summaryrefslogtreecommitdiff
path: root/core
diff options
context:
space:
mode:
authorroot <root@rshg054.dnsready.net>2012-01-20 23:14:48 +0000
committerroot <root@rshg054.dnsready.net>2012-01-20 23:14:48 +0000
commita1922d0ec660fdc1892f2783515f781c090df0a9 (patch)
tree6d38a09231ff439c051261d41bfa066870e1fccb /core
parenteefecc8813e0c062a2058b33209cb30830f824b6 (diff)
Fri Jan 20 23:14:48 UTC 2012
Diffstat (limited to 'core')
-rw-r--r--core/openssl/PKGBUILD8
-rw-r--r--core/perl/PKGBUILD8
-rw-r--r--core/perl/digest_eval_hole.diff61
3 files changed, 71 insertions, 6 deletions
diff --git a/core/openssl/PKGBUILD b/core/openssl/PKGBUILD
index 0b570aa92..c622f21c6 100644
--- a/core/openssl/PKGBUILD
+++ b/core/openssl/PKGBUILD
@@ -1,8 +1,8 @@
-# $Id: PKGBUILD 146071 2012-01-05 04:59:04Z pierre $
+# $Id: PKGBUILD 146957 2012-01-19 17:48:26Z pierre $
# Maintainer: Pierre Schmitz <pierre@archlinux.de>
pkgname=openssl
-_ver=1.0.0f
+_ver=1.0.0g
# use a pacman compatible version scheme
pkgver=${_ver/[a-z]/.${_ver//[0-9.]/}}
pkgrel=1
@@ -19,8 +19,8 @@ source=("https://www.openssl.org/source/${pkgname}-${_ver}.tar.gz"
'fix-manpages.patch'
'no-rpath.patch'
'ca-dir.patch')
-md5sums=('e358705fb4a8827b5e9224a73f442025'
- 'fc1673f53946f1e7b408465f272484d8'
+md5sums=('07ecbe4324f140d157478637d6beccf1'
+ '34315cf0fbbd1d18435948eb9712fcdf'
'5bbc0655bda2af95bc8eb568963ce8ba'
'dc78d3d06baffc16217519242ce92478'
'3bf51be3a1bbd262be46dc619f92aa90')
diff --git a/core/perl/PKGBUILD b/core/perl/PKGBUILD
index de6e057b6..9fc4a5700 100644
--- a/core/perl/PKGBUILD
+++ b/core/perl/PKGBUILD
@@ -1,11 +1,11 @@
-# $Id: PKGBUILD 146455 2012-01-11 15:21:16Z stephane $
+# $Id: PKGBUILD 146927 2012-01-19 10:01:03Z bluewind $
# Maintainer: Angel Velasquez <angvp@archlinux.org>
# Contributor: kevin <kevin.archlinux.org>
# Contributor: judd <jvinet.zeroflux.org>
# Contributor: francois <francois.archlinux.org>
pkgname=perl
pkgver=5.14.2
-pkgrel=6
+pkgrel=7
pkgdesc="A highly capable, feature-rich programming language"
arch=(i686 x86_64)
license=('GPL' 'PerlArtistic')
@@ -17,6 +17,7 @@ source=(http://www.cpan.org/src/5.0/perl-${pkgver}.tar.bz2
perlbin.sh
perlbin.csh
provides.pl
+digest_eval_hole.diff
0001-Append-CFLAGS-and-LDFLAGS-to-their-Config.pm-counter.patch)
install=perl.install
options=('makeflags' '!purge')
@@ -24,6 +25,7 @@ md5sums=('04a4c5d3c1f9f19d77daff8e8cd19a26'
'5ed2542fdb9a60682f215bd33701e61a'
'1f0cbbee783e8a6d32f01be5118e0d5e'
'31fc0b5bb4935414394c5cfbec2cb8e5'
+ '490852b3d77c3b3866d0d75f5fbf5c5d'
'c25d86206d649046538c3daab7874564')
build() {
@@ -37,6 +39,8 @@ build() {
arch_opts=""
fi
+ patch -Np1 -i $srcdir/digest_eval_hole.diff
+
./Configure -des -Dusethreads -Duseshrplib -Doptimize="${CFLAGS}" \
-Dprefix=/usr -Dinstallprefix=${pkgdir}/usr -Dvendorprefix=/usr \
-Dprivlib=/usr/share/perl5/core_perl \
diff --git a/core/perl/digest_eval_hole.diff b/core/perl/digest_eval_hole.diff
new file mode 100644
index 000000000..47904137b
--- /dev/null
+++ b/core/perl/digest_eval_hole.diff
@@ -0,0 +1,61 @@
+From 4b6a7324284e7435a361c58f7ddb32fc0c635bd0 Mon Sep 17 00:00:00 2001
+From: "Michael G. Schwern" <schwern@pobox.com>
+Date: Mon, 3 Oct 2011 19:05:29 +0100
+Subject: Close the eval "require $module" security hole in
+ Digest->new($algorithm)
+
+Also the filter was incomplete.
+
+Bug-Debian: http://bugs.debian.org/644108
+
+Patch-Name: fixes/digest_eval_hole.diff
+---
+ cpan/Digest/Digest.pm | 6 ++++--
+ cpan/Digest/t/security.t | 14 ++++++++++++++
+ 2 files changed, 18 insertions(+), 2 deletions(-)
+ create mode 100644 cpan/Digest/t/security.t
+
+diff --git a/cpan/Digest/Digest.pm b/cpan/Digest/Digest.pm
+index 384dfc8..d714434 100644
+--- a/cpan/Digest/Digest.pm
++++ b/cpan/Digest/Digest.pm
+@@ -24,7 +24,7 @@ sub new
+ shift; # class ignored
+ my $algorithm = shift;
+ my $impl = $MMAP{$algorithm} || do {
+- $algorithm =~ s/\W+//;
++ $algorithm =~ s/\W+//g;
+ "Digest::$algorithm";
+ };
+ $impl = [$impl] unless ref($impl);
+@@ -35,7 +35,9 @@ sub new
+ ($class, @args) = @$class if ref($class);
+ no strict 'refs';
+ unless (exists ${"$class\::"}{"VERSION"}) {
+- eval "require $class";
++ my $pm_file = $class . ".pm";
++ $pm_file =~ s{::}{/}g;
++ eval { require $pm_file };
+ if ($@) {
+ $err ||= $@;
+ next;
+diff --git a/cpan/Digest/t/security.t b/cpan/Digest/t/security.t
+new file mode 100644
+index 0000000..5cba122
+--- /dev/null
++++ b/cpan/Digest/t/security.t
+@@ -0,0 +1,14 @@
++#!/usr/bin/env perl
++
++# Digest->new() had an exploitable eval
++
++use strict;
++use warnings;
++
++use Test::More tests => 1;
++
++use Digest;
++
++$LOL::PWNED = 0;
++eval { Digest->new(q[MD;5;$LOL::PWNED = 42]) };
++is $LOL::PWNED, 0;