Diffstat (limited to 'dev-perl/perltidy/files/perltidy-20130922.0.0-CVE-2014-2277.patch')
-rw-r--r--dev-perl/perltidy/files/perltidy-20130922.0.0-CVE-2014-2277.patch80
1 files changed, 80 insertions, 0 deletions
diff --git a/dev-perl/perltidy/files/perltidy-20130922.0.0-CVE-2014-2277.patch b/dev-perl/perltidy/files/perltidy-20130922.0.0-CVE-2014-2277.patch
new file mode 100644
index 000000000000..f52e3f6b7f1f
--- /dev/null
+++ b/dev-perl/perltidy/files/perltidy-20130922.0.0-CVE-2014-2277.patch
@@ -0,0 +1,80 @@
+Description: Replace insecure make_temporary_filename with File::Temp::tempfile
+Forwarded: http://lists.example.com/2010/03/1234.html
+Origin: vendor, http://bugs.debian.org/740670
+Author: Don Armstrong <don@debian.org>
+Last-Update: 2010-03-29
+--- a/lib/Perl/Tidy.pm
++++ b/lib/Perl/Tidy.pm
+@@ -76,6 +76,7 @@
+ use IO::File;
+ use File::Basename;
+ use File::Copy;
++use File::Temp qw(tempfile);
+
+ BEGIN {
+ ( $VERSION = q($Id: perltidy-20130922.0.0-CVE-2014-2277.patch,v 1.1 2014/03/11 18:40:27 civil Exp $) ) =~ s/^.*\s+(\d+)\/(\d+)\/(\d+).*$/$1$2$3/; # all one line for MakeMaker
+@@ -235,35 +236,6 @@
+ return undef;
+ }
+
+-sub make_temporary_filename {
+-
+- # Make a temporary filename.
+- # The POSIX tmpnam() function has been unreliable for non-unix systems
+- # (at least for the win32 systems that I've tested), so use a pre-defined
+- # name for them. A disadvantage of this is that two perltidy
+- # runs in the same working directory may conflict. However, the chance of
+- # that is small and manageable by the user, especially on systems for which
+- # the POSIX tmpnam function doesn't work.
+- my $name = "perltidy.TMP";
+- if ( $^O =~ /win32|dos/i || $^O eq 'VMS' || $^O eq 'MacOs' ) {
+- return $name;
+- }
+- eval "use POSIX qw(tmpnam)";
+- if ($@) { return $name }
+- use IO::File;
+-
+- # just make a couple of tries before giving up and using the default
+- for ( 0 .. 3 ) {
+- my $tmpname = tmpnam();
+- my $fh = IO::File->new( $tmpname, O_RDWR | O_CREAT | O_EXCL );
+- if ($fh) {
+- $fh->close();
+- return ($tmpname);
+- last;
+- }
+- }
+- return ($name);
+-}
+
+ # Here is a map of the flow of data from the input source to the output
+ # line sink:
+@@ -1324,11 +1296,7 @@
+ my ( $fh_stream, $fh_name ) =
+ Perl::Tidy::streamhandle( $stream, 'r' );
+ if ($fh_stream) {
+- my ( $fout, $tmpnam );
+-
+- # TODO: fix the tmpnam routine to return an open filehandle
+- $tmpnam = Perl::Tidy::make_temporary_filename();
+- $fout = IO::File->new( $tmpnam, 'w' );
++ my ( $fout, $tmpnam ) = tempfile();
+
+ if ($fout) {
+ $fname = $tmpnam;
+@@ -5159,14 +5127,7 @@
+ # Pod::Html requires a real temporary filename
+ # If we are making a frame, we have a name available
+ # Otherwise, we have to fine one
+- my $tmpfile;
+- if ( $rOpts->{'frames'} ) {
+- $tmpfile = $self->{_toc_filename};
+- }
+- else {
+- $tmpfile = Perl::Tidy::make_temporary_filename();
+- }
+- my $fh_tmp = IO::File->new( $tmpfile, 'w' );
++ my ($fh_tmp,$tmpfile) = tempfile();
+ unless ($fh_tmp) {
+ Perl::Tidy::Warn
+ "unable to open temporary file $tmpfile; cannot use pod2html\n";
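Review bot: In both rewritten call sites (`my ( $fout, $tmpnam ) = tempfile();` and `my ($fh_tmp,$tmpfile) = tempfile();`) the failure checks that follow, `if ($fout)` and `unless ($fh_tmp)`, can no longer fire, because File::Temp's `tempfile()` croaks on error instead of returning a false handle; a full or unwritable temp directory would then abort the run rather than reach the `Perl::Tidy::Warn` fallback. To keep the warn-and-continue behaviour, catch the exception, e.g. `my ( $fh_tmp, $tmpfile ) = eval { tempfile() };`, and have the warning report `$@`, since `$tmpfile` is undefined on that path. `tempfile()` is called without `UNLINK => 1`, so cleanup depends on code outside these hunks that is not visible here; confirm each caller still unlinks the file it is handed. The last hunk also drops the `frames` branch that reused `$self->{_toc_filename}`, which leaves the retained comment "If we are making a frame, we have a name available" stale and deserves a line in the patch Description if the change is intentional. Both enclosing blocks start and end outside the hunks.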