import perl-Storable-3.15-442.module+el8.3.0+6718+7f269185

4 years ago · d50dd4031b
commit d50dd4031b
6 changed files with 439 additions and 0 deletions
--- a/.gitignore
+++ b/.gitignore
@ -0,0 +1 @@
+SOURCES/Storable-3.15.tar.gz
--- a/.perl-Storable.metadata
+++ b/.perl-Storable.metadata
@ -0,0 +1 @@
+dfd5ef17f9cdca7c246a90cbde7948e4c0168670 SOURCES/Storable-3.15.tar.gz
--- a/SOURCES/Storable-3.15-perl-134179-include-regexps-in-the-seen-objects-tabl.patch
+++ b/SOURCES/Storable-3.15-perl-134179-include-regexps-in-the-seen-objects-tabl.patch
@ -0,0 +1,92 @@
+From 16f2ddb794883529d5a3ad8326974a07aae7e567 Mon Sep 17 00:00:00 2001
+From: Tony Cook <tony@develop-help.com>
+Date: Mon, 10 Jun 2019 10:17:20 +1000
+Subject: [PATCH] (perl #134179) include regexps in the seen objects table on
+ retrieve
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Also, bless the regexp object, so freezing/thawing bless qr//, "Foo"
+returns a "Foo" blesses regexp.
+
+Signed-off-by: Petr Písař <ppisar@redhat.com>
+---
+ dist/Storable/Storable.xs |  5 +++--
+ dist/Storable/t/regexp.t  |  4 +++-
+ dist/Storable/t/weak.t    | 10 +++++++++-
+ 3 files changed, 15 insertions(+), 4 deletions(-)
+
+diff --git a/dist/Storable/Storable.xs b/dist/Storable/Storable.xs
+index ed729c94a6..6a45d8adf2 100644
+--- a/dist/Storable/Storable.xs
+++ b/dist/Storable/Storable.xs
+@@ -6808,8 +6808,7 @@ static SV *retrieve_regexp(pTHX_ stcxt_t *cxt, const char *cname) {
+     SV *sv;
+     dSP;
+     I32 count;
+-
+-    PERL_UNUSED_ARG(cname);
+    HV *stash;
+ 
+     ENTER;
+     SAVETMPS;
+@@ -6857,6 +6856,8 @@ static SV *retrieve_regexp(pTHX_ stcxt_t *cxt, const char *cname) {
+ 
+     sv = SvRV(re_ref);
+     SvREFCNT_inc(sv);
+    stash = cname ? gv_stashpv(cname, GV_ADD) : 0;
+    SEEN_NN(sv, stash, 0);
+     
+     FREETMPS;
+     LEAVE;
+diff --git a/dist/Storable/t/regexp.t b/dist/Storable/t/regexp.t
+index acf28cfec6..e7c6c7e94a 100644
+--- a/dist/Storable/t/regexp.t
+++ b/dist/Storable/t/regexp.t
+@@ -37,7 +37,7 @@ while (<DATA>) {
+     }
+ }
+ 
+-plan tests => 9 + 3*scalar(@tests);
+plan tests => 10 + 3*scalar(@tests);
+ 
+ SKIP:
+ {
+@@ -75,6 +75,8 @@ SKIP:
+     ok(!eval { dclone($re) }, "should fail to clone, even with use re 'eval'");
+ }
+ 
+is(ref(dclone(bless qr//, "Foo")), "Foo", "check reblessed regexps");
+
+ for my $test (@tests) {
+     my ($code, $not, $match, $matchc, $name) = @$test;
+     my $qr = eval $code;
+diff --git a/dist/Storable/t/weak.t b/dist/Storable/t/weak.t
+index 220c70160f..48752fbec4 100644
+--- a/dist/Storable/t/weak.t
+++ b/dist/Storable/t/weak.t
+@@ -29,7 +29,7 @@ sub BEGIN {
+ }
+ 
+ use Test::More 'no_plan';
+-use Storable qw (store retrieve freeze thaw nstore nfreeze);
+use Storable qw (store retrieve freeze thaw nstore nfreeze dclone);
+ require 'testlib.pl';
+ our $file;
+ use strict;
+@@ -143,3 +143,11 @@ foreach (@tests) {
+   $stored = nfreeze $input;
+   tester($stored, \&freeze_and_thaw, $testsub, 'network string');
+ }
+
+{
+    # [perl #134179] sv_upgrade from type 7 down to type 1
+    my $foo = [qr//,[]];
+    weaken($foo->[1][0][0] = $foo->[1]);
+    my $out = dclone($foo); # croaked here
+    is_deeply($out, $foo, "check they match");
+}
+-- 
+2.20.1
+
--- a/SOURCES/Storable-3.16-Storable-make-count-large-enough.patch
+++ b/SOURCES/Storable-3.16-Storable-make-count-large-enough.patch
@ -0,0 +1,53 @@
+From f7724052d1b8b75339f5ec2cc3d5b35ca5d130b5 Mon Sep 17 00:00:00 2001
+From: Tony Cook <tony@develop-help.com>
+Date: Wed, 7 Aug 2019 11:13:53 +1000
+Subject: [PATCH] Storable: make count large enough
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+AvARRAY() could be very large, and we check for that at line 3807,
+but int was (potentially) too small to make that comparison
+meaningful.
+
+CID 174681.
+
+Signed-off-by: Petr Písař <ppisar@redhat.com>
+---
+ dist/Storable/Storable.xs | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/dist/Storable/Storable.xs b/dist/Storable/Storable.xs
+index 6a45d8adf2..d75125b839 100644
+--- a/dist/Storable/Storable.xs
+++ b/dist/Storable/Storable.xs
+@@ -3662,7 +3662,7 @@ static int store_hook(
+     SV *ref;
+     AV *av;
+     SV **ary;
+-    int count;			/* really len3 + 1 */
+    IV count;			/* really len3 + 1 */
+     unsigned char flags;
+     char *pv;
+     int i;
+@@ -3752,7 +3752,7 @@ static int store_hook(
+     SvREFCNT_dec(ref);			/* Reclaim temporary reference */
+ 
+     count = AvFILLp(av) + 1;
+-    TRACEME(("store_hook, array holds %d items", count));
+    TRACEME(("store_hook, array holds %" IVdf " items", count));
+ 
+     /*
+      * If they return an empty list, it means they wish to ignore the
+@@ -3986,7 +3986,7 @@ static int store_hook(
+      */
+ 
+     TRACEME(("SX_HOOK (recursed=%d) flags=0x%x "
+-             "class=%" IVdf " len=%" IVdf " len2=%" IVdf " len3=%d",
+             "class=%" IVdf " len=%" IVdf " len2=%" IVdf " len3=%" IVdf,
+              recursed, flags, (IV)classnum, (IV)len, (IV)len2, count-1));
+ 
+     /* SX_HOOK <flags> [<extra>] */
+-- 
+2.20.1
+
--- a/SOURCES/perl-5.31.6-disallow-vstring-magic-strings-over-2GB-1.patch
+++ b/SOURCES/perl-5.31.6-disallow-vstring-magic-strings-over-2GB-1.patch
@ -0,0 +1,67 @@
+From ea1e86cfdf26a330e58ea377a80273de7110011b Mon Sep 17 00:00:00 2001
+From: Tony Cook <tony@develop-help.com>
+Date: Wed, 21 Aug 2019 11:37:58 +1000
+Subject: [PATCH] disallow vstring magic strings over 2GB-1
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+On reads this could result in buffer overflows, so avoid writing
+such large vstrings to avoid causing problems for older Storable.
+
+Since we no longer write such large vstrings, we don't want to accept
+them.
+
+I doubt that restricting versions strings to under 2GB-1 will have
+a practical effect on downstream users.
+
+fixes #17306
+
+Signed-off-by: Petr Písař <ppisar@redhat.com>
+---
+ dist/Storable/Storable.xs | 19 ++++++++++++++++---
+ 1 file changed, 16 insertions(+), 3 deletions(-)
+
+diff --git a/dist/Storable/Storable.xs b/dist/Storable/Storable.xs
+index c2335680ab..d27ac58012 100644
+--- a/dist/Storable/Storable.xs
+++ b/dist/Storable/Storable.xs
+@@ -2628,6 +2628,12 @@ static int store_scalar(pTHX_ stcxt_t *cxt, SV *sv)
+             /* The macro passes this by address, not value, and a lot of
+                called code assumes that it's 32 bits without checking.  */
+             const SSize_t len = mg->mg_len;
+            /* we no longer accept vstrings over I32_SIZE-1, so don't emit
+               them, also, older Storables handle them badly.
+            */
+            if (len >= I32_MAX) {
+                CROAK(("vstring too large to freeze"));
+            }
+             STORE_PV_LEN((const char *)mg->mg_ptr,
+                          len, SX_VSTRING, SX_LVSTRING);
+         }
+@@ -5937,12 +5943,19 @@ static SV *retrieve_lvstring(pTHX_ stcxt_t *cxt, const char *cname)
+ {
+ #ifdef SvVOK
+     char *s;
+-    I32 len;
+    U32 len;
+     SV *sv;
+ 
+     RLEN(len);
+-    TRACEME(("retrieve_lvstring (#%d), len = %" IVdf,
+-             (int)cxt->tagnum, (IV)len));
+    TRACEME(("retrieve_lvstring (#%d), len = %" UVuf,
+             (int)cxt->tagnum, (UV)len));
+
+    /* Since we'll no longer produce such large vstrings, reject them
+       here too.
+    */
+    if (len >= I32_MAX) {
+        CROAK(("vstring too large to fetch"));
+    }
+ 
+     New(10003, s, len+1, char);
+     SAFEPVREAD(s, len, s);
+-- 
+2.21.0
+
--- a/SPECS/perl-Storable.spec
+++ b/SPECS/perl-Storable.spec
@ -0,0 +1,225 @@
+Name:           perl-Storable
+Epoch:          1
+Version:        3.15
+Release:        442%{?dist}
+Summary:        Persistence for Perl data structures
+# __Storable__.pm:  GPL+ or Artistic
+License:        GPL+ or Artistic
+URL:            https://metacpan.org/release/Storable
+Source0:        https://cpan.metacpan.org/authors/id/X/XS/XSAWYERX/Storable-%{version}.tar.gz
+# Fix deep cloning regular expression objects, RT#134179,
+# in Perl upstream after 5.31.0
+Patch0:         Storable-3.15-perl-134179-include-regexps-in-the-seen-objects-tabl.patch
+# Fix array length check in a store hook, in Perl upstream after 5.31.2
+Patch1:         Storable-3.16-Storable-make-count-large-enough.patch
+# Fix a buffer overflow when processing a vstring longer than 2^31-1,
+# Perl GH#17306, in perl upstream after 5.31.6
+Patch2:         perl-5.31.6-disallow-vstring-magic-strings-over-2GB-1.patch
+BuildRequires:  gcc
+BuildRequires:  make
+BuildRequires:  perl-devel
+BuildRequires:  perl-generators
+BuildRequires:  perl-interpreter
+BuildRequires:  perl(Config)
+BuildRequires:  perl(Cwd)
+BuildRequires:  perl(ExtUtils::MakeMaker) >= 6.76
+BuildRequires:  perl(File::Copy)
+BuildRequires:  perl(File::Spec) >= 0.8
+BuildRequires:  perl(strict)
+BuildRequires:  perl(warnings)
+# Win32 not used on Linux
+# Win32API::File not used on Linux
+# Run-time:
+BuildRequires:  perl(Carp)
+BuildRequires:  perl(Exporter)
+# Fcntl is optional, but locking is good
+BuildRequires:  perl(Fcntl)
+BuildRequires:  perl(IO::File)
+# Log::Agent is optional
+BuildRequires:  perl(XSLoader)
+# Tests:
+BuildRequires:  perl(base)
+BuildRequires:  perl(bytes)
+BuildRequires:  perl(File::Temp)
+BuildRequires:  perl(integer)
+BuildRequires:  perl(overload)
+BuildRequires:  perl(utf8)
+BuildRequires:  perl(Test::More)
+BuildRequires:  perl(threads)
+BuildRequires:  perl(Safe)
+BuildRequires:  perl(Scalar::Util)
+BuildRequires:  perl(Tie::Array)
+# Optional tests:
+# gzip not used
+# Data::Dump not used
+# Data::Dumper not used
+BuildRequires:  perl(B::Deparse) >= 0.61
+BuildRequires:  perl(Digest::MD5)
+BuildRequires:  perl(Hash::Util)
+# Test::LeakTrace omitted because it's not a core module requried for building
+# core Storable.
+BuildRequires:  perl(Tie::Hash)
+Requires:       perl(:MODULE_COMPAT_%(eval "`perl -V:version`"; echo $version))
+Requires:       perl(Config)
+# Fcntl is optional, but locking is good
+Requires:       perl(Fcntl)
+Requires:       perl(IO::File)
+
+%{?perl_default_filter}
+
+%description
+The Storable package brings persistence to your Perl data structures
+containing scalar, array, hash or reference objects, i.e. anything that
+can be conveniently stored to disk and retrieved at a later time.
+
+%prep
+%setup -q -n Storable-%{version}
+%patch0 -p3
+%patch1 -p3
+%patch2 -p3
+
+%build
+perl Makefile.PL INSTALLDIRS=vendor NO_PACKLIST=1 NO_PERLLOCAL=1 OPTIMIZE="$RPM_OPT_FLAGS"
+%{make_build}
+
+%install
+%{make_install}
+find $RPM_BUILD_ROOT -type f -name '*.bs' -size 0 -delete
+find $RPM_BUILD_ROOT -type f -name '*.3pm' -size 0 -delete
+%{_fixperms} $RPM_BUILD_ROOT/*
+
+%check
+unset PERL_CORE PERL_TEST_MEMORY PERL_RUN_SLOW_TESTS
+make test
+
+%files
+%doc ChangeLog README
+%{perl_vendorarch}/auto/*
+%{perl_vendorarch}/Storable*
+%{_mandir}/man3/*
+
+%changelog
+* Mon Nov 25 2019 Petr Pisar <ppisar@redhat.com> - 1:3.15-442
+- Fix a buffer overflow when processing a vstring longer than 2^31-1
+  (Perl GH#17306)
+
+* Thu Aug 08 2019 Petr Pisar <ppisar@redhat.com> - 1:3.15-441
+- Fix array length check in a store hook
+
+* Fri Jul 26 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1:3.15-440
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
+
+* Tue Jun 11 2019 Petr Pisar <ppisar@redhat.com> - 1:3.15-439
+- Fix deep cloning regular expression objects (RT#134179)
+
+* Thu May 30 2019 Jitka Plesnikova <jplesnik@redhat.com> - 1:3.15-438
+- Increase release to favour standalone package
+
+* Wed Apr 24 2019 Petr Pisar <ppisar@redhat.com> - 1:3.15-1
+- 3.15 bump
+
+* Sat Feb 02 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1:3.11-7
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
+
+* Mon Jan 07 2019 Petr Pisar <ppisar@redhat.com> - 1:3.11-6
+- Storable-3.11 source archive repackaged without a t/CVE-2015-1592.inc file
+  (RT#133706)
+
+* Mon Aug 27 2018 Petr Pisar <ppisar@redhat.com> - 1:3.11-5
+- Fix recursion check (RT#133326)
+
+* Fri Jul 13 2018 Fedora Release Engineering <releng@fedoraproject.org> - 1:3.11-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
+
+* Tue Jun 26 2018 Jitka Plesnikova <jplesnik@redhat.com> - 1:3.11-3
+- Perl 5.28 rebuild
+
+* Tue Jun 05 2018 Petr Pisar <ppisar@redhat.com> - 1:3.11-2
+- Do not package empty Storable::Limit(3pm) manual page
+
+* Mon Apr 30 2018 Petr Pisar <ppisar@redhat.com> - 1:3.11-1
+- 3.11 bump
+
+* Mon Apr 23 2018 Petr Pisar <ppisar@redhat.com> - 1:3.09-1
+- 3.09 bump
+
+* Thu Apr 19 2018 Petr Pisar <ppisar@redhat.com> - 1:3.06-1
+- 3.06 bump
+
+* Fri Feb 09 2018 Fedora Release Engineering <releng@fedoraproject.org> - 1:2.62-396
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
+
+* Thu Aug 03 2017 Fedora Release Engineering <releng@fedoraproject.org> - 1:2.62-395
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
+
+* Thu Jul 27 2017 Fedora Release Engineering <releng@fedoraproject.org> - 1:2.62-394
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
+
+* Sat Jun 03 2017 Jitka Plesnikova <jplesnik@redhat.com> - 1:2.62-393
+- Perl 5.26 rebuild
+
+* Thu May 11 2017 Petr Pisar <ppisar@redhat.com> - 1:2.62-1
+- Upgrade to 2.62 as provided in perl-5.25.12
+
+* Mon Feb 06 2017 Petr Pisar <ppisar@redhat.com> - 1:2.56-368
+- Fix a stack buffer overflow in deserialization of hooks (RT#130635)
+- Fix a memory leak of a class name from retrieve_hook() on an exception
+  (RT#130635)
+
+* Tue Dec 20 2016 Petr Pisar <ppisar@redhat.com> - 1:2.56-367
+- Fix crash in Storable when deserializing malformed code reference
+  (RT#68348, RT#130098)
+
+* Wed Aug 03 2016 Jitka Plesnikova <jplesnik@redhat.com> - 1:2.56-366
+- Avoid loading optional modules from default . (CVE-2016-1238)
+
+* Sat May 14 2016 Jitka Plesnikova <jplesnik@redhat.com> - 1:2.56-365
+- Increase release to favour standalone package
+
+* Wed May 11 2016 Jitka Plesnikova <jplesnik@redhat.com> - 2.56-1
+- 2.56 bump in order to dual-live with perl 5.24
+
+* Thu Feb 04 2016 Fedora Release Engineering <releng@fedoraproject.org> - 1:2.53-347
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
+
+* Thu Jun 18 2015 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1:2.53-346
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild
+
+* Thu Jun 04 2015 Jitka Plesnikova <jplesnik@redhat.com> - 1:2.53-345
+- Increase release to favour standalone package
+
+* Wed Jun 03 2015 Jitka Plesnikova <jplesnik@redhat.com> - 1:2.53-2
+- Perl 5.22 rebuild
+
+* Wed May 06 2015 Petr Pisar <ppisar@redhat.com> - 1:2.53-1
+- 2.53 bump in order to dual-live with perl 5.22
+
+* Wed Sep 03 2014 Jitka Plesnikova <jplesnik@redhat.com> - 1:2.51-4
+- Increase Epoch to favour standalone package
+
+* Tue Aug 26 2014 Jitka Plesnikova <jplesnik@redhat.com> - 2.51-3
+- Perl 5.20 rebuild
+
+* Sun Aug 17 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.51-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild
+
+* Mon Jul 07 2014 Petr Pisar <ppisar@redhat.com> - 2.51-1
+- 2.51 bump
+
+* Sat Jun 07 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.45-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
+
+* Sun Aug 04 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.45-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild
+
+* Mon Jul 15 2013 Petr Pisar <ppisar@redhat.com> - 2.45-1
+- 2.45 bump
+
+* Fri Jul 12 2013 Petr Pisar <ppisar@redhat.com> - 2.39-3
+- Link minimal build-root packages against libperl.so explicitly
+
+* Tue Jun 11 2013 Petr Pisar <ppisar@redhat.com> - 2.39-2
+- Do not export private libraries
+
+* Fri May 24 2013 Petr Pisar <ppisar@redhat.com> 2.39-1
+- Specfile autogenerated by cpanspec 1.78.
				`@ -0,0 +1 @@`
				`dfd5ef17f9cdca7c246a90cbde7948e4c0168670 SOURCES/Storable-3.15.tar.gz`