rpms
/
perl-File-Path
20
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

import perl-File-Path-2.12-368.module+el8.1.0+2926+ce7246ad

Browse Source
c8-stream-5.24 imports/c8-stream-5.24/perl-File-Path-2.12-368.module+el8.1.0+2926+ce7246ad
CentOS Sources 5 years ago committed by MSVSphere Packaging Team
commit 86832308fc
4 changed files with 293 additions and 0 deletions
Show Stats Download Patch File Download Diff File

1
.gitignore vendored
Unescape View File

@ -0,0 +1 @@
SOURCES/File-Path-2.12.tar.gz

1
.perl-File-Path.metadata
Unescape View File

@ -0,0 +1 @@
346a8b06e02b3bf517e23c3d242b3b2d2a7fc5ac SOURCES/File-Path-2.12.tar.gz

165
SOURCES/File-Path-2.12-Prevent-directory-chmod-race-attack.patch
Unescape View File

@ -0,0 +1,165 @@
From e9cc25a6109e9191bcbf59a967ed6c60b0156f72 Mon Sep 17 00:00:00 2001
From: John Lightsey <john@nixnuts.net>
Date: Tue, 2 May 2017 12:03:52 -0500
Subject: [PATCH] Prevent directory chmod race attack.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
CVE-2017-6512 is a race condition attack where the chmod() of directories
that cannot be entered is misused to change the permissions on other
files or directories on the system. This has been corrected by limiting
the directory-permission loosening logic to systems where fchmod() is
supported.
Petr Písař: Ported to 2.12.
Signed-off-by: Petr Písař <ppisar@redhat.com>
---
lib/File/Path.pm | 39 +++++++++++++++++++++++++--------------
t/Path.t | 40 ++++++++++++++++++++++++++--------------
2 files changed, 51 insertions(+), 28 deletions(-)
diff --git a/lib/File/Path.pm b/lib/File/Path.pm
index 36f12cc..871f43a 100644
--- a/lib/File/Path.pm
+++ b/lib/File/Path.pm
@@ -354,21 +354,32 @@ sub _rmtree {
# see if we can escalate privileges to get in
# (e.g. funny protection mask such as -w- instead of rwx)
- $perm &= oct '7777';
- my $nperm = $perm | oct '700';
- if (
- !(
- $arg->{safe}
- or $nperm == $perm
- or chmod( $nperm, $root )
- )
- )
- {
- _error( $arg,
- "cannot make child directory read-write-exec", $canon );
- next ROOT_DIR;
+ # This uses fchmod to avoid traversing outside of the proper
+ # location (CVE-2017-6512)
+ my $root_fh;
+ if (open($root_fh, '<', $root)) {
+ my ($fh_dev, $fh_inode) = (stat $root_fh )[0,1];
+ $perm &= oct '7777';
+ my $nperm = $perm | oct '700';
+ local $@;
+ if (
+ !(
+ $arg->{safe}
+ or $nperm == $perm
+ or !-d _
+ or $fh_dev ne $ldev
+ or $fh_inode ne $lino
+ or eval { chmod( $nperm, $root_fh ) }
+ )
+ )
+ {
+ _error( $arg,
+ "cannot make child directory read-write-exec", $canon );
+ next ROOT_DIR;
+ }
+ close $root_fh;
}
- elsif ( !chdir($root) ) {
+ if ( !chdir($root) ) {
_error( $arg, "cannot chdir to child", $canon );
next ROOT_DIR;
}
diff --git a/t/Path.t b/t/Path.t
index 5644f57..fffc49c 100755
--- a/t/Path.t
+++ b/t/Path.t
@@ -3,7 +3,7 @@
use strict;
-use Test::More tests => 127;
+use Test::More tests => 126;
use Config;
use Fcntl ':mode';
use lib 't/';
@@ -17,6 +17,13 @@ BEGIN {
my $Is_VMS = $^O eq 'VMS';
+my $fchmod_supported = 0;
+if (open my $fh, curdir()) {
+ my ($perm) = (stat($fh))[2];
+ $perm &= 07777;
+ eval { $fchmod_supported = chmod( $perm, $fh); };
+}
+
# first check for stupid permissions second for full, so we clean up
# behind ourselves
for my $perm (0111,0777) {
@@ -298,16 +305,19 @@ is($created[0], $dir, "created directory (old style 3 mode undef) cross-check");
is(rmtree($dir, 0, undef), 1, "removed directory 3 verbose undef");
-$dir = catdir($tmp_base,'G');
-$dir = VMS::Filespec::unixify($dir) if $Is_VMS;
+SKIP: {
+ skip "fchmod of directories not supported on this platform", 3 unless $fchmod_supported;
+ $dir = catdir($tmp_base,'G');
+ $dir = VMS::Filespec::unixify($dir) if $Is_VMS;
-@created = mkpath($dir, undef, 0200);
+ @created = mkpath($dir, undef, 0400);
-is(scalar(@created), 1, "created write-only dir");
+ is(scalar(@created), 1, "created read-only dir");
-is($created[0], $dir, "created write-only directory cross-check");
+ is($created[0], $dir, "created read-only directory cross-check");
-is(rmtree($dir), 1, "removed write-only dir");
+ is(rmtree($dir), 1, "removed read-only dir");
+}
# borderline new-style heuristics
if (chdir $tmp_base) {
@@ -449,26 +459,28 @@ SKIP: {
}
SKIP : {
- my $skip_count = 19;
+ my $skip_count = 18;
# this test will fail on Windows, as per:
# http://perldoc.perl.org/perlport.html#chmod
skip "Windows chmod test skipped", $skip_count
if $^O eq 'MSWin32';
+ skip "fchmod() on directories is not supported on this platform", $skip_count
+ unless $fchmod_supported;
my $mode;
my $octal_mode;
my @inputs = (
- 0777, 0700, 0070, 0007,
- 0333, 0300, 0030, 0003,
- 0111, 0100, 0010, 0001,
- 0731, 0713, 0317, 0371, 0173, 0137,
- 00 );
+ 0777, 0700, 0470, 0407,
+ 0433, 0400, 0430, 0403,
+ 0111, 0100, 0110, 0101,
+ 0731, 0713, 0317, 0371,
+ 0173, 0137);
my $input;
my $octal_input;
- $dir = catdir($tmp_base, 'chmod_test');
foreach (@inputs) {
$input = $_;
+ $dir = catdir($tmp_base, sprintf("chmod_test%04o", $input));
# We can skip from here because 0 is last in the list.
skip "Mode of 0 means assume user defaults on VMS", 1
if ($input == 0 && $Is_VMS);
--
2.9.4

126
SPECS/perl-File-Path.spec
Unescape View File

@ -0,0 +1,126 @@
Name: perl-File-Path
Version: 2.12
Release: 368%{?dist}
Summary: Create or remove directory trees
License: GPL+ or Artistic
Group: Development/Libraries
URL: http://search.cpan.org/dist/File-Path/
Source0: http://www.cpan.org/authors/id/R/RI/RICHE/File-Path-%{version}.tar.gz
# Fix CVE-2017-6512 (setting arbitrary mode on an arbitrary file in rmtree()
# and remove_tree()), bug #1457834, CPAN RT#121951, in upstream 2.13
Patch0: File-Path-2.12-Prevent-directory-chmod-race-attack.patch
BuildArch: noarch
BuildRequires: coreutils
BuildRequires: findutils
BuildRequires: make
BuildRequires: perl
BuildRequires: perl-generators
BuildRequires: perl(ExtUtils::MakeMaker)
BuildRequires: perl(strict)
# ExtUtils::MakeMaker::Coverage not used
# Run-time:
BuildRequires: perl(Carp)
BuildRequires: perl(Cwd)
BuildRequires: perl(Exporter)
BuildRequires: perl(File::Basename)
BuildRequires: perl(File::Spec)
# Symbol not used
BuildRequires: perl(vars)
# Tests:
BuildRequires: perl(base)
BuildRequires: perl(Config)
BuildRequires: perl(Fcntl)
BuildRequires: perl(File::Spec::Functions)
BuildRequires: perl(lib)
BuildRequires: perl(SelectSaver)
BuildRequires: perl(Test::More)
BuildRequires: perl(warnings)
Requires: perl(:MODULE_COMPAT_%(eval "`perl -V:version`"; echo $version))
Requires: perl(Carp)
%description
This module provides a convenient way to create directories of arbitrary
depth and to delete an entire directory subtree from the file system.
%prep
%setup -q -n File-Path-%{version}
%patch0 -p1
%build
perl Makefile.PL INSTALLDIRS=vendor
make %{?_smp_mflags}
%install
make pure_install DESTDIR=$RPM_BUILD_ROOT
find $RPM_BUILD_ROOT -type f -name .packlist -exec rm -f {} \;
%{_fixperms} $RPM_BUILD_ROOT/*
%check
make test
%files
%doc Changes README
%{perl_vendorlib}/*
%{_mandir}/man3/*
%changelog
* Fri Mar 29 2019 Jitka Plesnikova <jplesnik@redhat.com> - 2.12-368
- Rebuild with enable hardening (bug #1636329)
* Thu Jun 01 2017 Petr Pisar <ppisar@redhat.com> - 2.12-367
- Fix CVE-2017-6512 (setting arbitrary mode on an arbitrary file in rmtree()
and remove_tree()) (bug #1457834)
* Sat Feb 11 2017 Fedora Release Engineering <releng@fedoraproject.org> - 2.12-366
- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
* Sat May 14 2016 Jitka Plesnikova <jplesnik@redhat.com> - 2.12-365
- Increase release to favour standalone package
* Thu Feb 04 2016 Fedora Release Engineering <releng@fedoraproject.org> - 2.12-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
* Mon Oct 12 2015 Petr Pisar <ppisar@redhat.com> - 2.12-1
- 2.12 bump
* Mon Jul 20 2015 Petr Pisar <ppisar@redhat.com> - 2.11-1
- 2.11 bump
* Thu Jun 18 2015 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.09-347
- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild
* Wed Jun 10 2015 Jitka Plesnikova <jplesnik@redhat.com> - 2.09-346
- Perl 5.22 re-rebuild of bootstrapped packages
* Thu Jun 04 2015 Jitka Plesnikova <jplesnik@redhat.com> - 2.09-345
- Increase release to favour standalone package
* Wed Jun 03 2015 Jitka Plesnikova <jplesnik@redhat.com> - 2.09-312
- Perl 5.22 rebuild
* Sun Sep 07 2014 Jitka Plesnikova <jplesnik@redhat.com> - 2.09-311
- Perl 5.20 re-rebuild of bootstrapped packages
* Wed Sep 03 2014 Jitka Plesnikova <jplesnik@redhat.com> - 2.09-310
- Increase release to favour standalone package
* Tue Aug 26 2014 Jitka Plesnikova <jplesnik@redhat.com> - 2.09-294
- Perl 5.20 rebuild
* Sat Jun 07 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.09-293
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
* Wed Aug 14 2013 Jitka Plesnikova <jplesnik@redhat.com> - 2.09-292
- Perl 5.18 re-rebuild of bootstrapped packages
* Sat Aug 03 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.09-291
- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild
* Mon Jul 15 2013 Petr Pisar <ppisar@redhat.com> - 2.09-290
- Increase release to favour standalone package
* Fri Jul 12 2013 Petr Pisar <ppisar@redhat.com> - 2.09-2
- Link minimal build-root packages against libperl.so explicitly
* Fri Mar 22 2013 Petr Pisar <ppisar@redhat.com> 2.09-1
- Specfile autogenerated by cpanspec 1.78.
Write Preview
Loading…
Cancel
Save