova -Date: Thu, 12 May 2022 12:34:06 +0200 -Subject: [PATCH] Upgrade to 3.26 - ---- - Makefile.PL | 2 +- - Storable.pm | 2 +- - Storable.xs | 4 ++-- - 3 files changed, 4 insertions(+), 4 deletions(-) - -diff --git a/Makefile.PL b/Makefile.PL -index e03e141..b705654 100644 ---- a/Makefile.PL -+++ b/Makefile.PL -@@ -29,7 +29,7 @@ WriteMakefile( - 'ExtUtils::MakeMaker' => '6.31', - }, - TEST_REQUIRES => { -- 'Test::More' => '0.41', -+ 'Test::More' => '0.82', - }, - ) - : () ), -diff --git a/Storable.pm b/Storable.pm -index 8e6ab25..ef417c6 100644 ---- a/Storable.pm -+++ b/Storable.pm -@@ -28,7 +28,7 @@ our @EXPORT_OK = qw( - our ($canonical, $forgive_me); - - BEGIN { -- our $VERSION = '3.25'; -+ our $VERSION = '3.26'; - } - - our $recursion_limit; -diff --git a/Storable.xs b/Storable.xs -index 6944b76..53c838c 100644 ---- a/Storable.xs -+++ b/Storable.xs -@@ -2187,7 +2187,7 @@ static AV *array_call(pTHX_ - XPUSHs(sv_2mortal(newSViv(cloning))); /* Cloning flag */ - PUTBACK; - -- count = call_sv(hook, G_ARRAY); /* Go back to Perl code */ -+ count = call_sv(hook, G_LIST); /* Go back to Perl code */ - - SPAGAIN; - -@@ -3318,7 +3318,7 @@ static int get_regexp(pTHX_ stcxt_t *cxt, SV* sv, SV **re, SV **flags) { - XPUSHs(rv); - PUTBACK; - /* optimize to call the XS directly later */ -- count = call_sv((SV*)cv, G_ARRAY); -+ count = call_sv((SV*)cv, G_LIST); - SPAGAIN; - if (count < 2) - CROAK(("re::regexp_pattern returned only %d results", (int)count)); --- -2.34.3 - diff --git a/Storable-3.26-Upgrade-to-3.31.patch b/Storable-3.25-Upgrade-to-3.32.patch similarity index 71% rename from Storable-3.26-Upgrade-to-3.31.patch rename to Storable-3.25-Upgrade-to-3.32.patch index c9e591f..e67bc46 100644 --- a/Storable-3.26-Upgrade-to-3.31.patch +++ b/Storable-3.25-Upgrade-to-3.32.patch 
@@ -1,32 +1,127 @@ -From c898c00503adcf74e9d6b96c3c6feb2539a19664 Mon Sep 17 00:00:00 2001 +From 93b4cf22054a0e3f9f5d4ae8eaec85e8ca28944c Mon Sep 17 00:00:00 2001 
From: Jitka Plesnikova -Date: Thu, 18 May 2023 17:12:30 +0200 -Subject: [PATCH] Upgrade to 3.31 +Date: Mon, 12 Jun 2023 16:00:23 +0200 +Subject: [PATCH] Upgrade to 3.32 --- - Storable.pm | 2 +- - Storable.xs | 107 ++++++++++++++++++++++++++++++++++++++++++---------- - t/blessed.t | 53 +++++++++++++++++++++++++- - t/boolean.t | 84 +++++++++++++++++++++++++++++++++++++++++ + ChangeLog | 29 ++++++++++++++ + Makefile.PL | 2 +- + Storable.pm | 30 ++++++++------ + Storable.xs | 111 ++++++++++++++++++++++++++++++++++++++++++---------- + t/blessed.t | 53 ++++++++++++++++++++++++- + t/boolean.t | 84 +++++++++++++++++++++++++++++++++++++++ t/malice.t | 6 +-- - 5 files changed, 228 insertions(+), 24 deletions(-) + 7 files changed, 278 insertions(+), 37 deletions(-) create mode 100644 t/boolean.t +diff --git a/ChangeLog b/ChangeLog +index b1f4790..6619543 100644 +--- a/ChangeLog ++++ b/ChangeLog +@@ -1,3 +1,32 @@ ++2023-05-26 21:36:00 demerphq ++ version 3.32 ++ * Update security advisory to be more clear ++ ++2023-02-26 00:31:32 demerphq ++ version 3.31 ++ * Fixup for ppport fix in 3.30 ++ ++2023-02-22 09:56:27 leont ++ version 3.30 ++ * Use ppport for all modules in dist. ++ ++2023-01-04 17:33:24 iabyn ++ version 3.29 ++ * Store code fixes identified from refcounted stack patch ++ ++2022-11-08 10:12:46 tony ++ version 3.28 ++ * Store hook error reporting improvements ++ * Store hook handles regex objects properly. ++ ++2022-06-20 20:32:29 toddr ++ version 3.27 ++ * Use cBOOL instead of !! in xs code ++ ++2022-04-18 17:36:00 toddr ++ version 3.26 ++ * Conform to ppport.h 3.68 recommendations ++ + 2021-08-30 07:46:52 nwclark + version 3.25 + * No changes from previous version +diff --git a/Makefile.PL b/Makefile.PL +index e03e141..b705654 100644 +--- a/Makefile.PL ++++ b/Makefile.PL +@@ -29,7 +29,7 @@ WriteMakefile( + 'ExtUtils::MakeMaker' => '6.31', + }, + TEST_REQUIRES => { +- 'Test::More' => '0.41', ++ 'Test::More' => '0.82', + }, + ) + : () ), 
diff --git a/Storable.pm b/Storable.pm -index ef417c6..32fd772 100644 +index 8e6ab25..d531f2b 100644 --- a/Storable.pm +++ b/Storable.pm 
@@ -28,7 +28,7 @@ our @EXPORT_OK = qw( our ($canonical, $forgive_me); BEGIN { -- our $VERSION = '3.26'; -+ our $VERSION = '3.31'; +- our $VERSION = '3.25'; ++ our $VERSION = '3.32'; } our $recursion_limit; +@@ -1197,11 +1197,16 @@ compartment: + + =head1 SECURITY WARNING + +-B ++B There is ++B way to configure Storable so that it can be used safely to process ++untrusted data. While there I various options that can be used to ++mitigate specific security issues these options do I comprise a ++complete safety net for the user, and processing untrusted data may ++result in segmentation faults, remote code execution, or privilege ++escalation. The following lists some known features which represent ++security issues that should be considered by users of this module. + +-Some features of Storable can lead to security vulnerabilities if you +-accept Storable documents from untrusted sources with the default +-flags. Most obviously, the optional (off by default) CODE reference ++Most obviously, the optional (off by default) CODE reference + serialization feature allows transfer of code to the deserializing + process. Furthermore, any serialized object will cause Storable to + helpfully load the module corresponding to the class of the object in +@@ -1224,12 +1229,15 @@ With the default setting of C<$Storable::flags> = 6, creating or destroying + random objects, even renamed objects can be controlled by an attacker. + See CVE-2015-1592 and its metasploit module. + +-If your application requires accepting data from untrusted sources, +-you are best off with a less powerful and more-likely safe +-serialization format and implementation. If your data is sufficiently +-simple, L, L or L are the best +-choices and offer maximum interoperability, but note that Sereal is +-L. ++If your application requires accepting data from untrusted sources, you ++are best off with a less powerful and more-likely safe serialization ++format and implementation. 
If your data is sufficiently simple, ++L or L are fine alternatives. For ++more complex data structures containing various Perl specific data types ++like regular expressions or aliased data L is the best ++alternative and offers maximum interoperability. Note that Sereal is ++L, but you can configure ++the encoder and decoder to mitigate any security issues. + + =head1 WARNING + diff --git a/Storable.xs b/Storable.xs -index 53c838c..a558dd7 100644 +index 6944b76..a558dd7 100644 --- a/Storable.xs +++ b/Storable.xs @@ -16,18 +16,13 @@ @@ -101,6 +196,15 @@ index 53c838c..a558dd7 100644 (sv_retrieve_t)retrieve_other, /* SX_LAST */ }; +@@ -2187,7 +2190,7 @@ static AV *array_call(pTHX_ + XPUSHs(sv_2mortal(newSViv(cloning))); /* Cloning flag */ + PUTBACK; + +- count = call_sv(hook, G_ARRAY); /* Go back to Perl code */ ++ count = call_sv(hook, G_LIST); /* Go back to Perl code */ + + SPAGAIN; + @@ -2454,6 +2457,16 @@ static int store_scalar(pTHX_ stcxt_t *cxt, SV *sv) pv = SvPV(sv, len); /* We know it's SvPOK */ goto string; /* Share code below */ @@ -126,6 +230,15 @@ index 53c838c..a558dd7 100644 len = SvCUR(text); reallen = strlen(SvPV_nolen(text)); +@@ -3318,7 +3332,7 @@ static int get_regexp(pTHX_ stcxt_t *cxt, SV* sv, SV **re, SV **flags) { + XPUSHs(rv); + PUTBACK; + /* optimize to call the XS directly later */ +- count = call_sv((SV*)cv, G_ARRAY); ++ count = call_sv((SV*)cv, G_LIST); + SPAGAIN; + if (count < 2) + CROAK(("re::regexp_pattern returned only %d results", (int)count)); @@ -3567,7 +3581,10 @@ static int store_hook( int need_large_oids = 0; #endif diff --git a/perl-Storable.spec b/perl-Storable.spec index c103563..5c5f4aa 100644 --- a/perl-Storable.spec +++ b/perl-Storable.spec 
@@ -1,17 +1,15 @@ %global base_version 3.25 Name: perl-Storable Epoch: 1 -Version: 3.31 +Version: 3.32 Release: 1%{?dist} Summary: Persistence for Perl data structures # Storable.pm: GPL+ or Artistic License: GPL-1.0-or-later OR Artistic-1.0-Perl URL: https://metacpan.org/release/Storable Source0: https://cpan.metacpan.org/authors/id/N/NW/NWCLARK/Storable-%{base_version}.tar.gz -# Unbundled from perl 5.35.11 -Patch0: Storable-3.25-Upgrade-to-3.26.patch -# Unbundled from perl 5.37.11 -Patch1: Storable-3.26-Upgrade-to-3.31.patch +# Unbundled from perl 5.37.12 +Patch0: Storable-3.25-Upgrade-to-3.32.patch BuildRequires: coreutils BuildRequires: gcc BuildRequires: make @@ -88,9 +86,7 @@ Tests from %{name}. Execute them with "%{_libexecdir}/%{name}/test". %prep -%setup -q -n Storable-%{base_version} -%patch -P0 -p1 -%patch -P1 -p1 +%autosetup -p1 -n Storable-%{base_version} # Help generators to recognize Perl scripts for F in t/*.t t/*.pl; do @@ -140,6 +136,9 @@ make test %{_libexecdir}/%{name} %changelog +* Mon Jun 12 2023 Jitka Plesnikova - 1:3.32-1 +- Upgrade to 3.32 as provided in perl-5.37.12 + * Thu May 18 2023 Jitka Plesnikova - 1:3.31-1 - Upgrade to 3.31 as provided in perl-5.37.11
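Review bot: The comment `# Unbundled from perl 5.37.12` above `Patch0` in the first hunk is the only provenance recorded for a patch that, per its own diffstat, changes 111 lines of `Storable.xs` on top of the 3.25 CPAN tarball in `Source0`. Nothing visible in the spec lets a later packager regenerate the patch and compare it against what ships, which matters for a module whose C code parses serialized input. I would extend the comment to state how the patch was produced, for example `# Generated by diffing Storable-%{base_version} against dist/Storable in the perl-5.37.12 source tarball`; the actual procedure is not shown here, so adjust the wording to what was done. Since 5.37.x is a perl development series, it is also worth saying in that comment that taking the module from it is intentional.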