gnu: perl: Update to 5.24.0.

* gnu/packages/perl.scm: Update to 5.24.0.
[source]: Add and remove patches.
* gnu/packages/patches/perl-reproducible-build-date.patch: New file.
* gnu/packages/patches/perl-CVE-2015-8607.patch,
gnu/packages/patches/perl-CVE-2016-2381.patch,
gnu/packages/patches/perl-no-build-time.patch,
gnu/packages/patches/perl-source-date-epoch.patch: Delete files.
* gnu/local.mk (dist_patch_DATA): Add and remove patches.
This commit is contained in:
Leo Famulari 2016-08-16 17:58:09 -04:00
parent 9bb1826651
commit a3d6e1f432
No known key found for this signature in database
GPG key ID: 2646FA30BACA7F08
7 changed files with 21 additions and 239 deletions

View file

@ -695,8 +695,6 @@ dist_patch_DATA = \
%D%/packages/patches/patch-hurd-path-max.patch \ %D%/packages/patches/patch-hurd-path-max.patch \
%D%/packages/patches/pcre-CVE-2016-3191.patch \ %D%/packages/patches/pcre-CVE-2016-3191.patch \
%D%/packages/patches/pcre2-CVE-2016-3191.patch \ %D%/packages/patches/pcre2-CVE-2016-3191.patch \
%D%/packages/patches/perl-CVE-2015-8607.patch \
%D%/packages/patches/perl-CVE-2016-2381.patch \
%D%/packages/patches/perl-autosplit-default-time.patch \ %D%/packages/patches/perl-autosplit-default-time.patch \
%D%/packages/patches/perl-deterministic-ordering.patch \ %D%/packages/patches/perl-deterministic-ordering.patch \
%D%/packages/patches/perl-finance-quote-unuse-mozilla-ca.patch \ %D%/packages/patches/perl-finance-quote-unuse-mozilla-ca.patch \
@ -705,10 +703,9 @@ dist_patch_DATA = \
%D%/packages/patches/perl-net-amazon-s3-moose-warning.patch \ %D%/packages/patches/perl-net-amazon-s3-moose-warning.patch \
%D%/packages/patches/perl-net-ssleay-disable-ede-test.patch \ %D%/packages/patches/perl-net-ssleay-disable-ede-test.patch \
%D%/packages/patches/perl-net-dns-resolver-programmable-Fix-broken-interface.patch \ %D%/packages/patches/perl-net-dns-resolver-programmable-Fix-broken-interface.patch \
%D%/packages/patches/perl-no-build-time.patch \
%D%/packages/patches/perl-no-sys-dirs.patch \ %D%/packages/patches/perl-no-sys-dirs.patch \
%D%/packages/patches/perl-module-pluggable-search.patch \ %D%/packages/patches/perl-module-pluggable-search.patch \
%D%/packages/patches/perl-source-date-epoch.patch \ %D%/packages/patches/perl-reproducible-build-date.patch \
%D%/packages/patches/pidgin-add-search-path.patch \ %D%/packages/patches/pidgin-add-search-path.patch \
%D%/packages/patches/pinball-const-fix.patch \ %D%/packages/patches/pinball-const-fix.patch \
%D%/packages/patches/pinball-cstddef.patch \ %D%/packages/patches/pinball-cstddef.patch \

View file

@ -1,68 +0,0 @@
From 3a629609084d147838368262171b923f0770e564 Mon Sep 17 00:00:00 2001
From: Tony Cook <tony@develop-help.com>
Date: Tue, 15 Dec 2015 10:56:54 +1100
Subject: ensure File::Spec::canonpath() preserves taint
Previously the unix specific XS implementation of canonpath() would
return an untainted path when supplied a tainted path.
For the empty string case, newSVpvs() already sets taint as needed on
its result.
This issue was assigned CVE-2015-8607.
Bug: https://rt.perl.org/Ticket/Display.html?id=126862
Bug-Debian: https://bugs.debian.org/810719
Origin: upstream
Patch-Name: fixes/CVE-2015-8607_file_spec_taint_fix.diff
---
dist/PathTools/Cwd.xs | 1 +
dist/PathTools/t/taint.t | 19 ++++++++++++++++++-
2 files changed, 19 insertions(+), 1 deletion(-)
diff --git a/dist/PathTools/Cwd.xs b/dist/PathTools/Cwd.xs
index 9d4dcf0..3d018dc 100644
--- a/dist/PathTools/Cwd.xs
+++ b/dist/PathTools/Cwd.xs
@@ -535,6 +535,7 @@ THX_unix_canonpath(pTHX_ SV *path)
*o = 0;
SvPOK_on(retval);
SvCUR_set(retval, o - SvPVX(retval));
+ SvTAINT(retval);
return retval;
}
diff --git a/dist/PathTools/t/taint.t b/dist/PathTools/t/taint.t
index 309b3e5..48f8c5b 100644
--- a/dist/PathTools/t/taint.t
+++ b/dist/PathTools/t/taint.t
@@ -12,7 +12,7 @@ use Test::More;
BEGIN {
plan(
${^TAINT}
- ? (tests => 17)
+ ? (tests => 21)
: (skip_all => "A perl without taint support")
);
}
@@ -34,3 +34,20 @@ foreach my $func (@Functions) {
# Previous versions of Cwd tainted $^O
is !tainted($^O), 1, "\$^O should not be tainted";
+
+{
+ # [perl #126862] canonpath() loses taint
+ my $tainted = substr($ENV{PATH}, 0, 0);
+ # yes, getcwd()'s result should be tainted, and is tested above
+ # but be sure
+ ok tainted(File::Spec->canonpath($tainted . Cwd::getcwd)),
+ "canonpath() keeps taint on non-empty string";
+ ok tainted(File::Spec->canonpath($tainted)),
+ "canonpath() keeps taint on empty string";
+
+ (Cwd::getcwd() =~ /^(.*)/);
+ my $untainted = $1;
+ ok !tainted($untainted), "make sure our untainted value is untainted";
+ ok !tainted(File::Spec->canonpath($untainted)),
+ "canonpath() doesn't add taint to untainted string";
+}

View file

@ -1,116 +0,0 @@
Fix CVE-2016-2381 (ambiguous handling of duplicated environment variables).
Copied from upstream:
http://perl5.git.perl.org/perl.git/commit/ae37b791a73a9e78dedb89fb2429d2628cf58076
References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2381
http://www.nntp.perl.org/group/perl.perl5.porters/2016/03/msg234747.html
https://security-tracker.debian.org/tracker/CVE-2016-2381
---
From 1237ea93fb2475a5ae576d5ee1358a5bb4ebe426 Mon Sep 17 00:00:00 2001
From: Tony Cook <tony@develop-help.com>
Date: Wed, 27 Jan 2016 11:52:15 +1100
Subject: remove duplicate environment variables from environ
If we see duplicate environment variables while iterating over
environ[]:
a) make sure we use the same value in %ENV that getenv() returns.
Previously on a duplicate, %ENV would have the last entry for the name
from environ[], but a typical getenv() would return the first entry.
Rather than assuming all getenv() implementations return the first entry
explicitly call getenv() to ensure they agree.
b) remove duplicate entries from environ
Previously if there was a duplicate definition for a name in environ[]
setting that name in %ENV could result in an unsafe value being passed
to a child process, so ensure environ[] has no duplicates.
Patch-Name: fixes/CVE-2016-2381_duplicate_env.diff
---
perl.c | 51 +++++++++++++++++++++++++++++++++++++++++++++++++--
1 file changed, 49 insertions(+), 2 deletions(-)
diff --git a/perl.c b/perl.c
index 67d32ce..26aeb91 100644
--- a/perl.c
+++ b/perl.c
@@ -4277,23 +4277,70 @@ S_init_postdump_symbols(pTHX_ int argc, char **argv, char **env)
}
if (env) {
char *s, *old_var;
+ STRLEN nlen;
SV *sv;
+ HV *dups = newHV();
+
for (; *env; env++) {
old_var = *env;
if (!(s = strchr(old_var,'=')) || s == old_var)
continue;
+ nlen = s - old_var;
#if defined(MSDOS) && !defined(DJGPP)
*s = '\0';
(void)strupr(old_var);
*s = '=';
#endif
- sv = newSVpv(s+1, 0);
- (void)hv_store(hv, old_var, s - old_var, sv, 0);
+ if (hv_exists(hv, old_var, nlen)) {
+ const char *name = savepvn(old_var, nlen);
+
+ /* make sure we use the same value as getenv(), otherwise code that
+ uses getenv() (like setlocale()) might see a different value to %ENV
+ */
+ sv = newSVpv(PerlEnv_getenv(name), 0);
+
+ /* keep a count of the dups of this name so we can de-dup environ later */
+ if (hv_exists(dups, name, nlen))
+ ++SvIVX(*hv_fetch(dups, name, nlen, 0));
+ else
+ (void)hv_store(dups, name, nlen, newSViv(1), 0);
+
+ Safefree(name);
+ }
+ else {
+ sv = newSVpv(s+1, 0);
+ }
+ (void)hv_store(hv, old_var, nlen, sv, 0);
if (env_is_not_environ)
mg_set(sv);
}
+ if (HvKEYS(dups)) {
+ /* environ has some duplicate definitions, remove them */
+ HE *entry;
+ hv_iterinit(dups);
+ while ((entry = hv_iternext_flags(dups, 0))) {
+ STRLEN nlen;
+ const char *name = HePV(entry, nlen);
+ IV count = SvIV(HeVAL(entry));
+ IV i;
+ SV **valp = hv_fetch(hv, name, nlen, 0);
+
+ assert(valp);
+
+ /* try to remove any duplicate names, depending on the
+ * implementation used in my_setenv() the iteration might
+ * not be necessary, but let's be safe.
+ */
+ for (i = 0; i < count; ++i)
+ my_setenv(name, 0);
+
+ /* and set it back to the value we set $ENV{name} to */
+ my_setenv(name, SvPV_nolen(*valp));
+ }
+ }
+ SvREFCNT_dec_NN(dups);
}
#endif /* USE_ENVIRON_ARRAY */
#endif /* !PERL_MICRO */

View file

@ -1,26 +0,0 @@
Do not record the configuration and build time so that builds can be
reproduced bit-for-bit.
--- perl-5.22.0/Configure 1970-01-01 01:00:00.000000000 +0100
+++ perl-5.22.0/Configure 2015-12-13 00:14:43.148165080 +0100
@@ -3834,6 +3817,7 @@ esac
: who configured the system
cf_time=`LC_ALL=C; LANGUAGE=C; export LC_ALL; export LANGUAGE; $date 2>&1`
+cf_time='Thu Jan 1 00:00:01 UTC 1970'
case "$cf_by" in
"")
cf_by=`(logname) 2>/dev/null`
--- perl-5.22.0/perl.c 2015-12-13 00:25:30.269156627 +0100
+++ perl-5.22.0/perl.c 2015-12-13 00:25:38.265218175 +0100
@@ -1795,7 +1795,7 @@ S_Internals_V(pTHX_ CV *cv)
PUSHs(Perl_newSVpvn_flags(aTHX_ non_bincompat_options,
sizeof(non_bincompat_options) - 1, SVs_TEMP));
-#ifdef __DATE__
+#if 0
# ifdef __TIME__
PUSHs(Perl_newSVpvn_flags(aTHX_
STR_WITH_LEN("Compiled at " __DATE__ " " __TIME__),

View file

@ -0,0 +1,17 @@
Don't encode the current timestamp.
This affects the output of `perl -V`, specifically the message "Compiled
at [...]".
diff --git a/perl.c b/perl.c
index 228a0d8..ed38313 100644
--- a/perl.c
+++ b/perl.c
@@ -1825,6 +1825,7 @@ S_Internals_V(pTHX_ CV *cv)
PUSHs(Perl_newSVpvn_flags(aTHX_ non_bincompat_options,
sizeof(non_bincompat_options) - 1, SVs_TEMP));
+#define PERL_BUILD_DATE "Jan 1 1970 00:00:00"
#ifndef PERL_BUILD_DATE
# ifdef __DATE__
# ifdef __TIME__

View file

@ -1,19 +0,0 @@
Adapted from <https://bugs.debian.org/801621>.
Make Pod::Man honor the SOURCE_DATE_EPOCH environment variable.
--- perl-5.22.0/cpan/podlators/lib/Pod/Man.pm 2015-12-12 22:33:03.321787590 +0100
+++ perl-5.22.0/cpan/podlators/lib/Pod/Man.pm 2015-12-12 22:36:33.367361338 +0100
@@ -884,7 +884,12 @@ sub devise_date {
my ($self) = @_;
my $input = $self->source_filename;
my $time;
- if ($input) {
+
+ if (defined($ENV{SOURCE_DATE_EPOCH}) &&
+ $ENV{SOURCE_DATE_EPOCH} !~ /\D/) {
+ $time = $ENV{SOURCE_DATE_EPOCH};
+ }
+ elsif ($input) {
$time = (stat $input)[9] || time;
} else {
$time = time;

View file

@ -44,22 +44,19 @@ (define-public perl
;; Yeah, Perl... It is required early in the bootstrap process by Linux. ;; Yeah, Perl... It is required early in the bootstrap process by Linux.
(package (package
(name "perl") (name "perl")
(version "5.22.1") (version "5.24.0")
(source (origin (source (origin
(method url-fetch) (method url-fetch)
(uri (string-append "http://www.cpan.org/src/5.0/perl-" (uri (string-append "http://www.cpan.org/src/5.0/perl-"
version ".tar.gz")) version ".tar.gz"))
(sha256 (sha256
(base32 (base32
"09wg24w5syyafyv87l6z8pxwz4bjgcdj996bx5844k6m9445sirb")) "00jj8zr8fnihrxxhl8h936ssczv5x86qb618yz1ig40d1rp0qhvy"))
(patches (search-patches (patches (search-patches
"perl-no-sys-dirs.patch" "perl-no-sys-dirs.patch"
"perl-autosplit-default-time.patch" "perl-autosplit-default-time.patch"
"perl-source-date-epoch.patch"
"perl-deterministic-ordering.patch" "perl-deterministic-ordering.patch"
"perl-no-build-time.patch" "perl-reproducible-build-date.patch"))))
"perl-CVE-2015-8607.patch"
"perl-CVE-2016-2381.patch"))))
(build-system gnu-build-system) (build-system gnu-build-system)
(arguments (arguments
'(#:tests? #f '(#:tests? #f