Hello community,

here is the log from the commit of package perl for openSUSE:Factory checked in at Sat Jan 15 02:24:17 CET 2011.

--------
--- perl/perl.changes 2010-11-30 11:23:21.000000000 +0100
+++ perl/perl.changes 2011-01-14 18:32:00.000000000 +0100
@@ -1,0 +2,9 @@
+Fri Jan 14 18:04:16 CET 2011 - mls@suse.de
+
+- update to perl-5.12.3-RC1
+ * bug fix only release
+ * lvalue sub return values are now COW
+- fix CGI injection bugs, CVE-2010-2761, CVE-2010-4410,
+ CVE-2010-4411 [bnc#657343]
+
+-------------------------------------------------------------------

calling whatdependson for head-i586

Old:
----
perl-5.12.2.dif
perl-5.12.2.tar.bz2

New:
----
perl-5.12.3-RC1.tar.bz2
perl-5.12.3.dif
perl-cgi-injection.diff

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ perl.spec ++++++
--- /var/tmp/diff_new_pack.UpcHFs/_old 2011-01-15 02:18:22.000000000 +0100
+++ /var/tmp/diff_new_pack.UpcHFs/_new 2011-01-15 02:18:22.000000000 +0100
@@ -1,7 +1,7 @@
 #
-# spec file for package perl (Version 5.12.2)
+# spec file for package perl
 #
-# Copyright (c) 2010 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2011 SUSE LINUX Products GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -20,14 +20,14 @@
 Name: perl
 Summary: The Perl interpreter
-Version: 5.12.2
-Release: 4
-%define pversion 5.12.2
+Version: 5.12.3
+Release: 1
+%define pversion 5.12.3
 License: Artistic License .. ; GPLv2+
 Group: Development/Languages/Perl
 AutoReqProv: on
 Url: http://www.perl.org/
-Source: perl-5.12.2.tar.bz2
+Source: perl-5.12.3-RC1.tar.bz2
 Source1: %name-rpmlintrc
 Source2: macros.perl
 Source3: README.macros
@@ -42,6 +42,7 @@
 Patch8: perl-constprint.diff
 Patch9: perl-h2ph.diff
 Patch10: perl-HiRes.t-timeout.diff
+Patch11: perl-cgi-injection.diff
 BuildRoot: %{_tmppath}/%{name}-%{version}-build
 PreReq: perl-base = %version
 #PreReq: %fillup_prereq
@@ -126,7 +127,7 @@
 Perl man pages and pod files.
 
 %prep
-%setup -q -n perl-5.12.2
+%setup -q -n perl-5.12.3-RC1
 cp -p %{S:3} .
 %patch0
 %patch1
@@ -140,6 +141,7 @@
 %patch8
 %patch9
 %patch10 -p1
+%patch11
 
 %build
 cp -a lib savelib
++++++ perl-5.12.2.dif -> perl-5.12.3.dif ++++++
++++++ perl-cgi-injection.diff ++++++
--- ./cpan/CGI/lib/CGI.pm.orig 2010-05-07 13:34:10.000000000 +0000
+++ ./cpan/CGI/lib/CGI.pm 2011-01-12 11:35:33.000000000 +0000
@@ -1457,7 +1457,13 @@ END_OF_FUNC
 sub multipart_init {
     my($self,@p) = self_or_default(@_);
     my($boundary,@other) = rearrange_header([BOUNDARY],@p);
-    $boundary = $boundary || '------- =_aaaaaaaaaa0';
+    if (!$boundary) {
+        $boundary = '------- =_';
+        my @chrs = ('0'..'9', 'A'..'Z', 'a'..'z');
+        for (1..17) {
+            $boundary .= $chrs[rand(scalar @chrs)];
+        }
+    }
     $self->{'separator'} = "$CRLF--$boundary$CRLF";
     $self->{'final_separator'} = "$CRLF--$boundary--$CRLF";
     $type = SERVER_PUSH($boundary);
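Review bot: The default boundary in `multipart_init` is now drawn from `rand`, which in Perl is a general-purpose PRNG rather than a cryptographic one, so the 17 alphanumerics are only as unpredictable as the interpreter's seed, and nothing in the hunk records why the fixed `'------- =_aaaaaaaaaa0'` was dropped. I would put a comment above `if (!$boundary) {` such as `# Pick an unpredictable boundary so a caller-supplied body cannot anticipate where a part ends (CVE-2010-2761); rand() is not a CSPRNG, so pass BOUNDARY explicitly when a stronger guarantee is needed.` As a style point, `for (1..17)` relies on the implicit `$_` and the length 17 is a magic number; `my $boundary_length = 17;` next to `@chrs` would document the choice. The remainder of multipart_init continues outside the hunk.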
@@ -1545,10 +1551,17 @@ sub header {
     # CR escaping for values, per RFC 822
     for my $header ($type,$status,$cookie,$target,$expires,$nph,$charset,$attachment,$p3p,@other) {
         if (defined $header) {
-            $header =~ s/
-                (?<=\n) # For any character proceeded by a newline
-                (?=\S) # ... that is not whitespace
-            / /xg; # ... inject a leading space in the new line
+            # From RFC 822:
+            # Unfolding is accomplished by regarding CRLF immediately
+            # followed by a LWSP-char as equivalent to the LWSP-char.
+            $header =~ s/$CRLF(\s)/$1/g;
+
+            # All other uses of newlines are invalid input.
+            if ($header =~ m/$CRLF|\015|\012/) {
+                # shorten very long values in the diagnostic
+                $header = substr($header,0,72).'...' if (length $header > 72);
+                die "Invalid header value contains a newline not followed by whitespace: $header";
+            }
         }
     }
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Remember to have fun...

-- 
To unsubscribe, e-mail: opensuse-commit+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse-commit+help@opensuse.org
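Review bot: The unfolding line `$header =~ s/$CRLF(\s)/$1/g;` uses `\s`, which is wider than the LWSP-char (SP or HTAB) named in the RFC 822 text quoted just above it: `\s` also matches CR, LF, VT and FF, so CRLF followed by a second CR or LF is "unfolded" to that bare character, and CRLF followed by VT or FF collapses to a stray control character. The rejection `m/$CRLF|\015|\012/` still catches a leftover CR or LF, so the outcome stays fail-closed, but `$header =~ s/$CRLF([ \t])/$1/g;` would match the quoted rule exactly. The context comment `# CR escaping for values, per RFC 822` above the loop now describes the removed code; I would replace it with `# Unfold RFC 822 continuation lines, then reject any other CR or LF in a header value.` The `die` text says "newline not followed by whitespace", yet a bare LF followed by a space is also rejected because only CRLF is unfolded, which the removed `(?<=\n)` form did accept; a short comment noting that bare LF is deliberately refused would save the next reader the surprise. The enclosing `sub header` begins before the hunk.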