import perl-Storable-3.15-442.module+el8.3.0+6718+7f269185

c8-stream-5.30 imports/c8-stream-5.30/perl-Storable-3.15-442.module+el8.3.0+6718+7f269185
CentOS Sources 4 years ago committed by MSVSphere Packaging Team
commit d50dd4031b

1
.gitignore vendored

@ -0,0 +1 @@
SOURCES/Storable-3.15.tar.gz

@ -0,0 +1 @@
dfd5ef17f9cdca7c246a90cbde7948e4c0168670 SOURCES/Storable-3.15.tar.gz

@ -0,0 +1,92 @@
From 16f2ddb794883529d5a3ad8326974a07aae7e567 Mon Sep 17 00:00:00 2001
From: Tony Cook <tony@develop-help.com>
Date: Mon, 10 Jun 2019 10:17:20 +1000
Subject: [PATCH] (perl #134179) include regexps in the seen objects table on
retrieve
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Also, bless the regexp object, so freezing/thawing bless qr//, "Foo"
returns a "Foo" blesses regexp.
Signed-off-by: Petr Písař <ppisar@redhat.com>
---
dist/Storable/Storable.xs | 5 +++--
dist/Storable/t/regexp.t | 4 +++-
dist/Storable/t/weak.t | 10 +++++++++-
3 files changed, 15 insertions(+), 4 deletions(-)
diff --git a/dist/Storable/Storable.xs b/dist/Storable/Storable.xs
index ed729c94a6..6a45d8adf2 100644
--- a/dist/Storable/Storable.xs
+++ b/dist/Storable/Storable.xs
@@ -6808,8 +6808,7 @@ static SV *retrieve_regexp(pTHX_ stcxt_t *cxt, const char *cname) {
SV *sv;
dSP;
I32 count;
-
- PERL_UNUSED_ARG(cname);
+ HV *stash;
ENTER;
SAVETMPS;
@@ -6857,6 +6856,8 @@ static SV *retrieve_regexp(pTHX_ stcxt_t *cxt, const char *cname) {
sv = SvRV(re_ref);
SvREFCNT_inc(sv);
+ stash = cname ? gv_stashpv(cname, GV_ADD) : 0;
+ SEEN_NN(sv, stash, 0);
FREETMPS;
LEAVE;
diff --git a/dist/Storable/t/regexp.t b/dist/Storable/t/regexp.t
index acf28cfec6..e7c6c7e94a 100644
--- a/dist/Storable/t/regexp.t
+++ b/dist/Storable/t/regexp.t
@@ -37,7 +37,7 @@ while (<DATA>) {
}
}
-plan tests => 9 + 3*scalar(@tests);
+plan tests => 10 + 3*scalar(@tests);
SKIP:
{
@@ -75,6 +75,8 @@ SKIP:
ok(!eval { dclone($re) }, "should fail to clone, even with use re 'eval'");
}
+is(ref(dclone(bless qr//, "Foo")), "Foo", "check reblessed regexps");
+
for my $test (@tests) {
my ($code, $not, $match, $matchc, $name) = @$test;
my $qr = eval $code;
diff --git a/dist/Storable/t/weak.t b/dist/Storable/t/weak.t
index 220c70160f..48752fbec4 100644
--- a/dist/Storable/t/weak.t
+++ b/dist/Storable/t/weak.t
@@ -29,7 +29,7 @@ sub BEGIN {
}
use Test::More 'no_plan';
-use Storable qw (store retrieve freeze thaw nstore nfreeze);
+use Storable qw (store retrieve freeze thaw nstore nfreeze dclone);
require 'testlib.pl';
our $file;
use strict;
@@ -143,3 +143,11 @@ foreach (@tests) {
$stored = nfreeze $input;
tester($stored, \&freeze_and_thaw, $testsub, 'network string');
}
+
+{
+ # [perl #134179] sv_upgrade from type 7 down to type 1
+ my $foo = [qr//,[]];
+ weaken($foo->[1][0][0] = $foo->[1]);
+ my $out = dclone($foo); # croaked here
+ is_deeply($out, $foo, "check they match");
+}
--
2.20.1
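Review bot: In the second Storable.xs hunk the added `SEEN_NN(sv, stash, 0);` runs between `SvREFCNT_inc(sv)` and `FREETMPS; LEAVE;`, so an early exit inside the macro would leave the `ENTER`/`SAVETMPS` scope unbalanced and the extra reference on `sv` unreleased. SEEN_NN is defined outside this hunk, so whether it can return on failure is not visible here; if it can, moving the two added lines below `LEAVE;` avoids the problem, since the incremented refcount keeps `sv` alive across `FREETMPS`. A short comment on the new call would also help, for example `/* record the regexp in the seen table so later tags in the stream resolve to it */`. `cname` appears to be the class name taken from the data being retrieved, so `gv_stashpv(cname, GV_ADD)` creates whatever package the input names; that deserves a comment for callers who thaw untrusted data. retrieve_regexp starts and ends outside both hunks.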

@ -0,0 +1,53 @@
From f7724052d1b8b75339f5ec2cc3d5b35ca5d130b5 Mon Sep 17 00:00:00 2001
From: Tony Cook <tony@develop-help.com>
Date: Wed, 7 Aug 2019 11:13:53 +1000
Subject: [PATCH] Storable: make count large enough
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
AvARRAY() could be very large, and we check for that at line 3807,
but int was (potentially) too small to make that comparison
meaningful.
CID 174681.
Signed-off-by: Petr Písař <ppisar@redhat.com>
---
dist/Storable/Storable.xs | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/dist/Storable/Storable.xs b/dist/Storable/Storable.xs
index 6a45d8adf2..d75125b839 100644
--- a/dist/Storable/Storable.xs
+++ b/dist/Storable/Storable.xs
@@ -3662,7 +3662,7 @@ static int store_hook(
SV *ref;
AV *av;
SV **ary;
- int count; /* really len3 + 1 */
+ IV count; /* really len3 + 1 */
unsigned char flags;
char *pv;
int i;
@@ -3752,7 +3752,7 @@ static int store_hook(
SvREFCNT_dec(ref); /* Reclaim temporary reference */
count = AvFILLp(av) + 1;
- TRACEME(("store_hook, array holds %d items", count));
+ TRACEME(("store_hook, array holds %" IVdf " items", count));
/*
* If they return an empty list, it means they wish to ignore the
@@ -3986,7 +3986,7 @@ static int store_hook(
*/
TRACEME(("SX_HOOK (recursed=%d) flags=0x%x "
- "class=%" IVdf " len=%" IVdf " len2=%" IVdf " len3=%d",
+ "class=%" IVdf " len=%" IVdf " len2=%" IVdf " len3=%" IVdf,
recursed, flags, (IV)classnum, (IV)len, (IV)len2, count-1));
/* SX_HOOK <flags> [<extra>] */
--
2.20.1
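Review bot: `int i;` stays an `int` in the declaration block of the first hunk while `count` next to it is widened to `IV`, so any loop in store_hook that steps `i` up to `count` still uses the narrower type. Those loops are outside the hunks shown; if one of them runs before the size check that the commit message refers to, the declaration should become `IV i;` as well. Otherwise a one-line comment at the loop stating that `count` has already been bounded would record why `int` is safe there. In the last hunk `count-1` is passed to `%" IVdf "` without the `(IV)` cast used on the neighbouring arguments, which is correct now but reads unevenly.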

@ -0,0 +1,67 @@
From ea1e86cfdf26a330e58ea377a80273de7110011b Mon Sep 17 00:00:00 2001
From: Tony Cook <tony@develop-help.com>
Date: Wed, 21 Aug 2019 11:37:58 +1000
Subject: [PATCH] disallow vstring magic strings over 2GB-1
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
On reads this could result in buffer overflows, so avoid writing
such large vstrings to avoid causing problems for older Storable.
Since we no longer write such large vstrings, we don't want to accept
them.
I doubt that restricting versions strings to under 2GB-1 will have
a practical effect on downstream users.
fixes #17306
Signed-off-by: Petr Písař <ppisar@redhat.com>
---
dist/Storable/Storable.xs | 19 ++++++++++++++++---
1 file changed, 16 insertions(+), 3 deletions(-)
diff --git a/dist/Storable/Storable.xs b/dist/Storable/Storable.xs
index c2335680ab..d27ac58012 100644
--- a/dist/Storable/Storable.xs
+++ b/dist/Storable/Storable.xs
@@ -2628,6 +2628,12 @@ static int store_scalar(pTHX_ stcxt_t *cxt, SV *sv)
/* The macro passes this by address, not value, and a lot of
called code assumes that it's 32 bits without checking. */
const SSize_t len = mg->mg_len;
+ /* we no longer accept vstrings over I32_SIZE-1, so don't emit
+ them, also, older Storables handle them badly.
+ */
+ if (len >= I32_MAX) {
+ CROAK(("vstring too large to freeze"));
+ }
STORE_PV_LEN((const char *)mg->mg_ptr,
len, SX_VSTRING, SX_LVSTRING);
}
@@ -5937,12 +5943,19 @@ static SV *retrieve_lvstring(pTHX_ stcxt_t *cxt, const char *cname)
{
#ifdef SvVOK
char *s;
- I32 len;
+ U32 len;
SV *sv;
RLEN(len);
- TRACEME(("retrieve_lvstring (#%d), len = %" IVdf,
- (int)cxt->tagnum, (IV)len));
+ TRACEME(("retrieve_lvstring (#%d), len = %" UVuf,
+ (int)cxt->tagnum, (UV)len));
+
+ /* Since we'll no longer produce such large vstrings, reject them
+ here too.
+ */
+ if (len >= I32_MAX) {
+ CROAK(("vstring too large to fetch"));
+ }
New(10003, s, len+1, char);
SAFEPVREAD(s, len, s);
--
2.21.0
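Review bot: Neither new `CROAK` path has a test, since the diffstat lists only Storable.xs (`1 file changed`). The retrieve side can be covered cheaply by thawing a hand-built frozen value whose long-vstring length field is at or above `I32_MAX` and asserting that it dies with `vstring too large to fetch`, which needs no 2GB allocation. In store_scalar the new comment says `I32_SIZE-1` while the check compares against `I32_MAX`; it should read `/* we no longer accept vstrings of I32_MAX bytes or more, so don't emit them; older Storables handle them badly */`. In retrieve_lvstring the guard must stay ahead of `New(10003, s, len+1, char);`, which is worth stating in the comment so a later reordering does not reintroduce the unchecked allocation and read. Both functions continue outside the hunks.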

@ -0,0 +1,225 @@
Name: perl-Storable
Epoch: 1
Version: 3.15
Release: 442%{?dist}
Summary: Persistence for Perl data structures
# __Storable__.pm: GPL+ or Artistic
License: GPL+ or Artistic
URL: https://metacpan.org/release/Storable
Source0: https://cpan.metacpan.org/authors/id/X/XS/XSAWYERX/Storable-%{version}.tar.gz
# Fix deep cloning regular expression objects, RT#134179,
# in Perl upstream after 5.31.0
Patch0: Storable-3.15-perl-134179-include-regexps-in-the-seen-objects-tabl.patch
# Fix array length check in a store hook, in Perl upstream after 5.31.2
Patch1: Storable-3.16-Storable-make-count-large-enough.patch
# Fix a buffer overflow when processing a vstring longer than 2^31-1,
# Perl GH#17306, in perl upstream after 5.31.6
Patch2: perl-5.31.6-disallow-vstring-magic-strings-over-2GB-1.patch
BuildRequires: gcc
BuildRequires: make
BuildRequires: perl-devel
BuildRequires: perl-generators
BuildRequires: perl-interpreter
BuildRequires: perl(Config)
BuildRequires: perl(Cwd)
BuildRequires: perl(ExtUtils::MakeMaker) >= 6.76
BuildRequires: perl(File::Copy)
BuildRequires: perl(File::Spec) >= 0.8
BuildRequires: perl(strict)
BuildRequires: perl(warnings)
# Win32 not used on Linux
# Win32API::File not used on Linux
# Run-time:
BuildRequires: perl(Carp)
BuildRequires: perl(Exporter)
# Fcntl is optional, but locking is good
BuildRequires: perl(Fcntl)
BuildRequires: perl(IO::File)
# Log::Agent is optional
BuildRequires: perl(XSLoader)
# Tests:
BuildRequires: perl(base)
BuildRequires: perl(bytes)
BuildRequires: perl(File::Temp)
BuildRequires: perl(integer)
BuildRequires: perl(overload)
BuildRequires: perl(utf8)
BuildRequires: perl(Test::More)
BuildRequires: perl(threads)
BuildRequires: perl(Safe)
BuildRequires: perl(Scalar::Util)
BuildRequires: perl(Tie::Array)
# Optional tests:
# gzip not used
# Data::Dump not used
# Data::Dumper not used
BuildRequires: perl(B::Deparse) >= 0.61
BuildRequires: perl(Digest::MD5)
BuildRequires: perl(Hash::Util)
# Test::LeakTrace omitted because it's not a core module requried for building
# core Storable.
BuildRequires: perl(Tie::Hash)
Requires: perl(:MODULE_COMPAT_%(eval "`perl -V:version`"; echo $version))
Requires: perl(Config)
# Fcntl is optional, but locking is good
Requires: perl(Fcntl)
Requires: perl(IO::File)
%{?perl_default_filter}
%description
The Storable package brings persistence to your Perl data structures
containing scalar, array, hash or reference objects, i.e. anything that
can be conveniently stored to disk and retrieved at a later time.
%prep
%setup -q -n Storable-%{version}
%patch0 -p3
%patch1 -p3
%patch2 -p3
%build
perl Makefile.PL INSTALLDIRS=vendor NO_PACKLIST=1 NO_PERLLOCAL=1 OPTIMIZE="$RPM_OPT_FLAGS"
%{make_build}
%install
%{make_install}
find $RPM_BUILD_ROOT -type f -name '*.bs' -size 0 -delete
find $RPM_BUILD_ROOT -type f -name '*.3pm' -size 0 -delete
%{_fixperms} $RPM_BUILD_ROOT/*
%check
unset PERL_CORE PERL_TEST_MEMORY PERL_RUN_SLOW_TESTS
make test
%files
%doc ChangeLog README
%{perl_vendorarch}/auto/*
%{perl_vendorarch}/Storable*
%{_mandir}/man3/*
%changelog
* Mon Nov 25 2019 Petr Pisar <ppisar@redhat.com> - 1:3.15-442
- Fix a buffer overflow when processing a vstring longer than 2^31-1
(Perl GH#17306)
* Thu Aug 08 2019 Petr Pisar <ppisar@redhat.com> - 1:3.15-441
- Fix array length check in a store hook
* Fri Jul 26 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1:3.15-440
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
* Tue Jun 11 2019 Petr Pisar <ppisar@redhat.com> - 1:3.15-439
- Fix deep cloning regular expression objects (RT#134179)
* Thu May 30 2019 Jitka Plesnikova <jplesnik@redhat.com> - 1:3.15-438
- Increase release to favour standalone package
* Wed Apr 24 2019 Petr Pisar <ppisar@redhat.com> - 1:3.15-1
- 3.15 bump
* Sat Feb 02 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1:3.11-7
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
* Mon Jan 07 2019 Petr Pisar <ppisar@redhat.com> - 1:3.11-6
- Storable-3.11 source archive repackaged without a t/CVE-2015-1592.inc file
(RT#133706)
* Mon Aug 27 2018 Petr Pisar <ppisar@redhat.com> - 1:3.11-5
- Fix recursion check (RT#133326)
* Fri Jul 13 2018 Fedora Release Engineering <releng@fedoraproject.org> - 1:3.11-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
* Tue Jun 26 2018 Jitka Plesnikova <jplesnik@redhat.com> - 1:3.11-3
- Perl 5.28 rebuild
* Tue Jun 05 2018 Petr Pisar <ppisar@redhat.com> - 1:3.11-2
- Do not package empty Storable::Limit(3pm) manual page
* Mon Apr 30 2018 Petr Pisar <ppisar@redhat.com> - 1:3.11-1
- 3.11 bump
* Mon Apr 23 2018 Petr Pisar <ppisar@redhat.com> - 1:3.09-1
- 3.09 bump
* Thu Apr 19 2018 Petr Pisar <ppisar@redhat.com> - 1:3.06-1
- 3.06 bump
* Fri Feb 09 2018 Fedora Release Engineering <releng@fedoraproject.org> - 1:2.62-396
- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
* Thu Aug 03 2017 Fedora Release Engineering <releng@fedoraproject.org> - 1:2.62-395
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
* Thu Jul 27 2017 Fedora Release Engineering <releng@fedoraproject.org> - 1:2.62-394
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
* Sat Jun 03 2017 Jitka Plesnikova <jplesnik@redhat.com> - 1:2.62-393
- Perl 5.26 rebuild
* Thu May 11 2017 Petr Pisar <ppisar@redhat.com> - 1:2.62-1
- Upgrade to 2.62 as provided in perl-5.25.12
* Mon Feb 06 2017 Petr Pisar <ppisar@redhat.com> - 1:2.56-368
- Fix a stack buffer overflow in deserialization of hooks (RT#130635)
- Fix a memory leak of a class name from retrieve_hook() on an exception
(RT#130635)
* Tue Dec 20 2016 Petr Pisar <ppisar@redhat.com> - 1:2.56-367
- Fix crash in Storable when deserializing malformed code reference
(RT#68348, RT#130098)
* Wed Aug 03 2016 Jitka Plesnikova <jplesnik@redhat.com> - 1:2.56-366
- Avoid loading optional modules from default . (CVE-2016-1238)
* Sat May 14 2016 Jitka Plesnikova <jplesnik@redhat.com> - 1:2.56-365
- Increase release to favour standalone package
* Wed May 11 2016 Jitka Plesnikova <jplesnik@redhat.com> - 2.56-1
- 2.56 bump in order to dual-live with perl 5.24
* Thu Feb 04 2016 Fedora Release Engineering <releng@fedoraproject.org> - 1:2.53-347
- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
* Thu Jun 18 2015 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1:2.53-346
- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild
* Thu Jun 04 2015 Jitka Plesnikova <jplesnik@redhat.com> - 1:2.53-345
- Increase release to favour standalone package
* Wed Jun 03 2015 Jitka Plesnikova <jplesnik@redhat.com> - 1:2.53-2
- Perl 5.22 rebuild
* Wed May 06 2015 Petr Pisar <ppisar@redhat.com> - 1:2.53-1
- 2.53 bump in order to dual-live with perl 5.22
* Wed Sep 03 2014 Jitka Plesnikova <jplesnik@redhat.com> - 1:2.51-4
- Increase Epoch to favour standalone package
* Tue Aug 26 2014 Jitka Plesnikova <jplesnik@redhat.com> - 2.51-3
- Perl 5.20 rebuild
* Sun Aug 17 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.51-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild
* Mon Jul 07 2014 Petr Pisar <ppisar@redhat.com> - 2.51-1
- 2.51 bump
* Sat Jun 07 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.45-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
* Sun Aug 04 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.45-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild
* Mon Jul 15 2013 Petr Pisar <ppisar@redhat.com> - 2.45-1
- 2.45 bump
* Fri Jul 12 2013 Petr Pisar <ppisar@redhat.com> - 2.39-3
- Link minimal build-root packages against libperl.so explicitly
* Tue Jun 11 2013 Petr Pisar <ppisar@redhat.com> - 2.39-2
- Do not export private libraries
* Fri May 24 2013 Petr Pisar <ppisar@redhat.com> 2.39-1
- Specfile autogenerated by cpanspec 1.78.