Bug 1241818 - Please update to >= 1.64 to let bugzilla 5.0 run.
Summary: Please update to >= 1.64 to let bugzilla 5.0 run.
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: perl-DateTime-TimeZone
Version: 7.1
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: Petr Pisar
QA Contact: Martin Kyral
Lenka Špačková
URL:
Whiteboard:
Depends On:
Blocks: 1465904 1466370 1473612
Reported: 2015-07-10 07:39 UTC by Frank Büttner
Modified: 2018-04-10 08:38 UTC
CC List: 4 users

Fixed In Version: perl-DateTime-TimeZone-1.70-1.el7
Doc Type: Release Note
Doc Text:
_perl-DateTime-TimeZone_ rebased to version 1.70

The _perl-DateTime-TimeZone_ package has been upgraded to upstream version 1.70, which provides a number of bug fixes and enhancements over the previous version. Notably:

* With this update, it is possible to install Bugzilla version 5, which requires a more recent version of _perl-DateTime-TimeZone_ than the system provided previously.
* The Olson time zone database has been updated to version 2017b. Previously, applications written in the *Perl* language that use the *DateTime::TimeZone* module mishandled time zones that changed their specifications since version 2013h due to the outdated database.
* Using a local time zone from a tainted time zone identifier has been fixed.
Clone Of:
Environment:
Last Closed: 2018-04-10 08:38:24 UTC
Target Upstream Version:


Attachments
Source repository patch rebasing to 1.64 (2.44 KB, patch)
2017-07-11 09:05 UTC, Petr Pisar


Links
System | ID | Private | Priority | Status | Summary | Last Updated
CPAN | 92631 | 0 | None | None | None | Never
Red Hat Bugzilla | 1101251 | 0 | unspecified | CLOSED | Upgrade perl-DateTime-TimeZone to deliver time zone updates | 2023-01-03 14:08:46 UTC
Red Hat Product Errata | RHBA-2018:0664 | 0 | None | None | None | 2018-04-10 08:38:51 UTC

Internal Links: 1101251

Description Frank Büttner 2015-07-10 07:39:04 UTC
Description of problem:
The new bugzilla generation 5 needs version 1.64 of it, but only 1.63 is available.

Version-Release number of selected component (if applicable):
perl-DateTime-TimeZone-1.63-2.el7.noarch

See https://www.bugzilla.org/releases/5.0/release-notes.html#v50_feat for more.

Comment 1 Petr Pisar 2015-07-10 07:42:03 UTC
Please contact Red Hat support to properly evaluate your feature request.

Comment 3 Petr Pisar 2015-07-10 08:33:51 UTC
The 1.64 source archive was moved to Backpan <http://backpan.perl.org/authors/id/D/DR/DROLSKY/DateTime-TimeZone-1.64.tar.gz>.

Changes between 1.63 and 1.64:

* Version bump.

* lib/DateTime/TimeZone/Local/Unix.pm and lib/DateTime/TimeZone/OlsonDB.pm use more secure 3-argument open() instead of the 2-argument variant.

* Year updated in copyright declarations.

* lib/DateTime/TimeZone.pm checks the class name which implements the requested time zone more strictly and thus untaints a tainted time zone name properly. This is the only bug fix quoted in the changelog. It's a one-line change.

* New build-time dependencies for running tests: Test::Fatal, Test::Requires, Test::Taint. Test::Taint and Test::Fatal are optional.

* New t/22taint-mode.t test.

* Upstream changelog is:

+1.64    2014-02-07
+
+- Under taint mode, DateTime::TimeZone->new( name => 'local' ) could die
+  depending on the method used to find the local time zone name. The resulting
+  variable would often be tainted. We now untaint all names before attempting
+  to load them. Reported by Stevie-O. RT #92631.
+


1.64 can be built in RHEL-7.2. All tests pass.

Reproducer for the only significant change is:

$ perl -T -e 'use DateTime::TimeZone; DateTime::TimeZone->new(name => $ARGV[0])' 'America/Chicago'
Insecure dependency in eval while running with -T switch at /usr/share/perl5/vendor_perl/DateTime/TimeZone.pm line 79.

The significant change is:

--- DateTime-TimeZone-1.63/lib/DateTime/TimeZone.pm     2013-10-28 15:50:52.000000000 +0100
+++ DateTime-TimeZone-1.64/lib/DateTime/TimeZone.pm     2014-02-07 22:58:21.000000000 +0100
@@ -73,6 +67,8 @@
         unless $real_class =~ /^\w+(::\w+)*$/;
 
     unless ( $real_class->can('instance') ) {
+        ($real_class) = $real_class =~ m{\A([a-zA-Z0-9_]+(?:::[a-zA-Z0-9_]+)*)\z};
+
         my $e = do {
             local $@;
             local $SIG{__DIE__};
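Review bot: the added capture `($real_class) = $real_class =~ m{\A([a-zA-Z0-9_]+(?:::[a-zA-Z0-9_]+)*)\z};` leaves `$real_class` undefined when the pattern does not match, because a failed list assignment from a match yields an empty list, and the existing guard three lines up (`unless $real_class =~ /^\w+(::\w+)*$/;`) is looser than the new pattern: `\w` admits non-ASCII word characters and `$` tolerates a trailing newline, whereas the capture is ASCII-only and anchored with `\z`. A name that passes the guard but fails the capture would therefore reach the `my $e = do { ... }` block as undef. Suggest dying (or routing to the existing error path) when the capture fails, or replacing the guard with a single capturing match so that validation and untainting use one pattern. Minor: the trailing `@@ -564,7 +560,7 @@` header has no hunk body in the quoted excerpt.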
@@ -564,7 +560,7 @@


We can either rebase the package to 1.64 or back-port the fix. Back-porting of course does not change the version number from 1.63 to 1.64.
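The taint-mode behaviour that the reproducer and the one-line diff in comment 3 turn on, as an added example: this is my own illustration, not code from the bug report and not DateTime::TimeZone's implementation. It assumes a zone name passed on the command line and derives a package-like class name from it in a simplified way; the two regular expressions are the ones quoted in the diff above.

```perl
#!/usr/bin/perl -T
# Added example: not from the bug report and not DateTime::TimeZone's own code.
# Shows the taint-mode behaviour behind the 1.64 fix: a plain regex match
# validates a string but leaves it tainted, while assigning from a capture
# group yields an untainted copy. The class-name construction is a simplified
# stand-in for what the module does, not the module's implementation.
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Anything read from @ARGV is tainted when perl runs with -T.
my $name = shift @ARGV;
die "usage: perl -T $0 <zone-name>   (e.g. America/Chicago)\n"
    unless defined $name;

# Derive a package-like identifier from the zone name, as the module does
# (America/Chicago -> DateTime::TimeZone::America::Chicago).
( my $real_class = "DateTime::TimeZone::$name" ) =~ s{/}{::}g;

# Pre-1.64 behaviour: the guard rejects bad names, but a successful match
# without a capture does not untaint the value. Note also that `$` accepts a
# trailing newline and `\w` accepts non-ASCII word characters.
die "rejected: '$real_class' is not a valid class name\n"
    unless $real_class =~ /^\w+(::\w+)*$/;
printf "validated by plain match, still tainted: %s\n",
    tainted($real_class) ? 'yes' : 'no';

# 1.64-style untainting: a list assignment from a capture group copies only
# the characters the allowlist matched, and the copy is clean. If the capture
# fails we stop, rather than carrying on with an undefined class name.
my ($clean_class) = $real_class =~ m{\A([a-zA-Z0-9_]+(?:::[a-zA-Z0-9_]+)*)\z}
    or die "refusing to untaint '$real_class'\n";
printf "copied through a capture, tainted: %s\n",
    tainted($clean_class) ? 'yes' : 'no';

# Only the untainted copy is safe to hand to operations that -T guards,
# such as the string eval / require that died in the reproducer above.
( my $file = $clean_class ) =~ s{::}{/}g;
print "safe to require $file.pm\n";
```

Run it as `perl -T untaint_demo.pl 'America/Chicago'`: the first line reports the value as still tainted after the plain match, the second as untainted after the capture. A name such as `'Not a zone!'` is rejected at the guard before either step, and the `or die` on the capture is the check the original hunk lacks, so a name that slips past the looser `\w`/`$` guard never continues as undef.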

Comment 4 Frank Büttner 2016-02-13 16:54:50 UTC
The external bug is fixed.

Comment 5 Petr Pisar 2016-10-06 06:32:55 UTC
The rebase is safe.

Comment 6 Petr Pisar 2017-07-11 09:05:34 UTC
Created attachment 1296138 [details]
Source repository patch rebasing to 1.64

Comment 12 errata-xmlrpc 2018-04-10 08:38:24 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:0664

