Bug 152845

Summary: CAN-2004-0452, CAN-2004-0976, CAN-2005-0155, CAN-2005-0156, CAN-2005-0448 multiple perl vulns
Product: [Retired] Fedora Legacy
Reporter: David Lawrence <dkl>
Component: perl
Assignee: Fedora Legacy Bugs <bugs>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: bugzilla.redhat, deisenst, jpdalbec, mattdm, mjc, pekkas, redhat-bugzilla
Keywords: Security
Hardware: All
OS: Linux
Whiteboard: 1, LEGACY, rh73, rh90, 2
Doc Type: Bug Fix
Last Closed: 2006-01-24 23:29:20 UTC
Bug Blocks: 176731

Attachments:
 - A test of CGI.pm in my FC1 build of perl-5.8.3 fails (perl scripts and output) - related to perl-5.8.3-cgi.pm.patch
 - comment9.tar.gz - patches, comments (see bug 152845 comment 9)
 - Proposed updated OWL/solar tempfile patch for RH9
 - Possible revised perl-5.6.1-solartmp.patch for RHL73
 - side-by-side diff listing of RH7.3 spec files
 - Differences between build logs
 - Proposed text of Test Update Notification for this issue

Description David Lawrence 2005-03-30 23:29:28 UTC
http://secunia.com/advisories/12991/

Multiple vulnerabilities have been reported in Perl, which can be exploited by
malicious, local users to perform certain actions on a vulnerable system with
escalated privileges.

The vulnerabilities are caused due to various scripts creating temporary files
insecurely. This can be exploited via symlink attacks to create or overwrite
arbitrary files on the system with the privileges of the user executing a
vulnerable script.

CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0976

Red Hat Bugzilla:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=136325
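As an added illustration (not from the advisory, this bug, or the patched packages), the predictable temp-file pattern the advisory describes, next to the forms that defeat a planted symlink. The names insecure_tempfile, secure_tempfile and exclusive_create are chosen here; the insecure routine is shown for comparison and is never called.

```perl
#!/usr/bin/perl
# Added example: predictable temp-file creation versus File::Temp / O_EXCL.
use strict;
use warnings;
use Fcntl qw(O_WRONLY O_CREAT O_EXCL);
use File::Spec;
use File::Temp qw(tempfile);

# Insecure: a fixed, guessable name in a world-writable directory.
# open('>') follows whatever already sits at that name, so a symlink
# planted there by another local user redirects the write to the link's
# target with this script's privileges.  (Constructed name; the PID is
# guessable.)  Kept only for comparison.
sub insecure_tempfile {
    my $path = File::Spec->catfile(File::Spec->tmpdir, "scratch.$$");
    open(my $fh, '>', $path) or die "open $path: $!";
    return ($fh, $path);
}

# Safer: File::Temp chooses a random name and creates it with O_CREAT|O_EXCL,
# so anything already at that name (file or symlink) makes the open fail
# instead of being followed.  UNLINK => 1 removes the file at exit.
sub secure_tempfile {
    return tempfile("scratch.XXXXXXXX",
                    DIR    => File::Spec->tmpdir,
                    UNLINK => 1);
}

# When a caller insists on its own path: O_CREAT|O_EXCL refuses an existing
# file and, per POSIX, also fails if the name is a symlink; mode 0600 keeps
# other users out of the result.  Returns undef (with $! set) on refusal.
sub exclusive_create {
    my ($path) = @_;
    sysopen(my $fh, $path, O_WRONLY | O_CREAT | O_EXCL, 0600)
        or return undef;
    return $fh;
}

# Demo: create a temp file safely, then show that an exclusive create of the
# same name is refused rather than clobbering or following anything.
my ($fh, $path) = secure_tempfile();
print $fh "scratch data\n";
close $fh;
print "created $path\n";

if (my $again = exclusive_create($path)) {
    close $again;
    print "unexpected: second create of $path succeeded\n";
} else {
    print "second create of $path refused: $!\n";
}
```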



------- Additional Comments From jpdalbec 2004-12-08 09:57:28 ----

Created an attachment (id=939)
RHL 7.3 backport patch




------- Additional Comments From jpdalbec 2004-12-10 08:15:50 ----

I'm rebuilding RHL 7.3 and RHL 9 RPMs outside mach because the following .spec
file excerpt assumes that you can run RPM during the build.  Any idea how to fix it?

--- cut here ---
# Generate *.ph files with a trick. Is this sick or what ?
make all -f - <<EOF
PKGS    = glibc-devel gdbm-devel gpm-devel libgr-devel libjpeg-devel \
          libpng-devel libtiff-devel ncurses-devel popt \
          zlib-devel binutils libelf e2fsprogs-devel pam pwdb \
          rpm-devel
STDH    = \$(filter %{_includedir}/include/%%, \$(shell rpm -q --queryformat '[%%{FILENAMES}\n]' \$(PKGS)))
STDH    +=\$(wildcard %{_includedir}/linux/*.h) \$(wildcard %{_includedir}/asm/*.h) \
          \$(wildcard %{_includedir}/scsi/*.h)
GCCDIR  = \$(shell gcc --print-file-name include)
GCCH    = \$(filter \$(GCCDIR)/%%, \$(shell rpm -q --queryformat '[%%{FILEMODES} %%{FILENAMES}\n]' gcc | grep -v ^4 | awk '{print $NF}'))

PERLLIB = \$(RPM_BUILD_ROOT)%{_libdir}/perl5/%{perlver}
PERL    = PERL5LIB=\$(PERLLIB) \$(RPM_BUILD_ROOT)%{_bindir}/perl
PHDIR   = \$(PERLLIB)/\${RPM_ARCH}-linux*
H2PH    = \$(PERL) \$(RPM_BUILD_ROOT)%{_bindir}/h2ph -d \$(PHDIR)/

all: std-headers gcc-headers fix-config

std-headers: \$(STDH)
        cd %{_includedir} && \$(H2PH) \$(STDH:%{_includedir}/%%=%%)

gcc-headers: \$(GCCH)
        cd \$(GCCDIR) && \$(H2PH) \$(GCCH:\$(GCCDIR)/%%=%%) || true

fix-config: \$(PHDIR)/Config.pm
        \$(PERL) -i -p -e "s|\$(RPM_BUILD_ROOT)||g;" \$<

EOF
--- cut here ---

I've also added all the mentioned RPMs to the BuildRequires: list.  I deleted a
few RPM names whose RPMs don't exist, both from the extra BuildRequires: and
from the list here.  I'm sure some of the BuildRequires: are now redundant, but
I'd rather be safe than sorry.

Planned version bumps:
perl-5.6.1-36.1.73 -> perl-5.6.1-37.0.7.3.legacy
perl-5.8.0-88.3    -> perl-5.8.0-89.0.9.legacy
perl-5.8.3-16      -> perl-5.8.3-17.1.legacy



------- Additional Comments From jpdalbec 2004-12-10 12:18:11 ----

New packages are available from http://www.fedoralegacy.org/contrib/perl/


I installed all the RPMs on my RHL 7.3 VMware box and rebooted.  I didn't
notice any problems.  I installed all the RPMs on my RHL 9 VMware box.  I ran
perl -V there and everything looked OK.  I also ran my obfuscated "e" printer
from http://perlmonks.org/?node_id=378928 and the output looked OK.




------- Additional Comments From bugzilla.fedora.us 2005-01-10 09:33:35 ----

we should probably deal with CAN-2004-0452 while we're at it.

http://marc.free.net.ph/message/20041221.102713.5d5e603a.html
http://www.debian.org/security/2004/dsa-620



------- Additional Comments From bugzilla.fedora.us 2005-01-31 12:13:08 ----

are we affected by CAN-2005-0077 and do we want to include it in this bug?



------- Additional Comments From bugzilla.fedora.us 2005-02-02 12:18:27 ----

also, CAN-2005-0155 and CAN-2005-0156 for perl-suidperl package?



------- Additional Comments From marcdeslauriers 2005-02-10 14:07:56 ----

https://rhn.redhat.com/errata/RHSA-2005-105.html



------- Additional Comments From marcdeslauriers 2005-02-10 14:17:09 ----

https://rhn.redhat.com/errata/RHSA-2005-069.html



------- Additional Comments From pekkas 2005-02-15 07:06:37 ----

Updated the CVE summary line.  I guess we need new packages, but now there are
RHEL patches out there..



------- Additional Comments From marcdeslauriers 2005-03-05 15:30:25 ----

Hey John, the patch you backported in comment #1...there seems to be a bunch of
stuff missing from it if I compare it to the one in Red Hat's bugzilla.

For example:
--- perl-5.8.3.orig/ext/DB_File/DB_File.pm	Mon Jan 19 18:46:25 2004
+++ perl-5.8.3/ext/DB_File/DB_File.pm	Mon Jan 19 20:14:11 2004
@@ -1821,7 +1821,7 @@
     use DB_File ;
 
     my %hash ;
-    my $filename = "/tmp/filt" ;
+    my $filename = "/var/run/filt" ;
     unlink $filename ;
 
     my $db = tie %hash, 'DB_File', $filename, O_CREAT|O_RDWR, 0666, $DB_HASH 
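Review bot: the logic in this sample is unchanged by the hunk: `unlink $filename ;` is still followed by `tie %hash, 'DB_File', $filename, O_CREAT|O_RDWR, 0666` on a fixed, predictable name, so it is safe only where nobody else can create an entry at that name between the two calls, and mode 0666 (before umask) leaves the resulting database world-writable. Moving from /tmp to /var/run changes which directory has to be trusted, not the pattern; if the example is meant to show safe usage, a File::Temp-generated name with a restrictive mode would be the thing to demonstrate, and if it is documentation only, the patch header should say so.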
@@ -1863,7 +1863,7 @@
     use strict ;
     use DB_File ;
     my %hash ;
-    my $filename = "/tmp/filt" ;
+    my $filename = "/var/run/filt" ;
     unlink $filename ;
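Review bot: same path swap as the hunk above, this time in the second example at line 1863 of DB_File.pm; the visible context stops at `unlink $filename ;`, so nothing here alters the unlink-then-create sequence either. Since both hunks edit what looks like embedded sample code (the `use DB_File ;` / `my %hash ;` preamble recurs in both), the patch description should state that they are documentation-only changes, which is what the backport comparison being asked about turns on.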

What was your source? Am I missing something?



------- Additional Comments From jpdalbec 2005-03-07 03:24:51 ----

I had to strip out those hunks because they were already included in the
existing perl-5.6.1-solartmp.patch.



------- Additional Comments From marcdeslauriers 2005-03-10 16:15:56 ----

CAN-2005-0448:

Paul Szabo discovered another vulnerability in the rmtree() function
in File::Path.pm. While a process running as root (or another user)
was busy deleting a directory tree, a different user could exploit a
race condition to create setuid binaries in this directory tree,
provided that he already had write permissions in any subdirectory of
that tree.

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0448
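An added illustration, not File::Path's rmtree and not any of the patches discussed in this bug, of the defensive shape a fix for this race takes: lstat before descending, confirm the directory's dev/ino after chdir, never follow symlinks, never chmod anything. The names safe_rmtree and _descend and the demo tree are constructed here.

```perl
#!/usr/bin/perl
# Added example: a recursive delete that checks it is still inside the
# directory it inspected before removing anything from it.
use strict;
use warnings;
use Cwd ();
use File::Temp qw(tempdir);

# Remove directory $root and everything below it.  Returns the number of
# entries removed; dies (with the working directory restored) if a directory
# is swapped out from under us.  Symlinks are unlinked, never followed, and
# no permissions are ever widened: if we cannot delete, we fail.
sub safe_rmtree {
    my ($root) = @_;
    my @rst = lstat $root or return 0;    # lstat: a symlink root is not a tree
    return 0 unless -d _;
    my $cwd = Cwd::getcwd();
    defined $cwd or die "getcwd: $!";
    my @pst = stat '.' or die "stat .: $!";
    my $removed = eval { _descend($root, $rst[0], $rst[1], $pst[0], $pst[1]) };
    my $err = $@;
    chdir $cwd or die "cannot return to $cwd: $!";
    die $err if $err;
    if (rmdir $root) { $removed++ } else { warn "rmdir $root: $!" }
    return $removed;
}

# Empty directory $path, whose lstat gave ($dev, $ino), then return to a
# parent whose stat gave ($pdev, $pino).
sub _descend {
    my ($path, $dev, $ino, $pdev, $pino) = @_;
    chdir $path or die "chdir $path: $!";
    my @here = stat '.' or die "stat .: $!";
    # If $path was replaced by a symlink between our lstat and the chdir,
    # "." is now some other directory: refuse to delete anything and abort.
    die "$path changed underneath us (dev/ino mismatch); aborting\n"
        unless $here[0] == $dev && $here[1] == $ino;

    opendir(my $dh, '.') or die "opendir $path: $!";
    my @entries = grep { $_ ne '.' && $_ ne '..' } readdir $dh;
    closedir $dh;

    my $removed = 0;
    for my $e (@entries) {
        my @est = lstat $e or next;            # vanished meanwhile
        if (-d _) {                            # a real directory, not a symlink
            $removed += _descend($e, $est[0], $est[1], $here[0], $here[1]);
            if (rmdir $e) { $removed++ } else { warn "rmdir $path/$e: $!" }
        } elsif (unlink $e) {
            $removed++;                        # file or symlink: the link goes, its target stays
        } else {
            warn "unlink $path/$e: $!";
        }
    }

    # Back up, and confirm the parent is the one we came from.
    chdir '..' or die "chdir ..: $!";
    my @up = stat '.' or die "stat .: $!";
    die "parent of $path changed underneath us; aborting\n"
        unless $up[0] == $pdev && $up[1] == $pino;
    return $removed;
}

# Demo on a constructed tree: a symlink inside the tree points at a directory
# outside it; the link is removed, its target is left alone.
my $outside = tempdir(CLEANUP => 1);
open(my $fh, '>', "$outside/sentinel") or die "open: $!";
print $fh "must survive\n";
close $fh;

my $tree = tempdir();                          # removed by safe_rmtree below
mkdir "$tree/sub" or die "mkdir: $!";
open($fh, '>', "$tree/sub/file") or die "open: $!";
close $fh;
symlink $outside, "$tree/sub/escape" or die "symlink: $!";

my $n = safe_rmtree($tree);
printf "removed %d entries; tree %s; sentinel %s\n", $n,
    (-e $tree ? "still present" : "gone"),
    (-e "$outside/sentinel" ? "intact" : "DELETED");
```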




------- Additional Comments From mattdm 2005-03-20 11:19:03 ----

I can't get the perl packages to rebuild (either the new ones above, or the
originals) on RHL9. Dies with:

        Making Digest::MD5 (dynamic)
Writing Makefile for Digest::MD5
make[1]: Entering directory `/home/mattdm/rpmbuild/BUILD/perl-5.8.0/ext/Digest/MD5'
Makefile:70: *** missing separator.  Stop.
make[1]: Leaving directory `/home/mattdm/rpmbuild/BUILD/perl-5.8.0/ext/Digest/MD5'
make config failed, continuing anyway...
make[1]: Entering directory `/home/mattdm/rpmbuild/BUILD/perl-5.8.0/ext/Digest/MD5'
Makefile:70: *** missing separator.  Stop.
make[1]: Leaving directory `/home/mattdm/rpmbuild/BUILD/perl-5.8.0/ext/Digest/MD5'
make: *** [lib/auto/Digest/MD5/MD5.so] Error 2
error: Bad exit status from /home/mattdm/tmp/rpm-tmp.27511 (%build)
 
every time. Is there some sort of buildpreq I'm missing?


Meanwhile, we're seeing CAN-2005-0155/CAN-2005-0156 exploited in the wild
(there's a very trivial piece of example code out there) so it'd be nice to get
this out, quickly.



------- Additional Comments From mattdm 2005-03-20 11:25:10 ----

Oh -- never mind the first part. Forgot LANG=C. But *do* mind the second part --
this is serious.



------- Additional Comments From pekkas 2005-03-20 21:16:45 ----

If someone creates the packages -- 0448 patch might be available e.g., from
Ubuntu --, I can do the publish QA..



------- Additional Comments From mattdm 2005-03-22 12:40:00 ----

I looked at the ubuntu patch for CAN-2005-0448, and it seems to actually change
the semantics of the function call in order to avoid the potential race condition.

That's a big change, and while all security problems are, y'know, problems, I
don't think we should let that one delay putting out an update that fixes
CAN-2005-0155/CAN-2005-0156.

http://packetstorm.linuxsecurity.com/0502-exploits/ex_perl.c

(The patch at https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=146738
appears to be good.)



------- Additional Comments From pekkas 2005-03-22 21:36:43 ----

Luckily enough, you can just remove the perl-suidperl package.. it was split out
around RHL72 or so specifically to avoid having to install it on boxes you don't
need it on.

But I agree this is something we should fix pretty soon, with or without 0448.



------- Bug moved to this database by dkl 2005-03-30 18:29 -------

This bug previously known as bug 2261 at https://bugzilla.fedora.us/
https://bugzilla.fedora.us/show_bug.cgi?id=2261
Originally filed under the Fedora Legacy product and Package request component.

Attachments:
RHL 7.3 backport patch
https://bugzilla.fedora.us/attachment.cgi?action=view&id=939

Unknown priority P2. Setting to default priority "normal".
Unknown platform PC. Setting to default platform "All".
Unknown severity major. Setting to default severity "normal".
The original reporter of this bug does not have an account here. Reassigning to
the person who moved it here, dkl. Previous reporter was fedora-legacy-bugzilla-2004.
Setting qa contact to the default for this product. This bug either had no qa
contact or an invalid one.



Comment 1 Marc Deslauriers 2005-04-20 23:33:21 UTC
*** Bug 136326 has been marked as a duplicate of this bug. ***

Comment 2 Marc Deslauriers 2005-04-20 23:34:29 UTC
We also need FC2 packages here.

Comment 3 John Dalbec 2005-07-19 14:05:37 UTC
New packages available from www.fedoralegacy.org/contrib/perl:


I had to modify the Gentoo patch to remove the "unless $!{ENOENT}" clause
because that was causing build failures.  The original Gentoo patch works
fine as long as your installed Perl was built on the exact Linux kernel
version you're running.  Otherwise Errno.pm errors out.

The RHL 7.3 and 9 packages are not guaranteed to build properly in Mach
because the build script assumes that "rpm -ql" works.  I haven't heard
any suggestions about how to work around this.  Should I assume that the
files in question are set in stone now and just build the lists by hand?

I installed the RHL 7.3 packages on a test box and rebooted.  I haven't
noticed any problems.

P. S. Which patches are needed for FC2?

Comment 4 Pekka Savola 2005-07-20 17:57:15 UTC
AFAICS, FC2's perl-5.8.3-18 doesn't include any of these fixes,
so everything should be included there as well.

Analysis of the patches:

perl-5.6.1-CAN-2005-0448-rmtree.patch: ASCII English text -> OK, gentoo
  ==> matches
      http://www.gentoo.org/cgi-bin/viewcvs.cgi/*checkout*/dev-lang/perl/files/CAN-2005-0448-rmtree.patch

perl-5.6.1-CAN-2005-0077-perl-DBI-tmpfile.patch: ASCII English text
  ==> matches RHEL3's perl-DBI's tmpfix patch.

perl-5.6.1-cgi.pm.patch
  ==> matches RHEL3's perl-5.8.0-CGI-encoded-path.patch

perl-5.6.1-CAN-2005-0155-0156-perlio.patch
  ==> matches RHEL3's perl-5.8.0-bug33990.patch

perl-5.8.0-tempfile-5.8.3-backport.patch
  ==> is pretty close but not quite equal to
      https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=136325 and the gentoo
      bug.

Notes:
 - What is the source for the perl-5.6.1-tempfile-5.8.3-backport.patch ?

 - FC1 includes only solar's tmpfile patch!?!

 - FC2 has apparently been done against a previous version, not 5.8.3-18,
   as FC changes adding perl-5.8.3-empty-rpath.patch and
   perl-5.8.3-findbin-selinux.patch were lost.

 - There has been a substantial amount of changes in the spec file for
   FC1 and FC2.

 - RHL73 has the perlio and cgi.pm patches commented out (???).

 - In all the versions, the perl-DBI patch has been commented out (??)

 - In at least RHL73 and RHL9, there have been changes in the PKGS line
   in the spec file, removing at least libgr-devel.
   Is there a reason for these changes?

 - Could you tell a bit about the methodology used to construct the tempfile
   backport for 5.6.1?

 - Note that 5.8.3 does not completely solve the tempfile issues, at least this
   is what the remainder patch in gentoo leads one to believe:
   http://www.gentoo.org/cgi-bin/viewcvs.cgi/*checkout*/dev-lang/perl/files/perl-5.8.5-tempfiles.patch


Comment 5 John Dalbec 2005-07-20 19:29:25 UTC
Notes:
 - What is the source for the perl-5.6.1-tempfile-5.8.3-backport.patch ?

------- Additional Comments From marcdeslauriers 2005-03-05 15:30:25 ----

Hey John, the patch you backported in comment #1...there seems to be a bunch of
stuff missing from it if I compare it to the one in Red Hat's bugzilla.

For example:
--- perl-5.8.3.orig/ext/DB_File/DB_File.pm	Mon Jan 19 18:46:25 2004
+++ perl-5.8.3/ext/DB_File/DB_File.pm	Mon Jan 19 20:14:11 2004
@@ -1821,7 +1821,7 @@
     use DB_File ;
 
     my %hash ;
-    my $filename = "/tmp/filt" ;
+    my $filename = "/var/run/filt" ;
     unlink $filename ;
 
     my $db = tie %hash, 'DB_File', $filename, O_CREAT|O_RDWR, 0666, $DB_HASH 
@@ -1863,7 +1863,7 @@
     use strict ;
     use DB_File ;
     my %hash ;
-    my $filename = "/tmp/filt" ;
+    my $filename = "/var/run/filt" ;
     unlink $filename ;

What was your source? Am I missing something?



------- Additional Comments From jpdalbec 2005-03-07 03:24:51 ----

I had to strip out those hunks because they were already included in the
existing perl-5.6.1-solartmp.patch.


 - FC1 includes only solar's tmpfile patch!?!

Did you download the correct RPM?

 - FC2 has apparently been done against a previous version, not 5.8.3-18,
   as FC changes adding perl-5.8.3-empty-rpath.patch and
   perl-5.8.3-findbin-selinux.patch were lost.

I haven't built an FC2 RPM yet so I don't know what you mean here.

 - There has been a substantial amount of changes in the spec file for
   FC1 and FC2.

Compared to RHL73 and RHL9, you mean?

 - RHL73 has the perlio and cgi.pm patches commented out (???).

I couldn't find anything resembling the affected code in perlio.c; the affected
code in CGI.pm was already commented out, prefaced by "# If anybody knows why I
ever wrote this please tell me!"

 - In all the versions, the perl-DBI patch has been commented out (??)

I couldn't find DBI in the source tree.  It appears to come from a different
source RPM (perl-DBI).  Should that be a separate bug?

 - In at least RHL73 and RHL9, there have been changes in the PKGS line
   in the spec file, removing at least libgr-devel.
   Is there a reason for these changes?

There is no libgr-devel package in RHL73 or RHL9.  I think I removed a couple
other packages that don't exist as well.

 - Could you tell a bit about the methodology used to construct the tempfile
   backport for 5.6.1?

1. Add original patch to .spec file.
2. rpm -bp
3. See what hunks fail to apply.
4. If a hunk is already applied, remove it from the patch.
5. If nothing in the code looks like the hunk applies to it, remove the hunk
from the patch.
6. Fix the remaining hunks.

 - Note that 5.8.3 does not completely solve the tempfile issues, at least this
   is what the remainder patch in gentoo leads one to believe:
   http://www.gentoo.org/cgi-bin/viewcvs.cgi/*checkout*/dev-lang/perl/files/perl-5.8.5-tempfiles.patch

I'll take a look at it.

Comment 6 John Dalbec 2005-07-21 13:57:37 UTC
On further review of the .spec file, PKGS doesn't matter because the filter
selects only files in /usr/include/include/, which doesn't exist!  Should I fix
that?  It doesn't seem to have bothered anyone so far, and it's not a security
issue.  The (RHL 7.3) package still builds OK if I make the change.  Of course I
still need to deal with the Mach issue unless we're not using Mach for our build
system any more.

Comment 7 Pekka Savola 2005-07-21 18:04:56 UTC
Sorry, I thought 'perl-5.8.3-18.1.legacy.src.rpm' was for FC2, and .17.1.legacy
for FC1, but I was wrong.  In any case, I think perl-5.8.3-18.1.legacy.src.rpm
needs to be renamed to be numerically smaller than FC2's package
(perl-5.8.3-18.src.rpm), e.g., perl-5.8.3-17.2.legacy.src.rpm?

With regard to the spec file changes, FC1 packages have a lot of whitespace
changes which don't seem to be necessary?

Perlio indeed doesn't seem to be needed for RHL73.  Also agree on cgi.pm. 
Perl-DBI seems to require its own patches, yes.

I'd prefer not to modify PKGS line from what has been shipped by Red Hat unless
it's required for the packages to build.

I guess I'd have to review the solartmp patch(es); the other patches look good
as is.



Comment 8 David Eisenstein 2005-09-16 20:17:56 UTC
Created attachment 118908
A test of CGI.pm in my FC1 build of perl-5.8.3 fails (perl scripts and output) - related to perl-5.8.3-cgi.pm.patch

Source QA for the Fedora Core 1 .src.rpm.

c0c9e8b56e5a7ad86bd989072b88fa063d00be1d  perl-5.8.3-18.1.legacy.src.rpm
  downloaded from www.fedoralegacy.org/contrib/perl,

Sources:
   * source rpm perl-5.8.3.tar.gz appears pristine
   * All previous patches from FC1's perl-5.8.3-16.src.rpm are the same.

Patches:
I did my comparisons with similar patches from Debian.

   * perl-5.8.3-CAN-2004-0452-rmtree.patch: is superseded by the CAN-2005-0448
     patch.  Is properly commented out in the spec file.

   * perl-5.8.3-CAN-2005-0077-perl-DBI-tmpfile.patch:  This patch does not
     belong with this .srpm package.  Instead, it should patch the 
     perl-DBI .srpm package (in FC1, perl-DBI-1.37-1.src.rpm).

   * perl-5.8.3-CAN-2005-0155-0156-perlio.patch:  Same as Debian's.  Good.

   * perl-5.8.3-CAN-2005-0448-rmtree.patch:  Looks good.  This is major surgery
     on lib/File/Path.pm, but this seems to be the standard fix.  Only a very
     slight difference from Debian's patch, and ours seems fine.
     ("<" Debian's; ">" ours):

	44c44
	< @@ -166,111 +157,129 @@
	---
	> @@ -166,111 +157,133 @@
	75c75,79
	< +    my ($dev, $ino) = lstat $path or return 0;
	---
	> +    my ($dev, $ino) = lstat $path or do {
	> +	carp "Can't stat $prefix$path ($!)";# unless $!{ENOENT};
	> +	return 0;
	> +    };
	> +
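Review bot: the difference in the second region is behavioural, not cosmetic: with `# unless $!{ENOENT};` commented out, our `lstat $path or do { carp ...; return 0; }` branch warns on every lstat failure, including a path that has simply disappeared, where Debian's `lstat $path or return 0;` stays silent. John's comment 3 says the clause was dropped because Errno.pm errored out when the installed Perl was built on a different kernel version; that reason belongs in a comment beside the hunk or in the changelog, otherwise the commented-out condition reads as an unfinished edit.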

   * perl-5.8.3-cgi.pm.patch:  This patch causes some problems.  When doing
     the build phase (rpmbuild -bc), during the regression tests, one of the
     tests of lib/CGI.pm fails (from my build log):
     
	lib/CGI/t/request....................FAILED at test 15
	...
	Failed 1 test script out of 821, 99.88% okay.
	### Since not all tests were successful, you may want to run some of
	### them individually and examine any diagnostic messages they
	### produce.  See the INSTALL document's section on "make test".

     The test does not fail on the CGI.pm in my present install of 
     perl-5.8.3-16.

     I created a slightly more instrumented version of request.t, and ran it
     according to the INSTALL instructions (both request.t and my_request.t
     are enclosed, along with the output of both in tests.tar.gz):

     Am attempting to investigate whether or not this patch for perl-5.8.0
     is valid for FC1's perl-5.8.3 ....  It appears that this patch was supplied
     by an end-user and was thrown in by Red Hat for the RHEL 3 Linux
     product (see Bug #140227), during their fix (RHSA-2005-105).  Note
     particularly where the end user notes, "Later issues of perl seem
     to have this fixed."  (Bug #140227 comment 0).

     John, does this test fail on any of your compiles/builds?  Isn't the
     distro that you use RH 7.3?  Does it fail in any other builds of other
     distros?

...  to be continued ...

Comment 9 David Eisenstein 2005-09-19 20:36:16 UTC
Created attachment 119002
comment9.tar.gz - patches, comments (see bug 152845 comment 9)

da39e2723072e29a8e5831210f20591de1ab735c  comment9.tar.gz (attached)

    * perl-5.8.3-cgi.pm.patch (continued):  This patch is unnecessary and
      should be removed.  The bug that perl-5.8.0-CGI-encoded-path.patch
      fixes in perl-5.8.0 appears to already be fixed in existing code in
      perl-5.8.3's CGI.pm.

      This patch adds a bit of code that essentially duplicates adding
      backslashes (or "quoting") certain characters that CGI.pm's existing
      use of the internal "quotemeta" Perl function already is doing, so
      including this patch breaks the code.  For more details, see the file
      "About_perl-5.8.3-cgi.pm.patch_.txt" in the CGI.pm/ directory of the
      attached tarball.

    * perl-5.8.3-tempfile.patch -- This must be the solartmp patch, for
      CAN-2004-0976?  It compares very favorably with the Debian patch for
      insecure tempfiles.  It patches quite a bit more than the Debian patch
      (mostly documentation).  It looks okay, but I have made a couple of
      tweaks to that patch file that change it to be a little more like
      Debian's patch in a few places where it makes sense to do so.

      The tweaks are in the attached tarball in directory tempfile/.  The
      original file is "perl-5.8.3-tempfile.patch.ori", and my tweaked patch
      file is "perl-5.8.3-tempfile.patch".  For comparison, Debian's patch
      is also there, called "09_fix_insecure_tempfiles", gleaned from their
      <http://ftp.debian.org/debian/pool/main/p/perl/perl_5.8.4-8.diff.gz>.

    * perl.spec -- Enclosed is an update to perl.spec from perl-5.8.3-18.1.
      src.rpm:
	1)  Changed the release to make it perl-5.8.3-17.3.legacy so it will
	    not conflict with Fedora Core 2's perl
	2)  Restored the white-space that was in the previous release's,
	    (perl-5.8.3-16's) specfile.
	3)  Removed the CAN-2005-0077 patch as it does not apply to this
	    package.
	4)  Removed the perl-5.8.3-cgi.pm.patch, as discussed above.

      The "perl-5.8.3-16.spec" (from RH's FC1 perl update of March, 2004),
      "perl.spec.ori" (from perl-5.8.3-18.1.src.rpm), and "perl.spec" (my
      update) can all be found in the specfile/ directory of the tarball.

I've built and installed rpms from the .src.rpm resulting from these
changes, and run a number of perl programs from it, including a .cgi
program, and all seem to work well.  Plan to post an updated .src.rpm within
the next day or so.

If you have any thoughts or comments about the changes, please let me know.
Thanks.


Comment 10 David Eisenstein 2005-09-20 02:08:47 UTC
 $ cat <comment 9> | expand | gpg --verify

Bugzilla changes spaces to tabs so signature doesn't verify otherwise.

Comment 11 David Eisenstein 2005-09-21 07:09:32 UTC
Here is an updated perl package to QA for FC1.  It updates John Dalbec's
FC1 perl-5.8.3.18.1.legacy.src.rpm source package:

  4cc87b1cc3df776fd4b938ee4ef335a92f3e0c20  perl-5.8.3-17.3.legacy.src.rpm

  http://www.fedoralegacy.org/contrib/perl/perl-5.8.3-17.3.legacy.src.rpm

FC1 Changelog:
(nb:  I've munged email addresses here for spambots...  Full email addy's
are in srpm.)

* Sun Sep 19 2005 David Eisenstein <deisenst@...> 3:5.8.3-17.3.legacy
- Remove patch1005: perl-5.8.3-cgi.pm.patch introduces a bug and is
  unnecessary.  See bug # 152845 comment 9.

* Tue Sep 13 2005 David Eisenstein <deisenst@...> 3:5.8.3-17.2.legacy
- Re-do version number for FC1 release so as not to conflict with FC2.
- Put whitespace back to make an easier compare with 5.8.3-16
- Remove patch for CAN-2005-0077 since it patches perl-DBI package,
  not this one.

* Thu Jul 14 2005 John Dalbec <jpdalbec@...> 3:5.8.3-18.1.legacy
- integrate fixes for CAN-2004-0452 CAN-2005-0077 CAN-2005-0155
  CAN-2005-0156 CAN-2005-0448 and a CGI.pm DoS.

* Thu Dec 9 2004 John Dalbec <jpdalbec@...> 3:5.8.3-17.1.legacy
- integrate tmpfile patch from OWL/solar designer


Please test and comment.  Thank you.



Comment 12 Pekka Savola 2005-09-21 09:39:45 UTC
It seems that Patch1001 could be commented out because it's not applied.. 

The two patches look good, but I'm still having issues with the solar tmpfile
patch.  The first version proposed by John was 30K.  Debian has similar
elements, but that's only 10K.  It's nontrivial to figure out the rest.  Do you
know the source for the solar's patch?  Is there something to compare the 30K
patch we're using against?

In the overlapping parts, there are some differences wrt. whether the paths are
included or not (compare "my $filename = filt" vs "my $filename = /var/run/filt")
and on ppport.pm.  It's not clear how I could determine which one is correct.



Comment 13 John Dalbec 2005-09-21 12:35:20 UTC
I believe I created the solar tmpfile patch starting with the patch from bug
#136325 ("needs backporting") and removed/fixed hunks that didn't apply or were
already applied by the previous solar tmpfile patch.

Comment 14 David Eisenstein 2005-10-03 10:26:41 UTC
(In reply to comment #12)

> It seems that Patch1001 could be commented out because it's not applied..

Can do.

> The two patches look good, but I'm still having issues with the solar 
> tmpfile patch.  The first version proposed by John was 30K.  Debian has
> similar elements, but that's only 10K.  It's nontrivial to figure out the
> rest.  Do you know the source for the solar's patch?  Is there something
> to compare the 30K patch we're using against?

I went through the patch file "perl-5.8.3-tempfile.patch" practically line-
by-line, comparing it to both the Debian patch-file for tempfile issues and
assessing the effect of most every patch in it to the original sources.  I
agree, at 30,629 bytes, it weighs in pretty big.  Also it touches a lot of
perl .pm files, some perhaps unnecessarily.
    When I reviewed all of the patches, where the hunks differ from Debian's
usually ends up inconsequential.  Why?  Because the places it differs from
Debian's is patching *documentation* -- sample code, not real code.  A lot
of that 30k of patch-file is changing the POD sections of those pm's -- those
parts that are converted into Perl's man-pages.

> In the overlapping parts, there are some differences wrt. whether the paths
> are included or not compare "my $filename = filt" vs "my $filename = 
> /var/run/filt" and on ppport.pm.  It's not clear how I could determine which
> one is correct.

I see what you mean, Pekka.  Again, most of those places are doc sections.
But I also see the difference in the hunk that patches "perl-5.8.3/ext/Devel/
PPPort/PPPort.pm".  Although the solartmp patch may work there, the Debian
patch is no doubt correct and looks better to me.  Also many hunks of the
solartmp patch are unnecessary, since all they are patching are docs, and
we're interested in security issues.  Making a doc say "$HOME/$file" instead
of "/tmp/$file" is arguably not a security issue per se.

Furthermore one of the hunks, the only patch to CGI.pm, 

    --- perl-5.8.3.orig/lib/CGI.pm	Mon Jan 19 18:46:25 2004
    +++ perl-5.8.3/lib/CGI.pm	Sun Jan 25 16:45:26 2004
    @@ -2,6 +2,9 @@
     require 5.004;
     use Carp 'croak';
     
    +# XXX: The temporary file handling implemented in here is crap.  It should
    +# be re-done making use of File::Temp.
    +
     # See the bottom of this file for the POD documentation.  Search for the
     # string '=head'.

seems a rather useless patch: even were the added comment demonstrably true, 
it's a bit unprofessional.  If the patcher thinks the work should be done,
then he should do it rather than adding desultory comments.

The less unnecessary things we patch, the better.  Would it be satisfactory
to port the Debian patch to replace the solartmp patch, Pekka?  John?  Matt?
Marc?  Would anyone vote PUBLISH?

Further, if I did this for the FC1 package, would it need to be backported to
all the others?


Comment 15 Pekka Savola 2005-10-05 06:05:15 UTC
Oh, now I found the Owl original patch:

http://cvsweb.openwall.com/cgi/cvsweb.cgi/Owl/packages/perl/perl-5.8.3-owl-tmp.diff

There was one relevant diff:

[the first is Owl, the second is ours]
< +    unlink($TMP, '$SAFEDIR/a.out');
---
> +    unlink($TMP, "$SAFEDIR/a.out");
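Review bot: the Owl form unlink($TMP, '$SAFEDIR/a.out') passes the literal string $SAFEDIR/a.out, since Perl does not interpolate variables inside single quotes, so only $TMP is removed and the a.out under the safe directory is left behind; the double-quoted form on the right is the one that removes both files. Worth grepping the rest of the patch for the same single-quote slip before publishing.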


.. though I think ours is correct because '$ENV' doesn't seem to make sense if
the variable isn't expanded..

So, I can give the FC1 version posted a PUBLISH.  It's not fully clear what else may
be needed.  I.e., do we need new packages for other distros or are they good
enough (but just lacking publish) ?


Comment 16 David Eisenstein 2005-10-05 11:01:29 UTC
Well, the only major problem that I found in the FC1 version, "perl-5.8.3-
cgi.pm.patch", should not be an issue for the RH7.3 and RH9 versions of Perl.

The RH9 version will probably be okay; but what were you QA'ing in Comment #4,
Pekka?

I'll look at the RH9 and RH7.3 packages hopefully shortly (am concentrating
on Mozilla right now) and do source QA on them.

Do we still need a source rpm package for FC2?  My reading of this bugzilla is
that one hasn't been proposed yet.

Comment 17 Pekka Savola 2005-10-08 05:24:03 UTC
I think John proposed FC2 package, but it didn't look good.  I was looking at
the RPMs that john had proposed in #3, AFAIR.

(btw, I reported the solar tempfile issue with '' vs "" upstream, and they'll
fix their patch.)


Comment 18 David Eisenstein 2005-10-09 00:30:46 UTC
That was a good idea, reporting the tempfile issue regarding the '' quotes
instead of the "" ones upstream.  If I recall, this has been fixed upstream
by the Perl maintainers in the most recent Perl versions.

Here's my understanding of the source packages that have been submitted for QA:

Distro Comment #   Submitted   Package Name
====== =========   =========   ===============================================
RH73   Old Bgzla   2004-12-10  perl-5.6.1-37.0.7.3.legacy.i386.rpm (superseded)
RH73   Comment 3   2005-07-19  perl-5.6.1-38.0.7.3.legacy.src.rpm

RH9    Old Bgzla   2004-12-10  perl-5.8.0-89.0.9.legacy.src.rpm (superseded)
RH9    Comment 3   2005-07-19  perl-5.8.0-90.0.9.legacy.src.rpm

FC1    Old Bgzla   2004-12-10  perl-5.8.3-17.1.legacy.src.rpm (superseded)
FC1    Comment 3   2005-07-19  perl-5.8.3-18.1.legacy.src.rpm (superseded)
FC1    Comment 11  2005-09-21  perl-5.8.3-17.3.legacy.src.rpm  (PUBLISH?)

FC2       (Not yet submitted)
==============================================================================

The 5.8.3-18.1 was mistaken for an FC2 package when in fact John submitted it
to be considered as an FC1 package.  The confusion was due to the fact that
the FC2 package released by Red Hat is numbered 5.8.3-18.  That's why when I
submitted the latest FC1 package, I renumbered it to 5.8.3-17.3.  See FC1 
changelog in comment 11.

In any event, a FC2 .src.rpm package is needed.


Comment 19 David Eisenstein 2005-10-18 07:12:46 UTC
RHSA-2005:674-01 was issued a couple weeks ago for RHEL 4 (perl-5.8.5) to
address CAN-2005-0448 (the rmtree issue).

    <http://rhn.redhat.com/errata/RHSA-2005-674.html> or
<http://www.redhat.com/archives/enterprise-watch-list/2005-October/msg00006.html>.

"Paul Szabo discovered a bug in the way Perl's File::Path::rmtree module
removed directory trees. If a local user has write permissions to a
subdirectory within the tree being removed by File::Path::rmtree, it is
possible for them to create setuid binary files. The Common Vulnerabilities
and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0448
to this issue."

(This CVE appears to not yet have been fixed for RHEL 3.)
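The advisory quoted above describes the hazard of removing a tree in which another user can write. The following is an added example written for this page; it is not the CAN-2005-0448 patch and not File::Path's own code. The function names rmtree_careful() and _remove_children() and the constructed demo tree are assumptions. It shows the defensive shape a tree remover needs: every entry is examined with lstat so symlinks are unlinked rather than followed, nothing is ever chmod'ed (lack of permission fails closed instead of being widened), and the (dev, inode) identity of each directory is re-checked after chdir so an entry swapped underneath the remover is detected.

```perl
#!/usr/bin/perl
# Added example (not the CAN-2005-0448 patch, not File::Path): a tree remover
# that unlinks symlinks instead of following them, never chmods, and verifies
# directory identity after every chdir.  Names below are assumed for the demo.
use strict;
use warnings;
use Cwd qw(getcwd);
use File::Temp qw(tempdir);

# Remove everything below the directory we are currently in.
# ($dev, $ino) identify the directory the caller lstat'ed before chdir'ing,
# so an entry swapped between lstat and chdir is noticed, not descended into.
sub _remove_children {
    my ($dev, $ino) = @_;
    my @here = stat '.';
    return 0 unless @here && $here[0] == $dev && $here[1] == $ino;

    opendir(my $dh, '.') or return 0;
    my @entries = grep { $_ ne '.' && $_ ne '..' } readdir $dh;
    closedir $dh;

    my $ok = 1;
    for my $e (@entries) {
        my @st = lstat $e;            # lstat: a symlink is reported as a link
        unless (@st) { $ok = 0; next }
        if (-d _) {                   # after lstat, -d is never true for a link
            chdir $e or do { $ok = 0; next };
            my $sub_ok = _remove_children($st[0], $st[1]);
            chdir '..' or die "cannot return from $e: $!";
            my @back = stat '.';      # '..' must bring us back where we started
            die "directory changed underneath us, aborting"
                unless @back && $back[0] == $dev && $back[1] == $ino;
            $ok = 0 unless $sub_ok && rmdir $e;
        } else {
            # Files, symlinks, devices: unlink the name, never what it points at.
            # No chmod anywhere: if we lack permission we fail, we do not widen it.
            $ok = 0 unless unlink $e;
        }
    }
    return $ok;
}

# Public entry point.  Returns 1 if the whole tree went away, 0 otherwise.
sub rmtree_careful {
    my ($top) = @_;
    my @st = lstat $top;
    return 0 unless @st;
    # A plain file, or a symlink (even one pointing at a directory): just unlink it.
    return (unlink($top) ? 1 : 0) unless -d _;

    my $start = getcwd();
    chdir $top or return 0;
    my $ok = _remove_children($st[0], $st[1]);
    chdir $start or die "cannot return to $start: $!";
    return ($ok && rmdir $top) ? 1 : 0;
}

# Demo on a constructed tree: a subdirectory, a file, and a symlink pointing at
# a directory *outside* the tree.  A remover that followed links would reach
# the outside file; this one only unlinks the link itself.
my $outside = tempdir(CLEANUP => 1);
my $victim  = "$outside/keep-me";
open(my $vf, '>', $victim) or die $!;
print $vf "must survive\n";
close $vf;

my $tree = tempdir();                 # removed by rmtree_careful below
mkdir "$tree/sub" or die $!;
open(my $f, '>', "$tree/sub/file") or die $!;
close $f;
symlink($outside, "$tree/sub/escape") or die "symlink: $!";

my $ok = rmtree_careful($tree);
printf "tree removed: %s; outside file still present: %s\n",
    ($ok ? 'yes' : 'no'), ((-e $victim) ? 'yes' : 'no');
```

The identity check after chdir '..' is what makes the recursion safe to run in a directory where someone else can rename entries: if the parent we return to is not the one we left, the remover stops instead of continuing in an unknown place.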

Comment 20 Mark J. Cox 2005-10-18 08:31:51 UTC
For CAN-2005-0448 on RHEL3 see bug 161053.

Comment 21 David Eisenstein 2005-10-18 23:01:52 UTC
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Source QA for the Red Hat 9 .src.rpm from comment 3.

091966a58e7ec33f338dc1cedc361f5329850784  perl-5.8.0-90.0.9.legacy.src.rpm
  downloaded from <www.fedoralegacy.org/contrib/perl>.

Sources:
   * source tarball perl-5.8.0.tar.bz2 appears pristine.

New Patches:
I did patch comparisons with RHEL 3's perl-5.8.0-89.10.src.rpm from Feb 3,
2005 and also referencing similar (new) patches from the FC1 perl-5.8.3
sources.

   * perl-5.8.0-CAN-2004-0452-rmtree.patch: is superseded by the CAN-2005-0448
     patch.  Is properly commented out in the spec file so it is not applied.
     (Although moot, it does match RHEL 3's perl-5.8.0-rmtree.patch.)

   * perl-5.8.0-CAN-2005-0077-perl-DBI-tmpfile.patch:  This patch does not
     belong with this .srpm package.  Instead, it should patch the perl-DBI
     .srpm package (in RH9, perl-DBI-1.32-5.src.rpm).  Though included, it
     is not applied, because there is nothing in here to apply it to.

   * perl-5.8.0-CAN-2005-0155-0156-perlio.patch:  Same as RHEL 3's
	perl-5.8.0-bug33990.patch.  Looks good.

   * perl-5.8.0-CAN-2005-0448-rmtree.patch:  Looks good.  Compares well with
     the similar patch in FC1's srpm, with minor alterations to fit 5.8.0's
     source file.

   * perl-5.8.0-cgi.pm.patch:  This is the same patch as RHEL 3's
	perl-5.8.0-CGI-encoded-path.patch.  Looks good.

   * perl-5.8.0-tempfile-5.8.3-backport.patch:  This is a full implementation
     of the OWL/Solar temp patch.  It includes the same bugs that we have
     noted before:

       1)  Line 732-733 -- Does the unlink($TMP, '$SAFEDIR/a.out'), rather than
	   the more effective unlink($TMP, "$SAFEDIR/a.out"), that Pekka
	   noticed in comment 15.

       2)  Lines 380, 389, and 490 -- These lines are attempting to replace:
	      "/tmp/perldbtty$$"
	   with:
	      "/var/run/perldbtty$$"
	   in both perl-5.8.0/lib/perl5db.pl and perl-5.8.0/pod/perlfaq5.pod

	   In this instance, I agree with Debian's approach, which instead
	   replaces: 
	      "/tmp/perldbtty$$"
	   with:
	      "$ENV{HOME}/.perldbtty$$".
	   or something similar, both in live code and in documentation.

	   This is an important change because no users except for root
	   have access to create or maintain a "/var/run/xxx" file at
	   all, but all users have permissions to write hidden files to
	   their own home directory.

   * All other old patches and source-files are exactly the same (comparing
     to RHEL 3's perl-5.8.0-89.10.src.rpm from Feb 3, 2005), except for a
     couple of non-security fixes to the RHEL 3 Perl.

I will attach an updated perl-5.8.0-tempfile-5.8.3-backport.patch in the
next comment that fixes the two issues noted above.

Although everything else is fine, I cannot vote PUBLISH on this package
without these or similar fixes in place.


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)

iD8DBQFDVX7Gxou1V/j9XZwRAm9PAKD1ux64AmU99H1wcqlCZoGKvikFWwCgo6ZE
gSohlCcPHwt7nYnp94WlMvU=
=3rP7
-----END PGP SIGNATURE-----


Comment 22 David Eisenstein 2005-10-18 23:13:12 UTC
Created attachment 120146 [details]
Proposed updated OWL/solar tempfile patch for RH9

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


221e6d1213f5f445bb8272368004526c5b3b380c
		perl-5.8.0-tempfile-5.8.3-backport.patch

Here is a proposed update to the perl-5.8.0-tempfile-5.8.3-backport.patch file
which was included in perl-5.8.0-90.0.9.legacy.src.rpm from comment 3.	This
updated patch file fixes a couple of errors (see comment 21).

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)

iD8DBQFDVYEdxou1V/j9XZwRAkLuAKCDBVB2ZABGph7IuY7YD9ZUrOVHlgCeLR8W
wRgjAw6dnZqL2Jp5UWeHjg4=
=3y+2
-----END PGP SIGNATURE-----

Comment 23 David Eisenstein 2005-10-18 23:25:30 UTC
$ cat {comment 22} | expand | unexpand | gpg --verify

to GPG validate.   

Comment 24 David Eisenstein 2005-10-24 09:31:27 UTC
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Here is an updated perl package to QA for RH9.  It updates John Dalbec's
RH9 perl-5.8.0-90.0.9.legacy.src.rpm source package.

  http://www.fedoralegacy.org/contrib/perl/perl-5.8.0-90.0.10.legacy.src.rpm

0dac664e1c7ee89911a0aba52635481bd13ac9c5  perl-5.8.0-90.0.10.legacy.src.rpm

RH9 Changelog:
(nb:  I've munged email addresses here for spambots...  Full email addy's
are in srpm.)

* Sat Oct 22 2005 David Eisenstein <deisenst@...> 2:5.8.0-90.0.10.legacy
- - Update perl-5.8.0-tempfile-5.8.3-backport.patch to correct some errors.
- - Bugzilla #152845

* Thu Jul 14 2005 John Dalbec <jpdalbec@...> 2:5.8.0-90.0.9.legacy
- - integrate fixes for CAN-2004-0452 CAN-2005-0077 CAN-2005-0155 CAN-2005-0156
  CAN-2005-0448 and a CGI.pm DoS.

* Thu Dec 9 2004 John Dalbec <jpdalbec@...> 2:5.8.0-89.0.9.legacy
- - integrate tmpfile patch from OWL/solar designer
- - add BuildRequires: glibc-devel gdbm-devel gpm-devel libjpeg-devel
      BuildRequires: libpng-devel libtiff-devel ncurses-devel popt
      BuildRequires: zlib-devel binutils e2fsprogs-devel pam 
      BuildRequires: rpm-devel groff

Please test and comment.  Thanks.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)

iD8DBQFDXKhVxou1V/j9XZwRAq1dAJ9fyjjMXQ1g/9YrjtfGTTk0OSWLHACfd+wG
Z5FH763pI/bhHJr2u0HuQjs=
=pMsC
-----END PGP SIGNATURE-----


Comment 25 John Dalbec 2005-11-29 13:27:49 UTC
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

FC2 packages are available from http://www.fedoralegacy.org/contrib/perl/

sha1sums:
5afd74098e0cd7ac3f72791396f32bd25328e650  perl-5.8.3-19.2.legacy.i386.rpm
83d8db018eaab6c58922144773b32f2a7e775813  perl-5.8.3-19.2.legacy.src.rpm
98178e1f9b3ea035c7dd170cf6fa548e81ef0929  perl-suidperl-5.8.3-19.2.legacy.i386.rpm

The packages build successfully in mach.

changelog:
* Wed Nov 23 2005 John Dalbec <jpdalbec@...> 3:5.8.3-19.2.legacy

- - integrate tmpfile patch from OWL/solar designer
- - integrate fixes for CAN-2004-0452 CAN-2005-0155 CAN-2005-0156 and
  CAN-2005-0448.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.7 (GNU/Linux)

iD8DBQFDjFZDJL4A+ldA7asRAnMpAJ93i+uoKhfmVgIFS/jyNVjxnQLqQgCffzGK
iK85Mkx6Y7y6mTBDJw5Ojj4=
=yFAT
-----END PGP SIGNATURE-----


Comment 26 Pekka Savola 2005-11-29 17:28:04 UTC
I've lost track a bit of whether new pkgs will be needed for FC1 and RHL73..?

Comment 27 David Eisenstein 2005-12-01 10:52:58 UTC
In comment #15, Pekka, you stated that you can give the FC1 version a 
PUBLISH.  If we don't need a gpg signature around it, then FC1 has your
PUBLISH vote already.  No new packages are needed, AFAICT.

A reckoning of votes needed so this can be officially built to be pushed
to updates-testing:

  * RH73 (John Dalbec's from comment #3) needs publish QA.  The result of
    that QA will determine if the .src.rpm is okay or if it needs something
    to be fixed in it or its patches.  (Sorry I didn't get around to doing
    QA on this awhile back!)

  * RH9 (updated in comment #24) needs a publish QA, which I cannot do,
    since I submitted the .src.rpm.  The update to the OWL/Solar tempfile
    patch I submitted in comment #22 is exclusively for the RH9 version
    of Perl for (small) errors I noted in comment #21's QA for RH9 Perl.
    (Please note all problems I found in comment #21 for RH9 were already
    fixed in the FC1 version of Perl.)
    
  * FC1 (updated in comment #11) should be ready to go; it fixes all relevant
    CVE's and bugs, and Pekka voted to PUBLISH in comment #15.  Yes?

  * FC2 (John Dalbec's from comment #25) now needs publish QA.


Comment 28 Pekka Savola 2005-12-01 11:35:05 UTC
My real question was, "has anyone analyzed whether pkgs in #11 and #3 fix the
same issues as revised RHL9 and FC2 packages?"

I guess someone should just dive in and take a look..

Comment 29 Pekka Savola 2005-12-01 12:30:16 UTC
I took a look at RHL9, FC1 and FC2.  They're all good, however, the PKGS line in
RHL9 should IMHO not be changed, and this can be fixed at build time.

RHL73 is also good, except for the tempfile backport patch.  I didn't go through
it completely.  It seems most stuff that has been left out of RHL73 is on man
pages, but I didn't verify.  Could someone else check this?

a273e8ee1cb2002a50e902b80b99717dbb8dead4  perl-5.6.1-38.0.7.3.legacy.src.rpm
0dac664e1c7ee89911a0aba52635481bd13ac9c5  perl-5.8.0-90.0.10.legacy.src.rpm
4cc87b1cc3df776fd4b938ee4ef335a92f3e0c20  perl-5.8.3-17.3.legacy.src.rpm
83d8db018eaab6c58922144773b32f2a7e775813  perl-5.8.3-19.2.legacy.src.rpm


Comment 30 David Eisenstein 2005-12-08 23:44:07 UTC
Am looking into RHL73's perl-5.6.1 right now...

a273e8ee1cb2002a50e902b80b99717dbb8dead4  perl-5.6.1-38.0.7.3.legacy.src.rpm


Comment 31 David Eisenstein 2005-12-11 07:56:00 UTC
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Source QA for the Red Hat Linux 7.3 .src.rpm from comment 3.

a273e8ee1cb2002a50e902b80b99717dbb8dead4  perl-5.6.1-38.0.7.3.legacy.src.rpm
  downloaded from <www.fedoralegacy.org/contrib/perl>.

   * source tarball perl-5.6.1.tar.gz appears pristine.
   * old patches in this .src.rpm are exactly the same as was in the
     previously released perl-5.6.1.
   * the spec-file looks good.

New Patches:

Pekka's already gone through these pretty thoroughly.  He notes in comment
#29, "RHL73 is also good, except for the tempfile backport patch.  I didn't
go through it completely.  It seems most stuff that has been left out of
RHL73 is on man pages, but I didn't verify."

The combination of the older patch1002 (perl-5.6.1-solartmp.patch) and John's
patch1003 (perl-5.6.1-tempfile-5.8.3-backport.patch) yields approximately the
same OWL/solardesigner patch for CVE-2004-0976 we've seen in the other distros,
which includes stuff for the .pod/.man pages.  The only differences occur in
the necessary changes for the backport process:  hunks that don't apply
are appropriately removed, and some other hunks take small tweaks to apply.

The tempfile patches look good enough and complete.  (With a mild reservation;
see footnote in comment #32.)**

I went through all the new patches anyway.  Only 2 of the 6 included new
patches are applied:

>* 1003)  perl-5.6.1-tempfile-5.8.3-backport.patch         - checked out, OK.
>* 1007)  perl-5.6.1-CAN-2005-0448-rmtree.patch            - checked out, OK.

The other 4 new patch files:
   1004)  perl-5.6.1-CAN-2004-0452-rmtree.patch - not used, superseded
          by CAN-2005-0448 rmtree patch.
   1005)  perl-5.6.1-CAN-2005-0077-perl-DBI-tmpfile.patch  - not used, patches
          a different .src.rpm, shouldn't be here.
   1006)  perl-5.6.1-CAN-2005-0155-0156-perlio.patch - not used, doesn't apply.
          Perl-5.6.1's perlio.c would not appear to be vulnerable to these
          issues, as there is no code for debugging in this much older .c file.
   1008)  perl-5.6.1-cgi.pm.patch - not used, doesn't apply.

These 4 inapplicable patch files could be removed from the spec-file.  But,
with the exception of patch1005, it might be good to at least mention them
there in spec-file comments, so future maintainers may know that these 
patches were omitted on purpose.

In summary, everything looks ship-shape in these RHL 7.3 sources in 
perl-5.6.1-38.0.7.3.legacy.src.rpm.

   PUBLISH++  RHL73's  perl-5.6.1-38.0.7.3.legacy.src.rpm

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)

iD8DBQFDm5I+xou1V/j9XZwRAsdWAJ9UM1OFrbf2kG54FiR6wNN2GZRdWgCg4TkB
UAsbAlXHEqZIAIHapiMjVmE=
=A89e
-----END PGP SIGNATURE-----


Comment 32 Pekka Savola 2005-12-11 08:16:32 UTC
Thanks!

Comment 33 David Eisenstein 2005-12-11 08:39:53 UTC
Created attachment 122107 [details]
Possible revised perl-5.6.1-solartmp.patch for RHL73

Footnotes to comment 31:
------------
**
   I have a minor nit with the old solartmp patch (perl-5.6.1-
   solartmp.patch) from Red Hat:  the same nit I had for RH9's perl in
   comment 21 in point (2) of the tempfile-backport patch comments
   (which I fixed in RH9's and FC1's packages, to be like Debian's
   patch).  The changes I would suggest would change lines 162, 171,
   and 202 of perl-5.6.1-solartmp.patch.

162c162
< +# uses the value of noTTY or "/var/run/perldbtty$$" to find TTY using
---
> +# uses the value of noTTY or "$HOME/.perldbtty$$" to find TTY using
171c171
< +	    my $rv = $ENV{PERLDB_NOTTY} || "/var/run/perldbtty$$";
---
> +	    my $rv = $ENV{PERLDB_NOTTY} || "$ENV{HOME}/.perldbtty$$";
202c202
< +startup, or C<"/var/run/perldbtty$$"> otherwise.  This file is not 
---
> +startup, or C<"~/.perldbtty$$"> otherwise.  This file is not 
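Review bot: the three replacements agree with each other (the comment on 162, the code on 171 and the POD on 202 all describe a per-user dotfile keyed on the PID), which is the consistency the earlier QA asked for. One gap on line 171: when $ENV{HOME} is unset, as under cron or some daemons, "$ENV{HOME}/.perldbtty$$" evaluates to "/.perldbtty<pid>" at the filesystem root; consider falling back to (getpwuid($<))[7], or failing, when HOME is empty.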

   But since everything else is fine, and Red Hat hadn't fixed this
   error in a recent patch it put into place for CVE-2004-0976 for FC4
   (in perl-5.8.6-CAN-2004-0976.patch, <http://tinyurl.com/87kbv>, remaining
   in <http://tinyurl.com/bxeyj>), I think we can let this go,
   for the purposes of getting this package voted PUBLISH to move on.
   
   (I've submitted Bug # 175467 to Red Hat for the FC4 bug.)

   Would anyone complain if a revised perl-5.6.1-solartmp.patch file
   (attached) were put in place at package build for updates-testing
   time?  It would have the benefit of making the code pretty well match
   upstream perl-5.8.7.
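Comment 21 (point 2) and comment 33 both turn on where a per-process scratch file such as perldbtty$$ should live and how it is opened. The example below is added for this page; it is not code from the thread, from the OWL/solar patch or from Debian's patch, and the helper names home_scratch_path(), open_exclusive() and scratch_handle() together with the constructed directory are assumptions. It contrasts the guessable shared-directory name the patches remove with a dotfile in the user's own home (handling the unset-HOME case the diff above leaves open), opens by name with O_EXCL so a pre-planted symlink is refused rather than written through, and shows File::Temp for the case where the name does not matter at all.

```perl
#!/usr/bin/perl
# Added example (not from the thread, the OWL/solar patch or Debian's patch):
# naming and opening a per-process scratch file so that a planted symlink in a
# shared directory is refused.  Helper names and the demo directory are assumed.
use strict;
use warnings;
use Errno qw(EEXIST);
use Fcntl qw(O_WRONLY O_CREAT O_EXCL);
use File::Spec;
use File::Temp qw(tempfile tempdir);

# The pattern the patches remove: a guessable name in a world-writable directory.
# Any local user can create "/tmp/perldbtty<pid>" as a symlink before we do.
sub predictable_path { return "/tmp/perldbtty$$" }

# What the thread settles on for perl5db.pl: a dotfile in the user's own home
# directory, which other users cannot populate.  $ENV{HOME} may be unset (cron,
# daemons), and "$ENV{HOME}/.perldbtty$$" would then silently become
# "/.perldbtty<pid>", so fall back to the passwd entry instead.
sub home_scratch_path {
    my $home = $ENV{HOME};
    $home = (getpwuid($<))[7] unless defined $home && length $home;
    return undef unless defined $home && length $home;
    return File::Spec->catfile($home, ".perldbtty$$");
}

# Create the file with O_CREAT|O_EXCL: the open fails with EEXIST if anything,
# a symlink included, already sits at that path, instead of writing through it.
sub open_exclusive {
    my ($path) = @_;
    sysopen(my $fh, $path, O_WRONLY | O_CREAT | O_EXCL, 0600) or return undef;
    return $fh;
}

# When the name is nobody's business, let File::Temp choose a random one; it
# opens with O_EXCL itself and removes the file when the handle goes away.
sub scratch_handle {
    my ($fh, $name) = tempfile('perlqa-XXXXXXXX', TMPDIR => 1, UNLINK => 1);
    return ($fh, $name);
}

# Demo on a constructed directory standing in for /tmp.
my $shared = tempdir(CLEANUP => 1);
my $victim = "$shared/victim";
open(my $v, '>', $victim) or die $!;
print $v "original\n";
close $v;

my $planted = "$shared/perldbtty$$";               # the name anyone can guess
symlink($victim, $planted) or die "symlink: $!";    # stand-in for a planted link

my $fh  = open_exclusive($planted);
my $why = $!{EEXIST} ? 'EEXIST, something already has that name' : "$!";
print defined $fh ? "open of planted name SUCCEEDED (unexpected)\n"
                  : "open of planted name refused: $why\n";

open(my $r, '<', $victim) or die $!;
my $contents = <$r>;
close $r;
print "victim file still reads: $contents";

my ($sfh, $sname) = scratch_handle();
print $sfh "scratch data\n";
print "random scratch file: $sname\n";
my $dot = home_scratch_path();
print "home dotfile would be: ", (defined $dot ? $dot : '(no home directory)'), "\n";
```

The O_EXCL open is the part that matters in a shared directory: the predictable name is only dangerous when the open will happily follow whatever is already there. Moving the file into $HOME removes the shared-directory problem; the getpwuid fallback keeps that move from producing a path at the root when HOME is missing.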

Comment 34 Pekka Savola 2005-12-11 09:06:15 UTC
No objection from me.

Comment 35 David Eisenstein 2005-12-11 22:10:01 UTC
Solar Designer has accepted both Pekka's and my patches.  See:
  <http://tinyurl.com/8a9ku>  (CVS change log at cvsweb.openwall.com)

Comment 36 David Eisenstein 2005-12-16 15:24:22 UTC
Am in the process of building these in mach for updates-testing....

Comment 37 David Eisenstein 2005-12-20 06:28:41 UTC
Created attachment 122440 [details]
side-by-side diff listing of RH7.3 spec files

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Like John Dalbec, I found on the FL build server that perl in RH7.3 has
problems building in mach, because it tries to run RPM during the build.

My workaround was to take John's suggested workaround from comment 3,
building the file-lists by hand that the rpm query commands in the build
process would have created, then placing those file lists as files in the
.src.rpm as Source11 and Source12.

RH7.3 Perl now builds in mach okay on the build server.

Any critique on this method of building Perl would be appreciated.

Enclosed is a side-by-side difference listing of the previous perl.spec and
the new perl.spec.  Also, if you'd like to take a look at the full .src.rpm
with the new spec-file, it is available to look at:

4f3aa62b967726046884fe9f3f33783b2278b9aa  perl-5.6.1-38.0.7.3.2.legacy.src.rpm
<http://fedoralegacy.org/contrib/perl/perl-5.6.1-38.0.7.3.2.legacy.src.rpm>

I said that it builds in mach okay.  Well, it mostly does.  There is one
error that is caught in the regression tests; that error does not cause the
build to fail.	It is this:

    .
    .
    .
    lib/safe3............FAILED at test 1
    .
    .
    .
    Failed 1 test script out of 254, 99.61% okay.

I am not sure what this error is about.  Do any of you have any ideas?
Do any of you that have a bona-fide RH7.3 environment (machine or vmware),
can you try building the above .src.rpm and see if that error occurs when
you build it?

In case it helps, the build log from mach on jane (FL's build-server) is also
available:

c3a0a6500b3fdfc182574940dd9e71e55a1e1b0b perl-5.6.1-38.0.7.3.2.legacy.build.log

<http://fedoralegacy.org/contrib/perl/perl-5.6.1-38.0.7.3.2.legacy.build.log>.

Would appreciate any suggestions or thoughts.

I am planning on going ahead and building RH9, FC1 and FC2 on the build
server starting this evening.  RH9 will, I think, require similar changes
to build in mach as RH7.3 did.

Thanks!  --David

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)

iD8DBQFDp6RTxou1V/j9XZwRAitUAKCWrbAVlkZ+3FYTGcBYUripRjwtxgCg9I0P
ZgYtuP2ZSWOnNZ9JU9xRHcI=
=MYJq
-----END PGP SIGNATURE-----

Comment 38 John Dalbec 2005-12-20 15:00:11 UTC
I don't get the error on RH7.3, but that could just mean that it's using the
installed Perl version.  I note that safe3.t does not have execute permissions.
Could that cause this problem?

Comment 39 John Dalbec 2005-12-20 15:13:28 UTC
It looks like BuildRequires: bison is missing.
@@ -551,8 +547,7 @@
 Checking the size of uid_t...
 Checking the sign of uid_t...
 Checking the format string to be used for uids...
-Which compiler compiler (byacc or yacc or bison -y) shall I use?
-[/usr/bin/byacc]  
+Which compiler compiler (yacc) shall I use? [yacc]  
 dbmclose() NOT found.
 <sys/file.h> found.
 We'll be including <sys/file.h>.
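Review bot: the only difference in this hunk is Configure's yacc probe: one log found /usr/bin/byacc while the other found only yacc, which points at a build environment missing the byacc package rather than at any change in the sources. A BuildRequires: byacc line in the spec makes the choice deterministic instead of depending on what happens to be installed on the build host.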


Comment 40 John Dalbec 2005-12-20 17:31:10 UTC
Make that BuildRequires: byacc.  I didn't realize they were different packages.


Comment 41 John Dalbec 2005-12-20 20:16:27 UTC
OK, I've removed byacc and bison from my RHL 7.3 system and I still don't get a
failure.  (I guess it could be because I already installed the new Perl
version.)  If I can get Mach working I'll see if I can reproduce the error
there.  Otherwise, the only meaningful difference I see between the build logs
is the kernel version.

Comment 42 John Dalbec 2005-12-20 22:06:20 UTC
Created attachment 122469 [details]
Differences between build logs

I rebuilt the SRPM you provided using Mach 0.4.7 (customized to set
LD_PRELOAD=/usr/lib/libselinux-mach.so in $buildroot/root/.profile and using a
local mach-libselinux package to install libselinux-mach.so in the buildroot)
in a RH7.3 buildroot on a FC3 host.  I didn't get the safe3 error.  I have
kernel.vdso = 0 in /etc/sysctl.conf on the host.  The command I used was LANG=C
nohup mach -d -f -r rh73l rebuild perl*.src.rpm > build.log 2>&1 &.  I compared
your "perl*.build.log" to the "rpm.log" file that was generated.

Comment 43 David Eisenstein 2005-12-21 12:52:06 UTC
Okay.  I've figured it out.  The problem is the newness of mach to yours 
truly.  Sorry 'bout that.

Instead of doing
  $ mach -r rh73 rebuild perl-5.6.1-38.0.7.3.3.legacy.src.rpm
yours truly needed to do
  $ mach -r rh73u rebuild perl-5.6.1-38.0.7.3.3.legacy.src.rpm

The first form on jane builds packages from the original os distribution
RPMs.  The second form builds packages from the most recently updated RPMs.
Just now learned that.

With that, the bug went away.  safe3.t passes its test.  Oh, and I added
BuildRequires: byacc, since perl builds seem to prefer it if it's available.

Your work and your comments were a great help, John.  Thanks!

Comment 44 David Eisenstein 2005-12-23 09:18:56 UTC
New vulnerability:  CVE-2005-3962:  "Integer overflow in the format string
functionality (Perl_sv_vcatpvfn) in Perl 5.9.2 and 5.8.6 Perl allows attackers
to overwrite arbitrary memory and possibly execute arbitrary code via format
string specifiers with large values, which causes an integer wrap, as
demonstrated using format string vulnerabilities in Perl applications."

RedHat has issued RHSA-2005:881 (RHEL 3) and RHSA-2005:880 (RHEL 4) and also
updates for FC3 and FC4 for this new issue.

This is also mentioned in the FL thread starting at:
<http://www.redhat.com/archives/fedora-legacy-list/2005-December/msg00010.html>
and ending with
<http://www.redhat.com/archives/fedora-legacy-list/2005-December/msg00065.html>.

RHL 9, FC1, FC2 are affected, but RH7.3 isn't by this new issue.

Do we
    (1)  Open a new bugzilla for this issue?
    (2)  Tackle this new issue here?

I lean towards opening a new bug....

Comment 45 David Eisenstein 2006-01-02 20:31:27 UTC
Created attachment 122692 [details]
Proposed text of Test Update Notification for this issue

Have built packages to be pushed to updates-testing.  They yet
need to be signed.

Enclosed is a proposed text for the Test Update Notification when
these packages are signed and pushed to updates-testing.  Please
let me know if you see any errors or omissions.  Thanks.   -David

Comment 46 Pekka Savola 2006-01-03 12:30:45 UTC
Looks good.

Comment 47 Marc Deslauriers 2006-01-10 01:20:05 UTC
Packages were pushed to updates-testing.

Comment 48 Pekka Savola 2006-01-10 07:23:02 UTC
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
 
QA for RHL73 and RHL9.  Very light QA only.  "Seems to work" and a couple of
perl-intensive scripts "appear to continue to work OK" :).   Signatures OK.
Someone can provide more intensive testing if they feel like it, but these updates
should have gone out already a year ago so I'm not too picky...
 
+VERIFY RHL73, RHL9
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)
 
iD8DBQFDw2GzGHbTkzxSL7QRAs4AAJ456gJq1r7kXfpvXKpm+HO6UYBtsgCfYAGH
FqpI8JXGDkFghtdpQuKL7/o=
=+7Vm
-----END PGP SIGNATURE-----


Comment 49 David Eisenstein 2006-01-24 17:05:20 UTC
Timeout over.

Comment 50 Marc Deslauriers 2006-01-24 23:29:20 UTC
Packages were released

Comment 51 David Eisenstein 2006-01-27 05:48:27 UTC
Am removing CAN-2005-0077 from the title of this bug ticket, as that issue was
not handled in this bug, and a new Bugzilla ticket has been opened for this
issue (Bug #178989).