Path to this page:
Subject: CVS commit: [pkgsrc-2011Q3] pkgsrc/devel/p5-PAR
From: Matthias Scheler
Date: 2011-12-07 09:33:11
Message id: 20111207083311.CA48C175DD@cvs.netbsd.org
Log Message:
Pullup ticket #3625 - requested by gls
devel/p5-PAR: security update
Revisions pulled up:
- devel/p5-PAR/Makefile 1.17
- devel/p5-PAR/distinfo 1.7
---
Module Name: pkgsrc
Committed By: gls
Date: Sun Dec 4 20:52:25 UTC 2011
Modified Files:
pkgsrc/devel/p5-PAR: Makefile distinfo
Log Message:
Update devel/p5-PAR to 1.005.
Includes a fix for CVE 2011-4114.
Upstream changes:
[Changes for 1.005 - Dec 2, 2011]
- run all tests using a nonce PAR_TMPDIR (otherwise CPAN Testers
goes crazy as top level /tmp/par-USER directories (or similar)
from previous tests may now be considered "unsafe")
[Changes for 1.004 - Nov 30, 2011]
- back out r1241: it causes errors in PAR::Packer's test suite
- change "unsafe directory" error message to match the wording
used by PAR::Packer
- remove "debian" sub directory: it isn't released to CPAN and
Debian will supply its own anyway
- remove some cruft from MANIFEST.SKIP
[Changes for 1.003 - Nov 28, 2011]
- RT #69560/CVE-2011-4114: PAR packed files are extracted to unsafe
and predictable temporary directories
(Note: this bug was originally reported against PAR::Packer, but
it applies to PAR as well)
- create parent of cache directory (i.e. /tmp/par-USER) with mode 0700
- if it already exists, make sure that (and bail out if not)
- it's not a symlink
- it's mode 0700
- it's owned by USER
- Fix a problem packing XML::LibXSLT on Windows (see the thread starting
with http://www.nntp.perl.org/group/perl.par/2011/02/msg4919.html)
- Die (with a hopefully useful message) if any error is encountered
during an Archive::Zip extract operation
Files: