0.35 bump
parent
6301165364
commit
b4ba8eabfb
|
@ -1,3 +1,4 @@
|
|||
/Sys-Syslog-0.32.tar.gz
|
||||
/Sys-Syslog-0.33.tar.gz
|
||||
/Sys-Syslog-0.34.tar.gz
|
||||
/Sys-Syslog-0.35.tar.gz
|
||||
|
|
|
@ -1,34 +0,0 @@
|
|||
From 15488839b5e8141d120db913c22fdbada9597b93 Mon Sep 17 00:00:00 2001
|
||||
From: Tony Cook <tony@develop-help.com>
|
||||
Date: Thu, 28 Jul 2016 13:34:55 +1000
|
||||
Subject: [PATCH] CVE-2016-1238: avoid loading optional modules from default .
|
||||
|
||||
Sys::Syslog treats two modules as optional, attemptting to load them
|
||||
and not requiring them (Win32 only.)
|
||||
|
||||
If a user runs a program using Sys::Syslog in a world writable
|
||||
directory (like %windir%\Temp) a local attacker can create
|
||||
Win32\EventLog.pm in that directory to run code as the running user.
|
||||
|
||||
This patch temporarily removes the default . from @INC to prevent
|
||||
that attack.
|
||||
---
|
||||
Syslog.pm | 2 ++
|
||||
1 file changed, 2 insertions(+)
|
||||
|
||||
diff --git a/Syslog.pm b/Syslog.pm
|
||||
index 7978f04..06169a8 100644
|
||||
--- a/Syslog.pm
|
||||
+++ b/Syslog.pm
|
||||
@@ -918,6 +918,8 @@ sub silent_eval (&) {
|
||||
sub can_load {
|
||||
my ($module, $verbose) = @_;
|
||||
local($SIG{__DIE__}, $SIG{__WARN__}, $@);
|
||||
+ local @INC = @INC;
|
||||
+ pop @INC if $INC[-1] eq '.';
|
||||
my $loaded = eval "use $module; 1";
|
||||
warn $@ if not $loaded and $verbose;
|
||||
return $loaded
|
||||
--
|
||||
2.1.4
|
||||
|
|
@ -1,6 +1,6 @@
|
|||
Name: perl-Sys-Syslog
|
||||
Version: 0.34
|
||||
Release: 4%{?dist}
|
||||
Version: 0.35
|
||||
Release: 1%{?dist}
|
||||
Summary: Perl interface to the UNIX syslog(3) calls
|
||||
# README: GPL+ or Artistic
|
||||
# ppport.h: GPL+ or Artistic
|
||||
|
@ -11,8 +11,6 @@ License: GPL+ or Artistic
|
|||
Group: Development/Libraries
|
||||
URL: http://search.cpan.org/dist/Sys-Syslog/
|
||||
Source0: http://www.cpan.org/authors/id/S/SA/SAPER/Sys-Syslog-%{version}.tar.gz
|
||||
# Avoid loading optional modules from default . (CVE-2016-1238)
|
||||
Patch0: Sys-Syslog-0.34-CVE-2016-1238-avoid-loading-optional-modules-from.patch
|
||||
BuildRequires: coreutils
|
||||
BuildRequires: findutils
|
||||
BuildRequires: gcc
|
||||
|
@ -42,6 +40,7 @@ BuildRequires: perl(warnings::register)
|
|||
BuildRequires: perl(XSLoader)
|
||||
# DynaLoader not used
|
||||
# Tests:
|
||||
BuildRequires: perl(FileHandle)
|
||||
BuildRequires: perl(Data::Dumper)
|
||||
BuildRequires: perl(Test::More)
|
||||
# Optional tests:
|
||||
|
@ -67,7 +66,6 @@ a string priority and a list of printf() arguments just like at syslog(3).
|
|||
|
||||
%prep
|
||||
%setup -q -n Sys-Syslog-%{version}
|
||||
%patch0 -p1
|
||||
|
||||
chmod -x eg/*
|
||||
# Inhibit bundled syslog.h
|
||||
|
@ -100,6 +98,9 @@ make test
|
|||
%{_mandir}/man3/*
|
||||
|
||||
%changelog
|
||||
* Mon Sep 05 2016 Petr Pisar <ppisar@redhat.com> - 0.35-1
|
||||
- 0.35 bump
|
||||
|
||||
* Wed Aug 03 2016 Jitka Plesnikova <jplesnik@redhat.com> - 0.34-4
|
||||
- Avoid loading optional modules from default . (CVE-2016-1238)
|
||||
|
||||
|
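Review bot: The `Patch0:` line and the `%patch0 -p1` step that applied the CVE-2016-1238 fix are removed together with the bump to 0.35, but the new changelog entry `- 0.35 bump` does not say why the fix is no longer carried, so a reader of the spec cannot tell whether the shipped package still avoids loading the optional Win32 modules from the default `.` in @INC. If upstream 0.35 already contains that guard (the `local @INC = @INC; pop @INC if $INC[-1] eq '.';` lines in `can_load` shown in the deleted patch), record it in the changelog, e.g. `- 0.35 bump (CVE-2016-1238 fix now upstream, drop Patch0)`; if it does not, the patch should be rebased onto 0.35 rather than dropped. Checking the 0.35 tarball's Syslog.pm for that guard before merging would settle which case applies; nothing on this page confirms it.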
|