* [gentoo-commits] repo/gentoo:master commit in: perl-core/File-Temp/files/, perl-core/File-Temp/
@ 2024-04-30 4:51 Sam James
From: Sam James @ 2024-04-30 4:51 UTC
To: gentoo-commits
commit: 94ef94a19bf6264278a7e0d08014a0cf2ce6184b
Author: Sam James <sam <AT> gentoo <DOT> org>
AuthorDate: Tue Apr 30 04:49:23 2024 +0000
Commit: Sam James <sam <AT> gentoo <DOT> org>
CommitDate: Tue Apr 30 04:51:19 2024 +0000
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=94ef94a1
perl-core/File-Temp: fix _PC_CHOWN_RESTRICTED
The wrong function was being used (POSIX::sysconf) to determine the value
of _PC_CHOWN_RESTRICTED, neutering the security feature.
Migrate to POSIX::pathconf, as is now recommended by the Perl documentation
(https://github.com/Perl/perl5/pull/22161).
This patch hasn't yet been merged upstream into File-Temp, but the documentation
change rectifying the error in Perl itself has been merged, so I'm confident
it's the right thing to do.
Closes: https://bugs.gentoo.org/930949
Signed-off-by: Sam James <sam <AT> gentoo.org>
perl-core/File-Temp/File-Temp-0.231.100-r1.ebuild | 21 +++++++
...p-0.231.100-pathconf-_PC_CHOWN_RESTRICTED.patch | 68 ++++++++++++++++++++++
2 files changed, 89 insertions(+)
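The commit message's point is that `_PC_*` names are only meaningful to pathconf() and that passing one to sysconf() silently asks a different question. The following is an added example, not code from the Gentoo commit or from File::Temp: it mirrors the fixed `_is_verysafe` decision in C against the raw POSIX API, treats a failed or zero pathconf() answer as "do the full per-directory check", and shows what the old sysconf() call was really returning. It assumes a POSIX system where `_PC_CHOWN_RESTRICTED` and `_SC_TZNAME_MAX` are defined (glibc and musl both define them).

```c
#include <errno.h>
#include <stdio.h>
#include <unistd.h>

/* Outcome of asking the filesystem whether chown() giveaway is restricted. */
enum chown_check { CHOWN_GIVEAWAY = 0, CHOWN_RESTRICTED = 1, CHOWN_UNKNOWN = -1 };

/* The corrected query: pathconf() on the directory being checked. */
enum chown_check chown_restricted(const char *dir)
{
    errno = 0;
    long v = pathconf(dir, _PC_CHOWN_RESTRICTED);
    if (v == -1) {
        /* errno == 0: indeterminate for this filesystem; errno set: the
           query failed (e.g. ENOENT). In both cases we do not know. */
        return CHOWN_UNKNOWN;
    }
    return v > 0 ? CHOWN_RESTRICTED : CHOWN_GIVEAWAY;
}

/* Mirrors _is_verysafe after the fix: only a positive pathconf() answer
   allows skipping the walk; unknown or 0 means check every directory. */
int needs_full_path_walk(const char *dir)
{
    return chown_restricted(dir) != CHOWN_RESTRICTED;
}

/* The bug for contrast: the same integer handed to sysconf() is read as an
   _SC_* name, so the answer has nothing to do with chown at all. */
long old_code_query(void)
{
    return sysconf((int)_PC_CHOWN_RESTRICTED);
}

/* 1 when the two constants share a value (6 on x86_64 glibc, per the commit). */
int pc_sc_names_collide(void)
{
    return (int)_PC_CHOWN_RESTRICTED == (int)_SC_TZNAME_MAX;
}

int main(void)
{
    const char *dir = "/tmp";
    printf("_PC_CHOWN_RESTRICTED=%d _SC_TZNAME_MAX=%d collide=%d\n",
           (int)_PC_CHOWN_RESTRICTED, (int)_SC_TZNAME_MAX, pc_sc_names_collide());
    printf("pathconf(%s) -> %d, full walk needed: %d\n", dir,
           (int)chown_restricted(dir), needs_full_path_walk(dir));
    printf("old sysconf() call returned %ld (not a chown answer)\n", old_code_query());
    return 0;
}
```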
diff --git a/perl-core/File-Temp/File-Temp-0.231.100-r1.ebuild b/perl-core/File-Temp/File-Temp-0.231.100-r1.ebuild
new file mode 100644
index 000000000000..627209aa0edb
--- /dev/null
+++ b/perl-core/File-Temp/File-Temp-0.231.100-r1.ebuild
@@ -0,0 +1,21 @@
+# Copyright 1999-2024 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=7
+
+DIST_AUTHOR=ETHER
+DIST_VERSION=0.2311
+inherit perl-module
+
+DESCRIPTION="File::Temp can be used to create and open temporary files in a safe way"
+
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~amd64-linux ~x86-linux ~arm64-macos ~ppc-macos ~x64-macos ~x64-solaris"
+IUSE=""
+
+PATCHES=(
+ # bug #390719
+ "${FILESDIR}/${PN}-0.230.0-symlink-safety.patch"
+ # bug #930949
+ "${FILESDIR}/${PN}-0.231.100-pathconf-_PC_CHOWN_RESTRICTED.patch"
+)
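Review bot: `IUSE=""` in the new -r1 ebuild is redundant (IUSE defaults to empty) and can be dropped. The revbump itself is warranted, since the patch changes the behaviour of the installed module's `_is_verysafe` check. Note that `${PN}-0.230.0-symlink-safety.patch` is referenced from the PATCHES array but is not part of this commit, so it is carried over from the previous revision; worth confirming it still applies cleanly ahead of the new pathconf patch.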
diff --git a/perl-core/File-Temp/files/File-Temp-0.231.100-pathconf-_PC_CHOWN_RESTRICTED.patch b/perl-core/File-Temp/files/File-Temp-0.231.100-pathconf-_PC_CHOWN_RESTRICTED.patch
new file mode 100644
index 000000000000..f8e56f8ae1c5
--- /dev/null
+++ b/perl-core/File-Temp/files/File-Temp-0.231.100-pathconf-_PC_CHOWN_RESTRICTED.patch
@@ -0,0 +1,68 @@
+https://bugs.gentoo.org/930949
+https://github.com/Perl-Toolchain-Gang/File-Temp/issues/36
+https://github.com/Perl-Toolchain-Gang/File-Temp/pull/41
+https://github.com/Perl/perl5/pull/22156
+https://github.com/Perl/perl5/pull/22161
+
+From 2de518ab67bf3c5be2525ea0a5d78f39de50074f Mon Sep 17 00:00:00 2001
+From: Lukas Mai <lukasmai.403@gmail.com>
+Date: Thu, 18 Apr 2024 20:12:06 +0200
+Subject: [PATCH] use pathconf() to get _PC_CHOWN_RESTRICTED flag
+
+The _PC_* constants are only meaningful in pathconf(); conversely,
+sysconf() only understands _SC_* constants.
+
+Previously, this code didn't do anything meaningful. For example, on x64
+Linux _PC_CHOWN_RESTRICTED is 6, which sysconf() would have interpreted
+as _SC_TZNAME_MAX (also 6).
+---
+ lib/File/Temp.pm | 16 +++++++---------
+ 2 files changed, 8 insertions(+), 10 deletions(-)
+
+diff --git a/lib/File/Temp.pm b/lib/File/Temp.pm
+index ef34f6c..563efeb 100644
+--- a/lib/File/Temp.pm
++++ b/lib/File/Temp.pm
+@@ -718,7 +718,7 @@ sub _is_safe {
+
+ # Internal routine to check whether a directory is safe
+ # for temp files. Safer than _is_safe since it checks for
+-# the possibility of chown giveaway and if that is a possibility
++# the possibility of chown giveaway and if that is a possibility,
+ # checks each directory in the path to see if it is safe (with _is_safe)
+
+ # If _PC_CHOWN_RESTRICTED is not set, does the full test of each
+@@ -737,18 +737,16 @@ sub _is_verysafe {
+
+ my $err_ref = shift;
+
+- # Should Get the value of _PC_CHOWN_RESTRICTED if it is defined
+- # and If it is not there do the extensive test
++ # Should get the value of _PC_CHOWN_RESTRICTED if it is defined
++ # and if it is not there, do the extensive test
+ local($@);
+- my $chown_restricted;
+- $chown_restricted = &POSIX::_PC_CHOWN_RESTRICTED()
+- if eval { &POSIX::_PC_CHOWN_RESTRICTED(); 1};
++ my $chown_restricted = eval { POSIX::_PC_CHOWN_RESTRICTED() };
+
+- # If chown_resticted is set to some value we should test it
++ # If chown_restricted is set to some value, we should test it
+ if (defined $chown_restricted) {
+
+ # Return if the current directory is safe
+- return _is_safe($path,$err_ref) if POSIX::sysconf( $chown_restricted );
++ return _is_safe($path, $err_ref) if POSIX::pathconf( $path, $chown_restricted );
+
+ }
+
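Review bot: the new guard `return _is_safe($path, $err_ref) if POSIX::pathconf( $path, $chown_restricted );` is correct but its fail-closed behaviour deserves a comment: POSIX::pathconf returns undef when the query fails (unsupported name, nonexistent `$path`) and 0 when giveaway is possible, and both fall through to the full per-directory walk, so only a positive answer skips it. Likewise `eval { POSIX::_PC_CHOWN_RESTRICTED() }` yields undef on platforms where POSIX.pm does not define the constant, again taking the extensive path. A line such as `# undef (query failed) or 0 (giveaway possible) both fall through to the full check` next to the `if (defined $chown_restricted)` branch would make that intent explicit.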
+@@ -2367,7 +2365,7 @@ for sticky bit.
+
+ In addition to the MEDIUM security checks, also check for the
+ possibility of ``chown() giveaway'' using the L<POSIX|POSIX>
+-sysconf() function. If this is a possibility, each directory in the
++pathconf() function. If this is a possibility, each directory in the
+ path is checked in turn for safeness, recursively walking back to the
+ root directory.
+
+
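Review bot: the embedded diffstat says `2 files changed, 8 insertions(+), 10 deletions(-)` but lists only `lib/File/Temp.pm | 16 +++++++---------` (7 insertions, 9 deletions), so the backport was trimmed from the upstream commit; regenerating the stat or adding a line to the patch header saying which file was dropped would keep the provenance exact. The documentation hunk replacing `sysconf()` with `pathconf()` in the HIGH safe_level description is consistent with the code change.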