!109 [sync] PR-106: Fix CVE-2023-47039

From: @openeuler-sync-bot 
Reviewed-by: @openeuler-basic 
Signed-off-by: @openeuler-basic

backport-CVE-2023-31484.patch

@@ -0,0 +1,25 @@
+From 9c98370287f4e709924aee7c58ef21c85289a7f0 Mon Sep 17 00:00:00 2001
+From: Stig Palmquist <git@stig.io>
+Date: Tue, 28 Feb 2023 11:54:06 +0100
+Subject: [PATCH] Add verify_SSL=>1 to HTTP::Tiny to verify https server
+ identity
+
+---
+ cpan/CPAN/lib/CPAN/HTTP/Client.pm | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/cpan/CPAN/lib/CPAN/HTTP/Client.pm b/cpan/CPAN/lib/CPAN/HTTP/Client.pm
+index 4fc792c..a616fee 100644
+--- a/cpan/CPAN/lib/CPAN/HTTP/Client.pm
++++ b/cpan/CPAN/lib/CPAN/HTTP/Client.pm
+@@ -32,6 +32,7 @@ sub mirror {
+ 
+     my $want_proxy = $self->_want_proxy($uri);
+     my $http = HTTP::Tiny->new(
++        verify_SSL => 1,
+         $want_proxy ? (proxy => $self->{proxy}) : ()
+     );
+ 
+-- 
+2.33.0
+

backport-CVE-2023-31486.patch

@@ -0,0 +1,84 @@
+From 1490431e40e22052f75a0b3449f1f53cbd27ba92 Mon Sep 17 00:00:00 2001
+From: Dominic Hargreaves <dom@earth.li>
+Date: Thu, 21 May 2020 22:53:37 +0100
+Subject: [PATCH] Enable SSL by default in HTTP::Tiny
+
+HTTP::Tiny 0.082, a Perl core module since 5.13.9 and available standalone on CPAN,
+has an insecure default TLS configuration where users must opt in to verify certificates.
+
+Reference: https://salsa.debian.org/perl-team/interpreter/perl/-/commit/1490431e40e22052f75a0b3449f1f53cbd27ba92.patch
+Conflict:NA
+---
+ cpan/HTTP-Tiny/lib/HTTP/Tiny.pm | 20 +++++++++-----------
+ 1 file changed, 9 insertions(+), 11 deletions(-)
+
+diff --git a/cpan/HTTP-Tiny/lib/HTTP/Tiny.pm b/cpan/HTTP-Tiny/lib/HTTP/Tiny.pm
+index 5803e4599f01..5970b6e225f3 100644
+--- a/cpan/HTTP-Tiny/lib/HTTP/Tiny.pm
++++ b/cpan/HTTP-Tiny/lib/HTTP/Tiny.pm
+@@ -40,7 +40,7 @@ sub _croak { require Carp; Carp::croak(@_) }
+ #pod * C<timeout> — Request timeout in seconds (default is 60) If a socket open,
+ #pod   read or write takes longer than the timeout, an exception is thrown.
+ #pod * C<verify_SSL> — A boolean that indicates whether to validate the SSL
+-#pod   certificate of an C<https> — connection (default is false)
++#pod   certificate of an C<https> — connection (default is true)
+ #pod * C<SSL_options> — A hashref of C<SSL_*> — options to pass through to
+ #pod   L<IO::Socket::SSL>
+ #pod
+@@ -112,7 +112,7 @@ sub new {
+         max_redirect => 5,
+         timeout      => defined $args{timeout} ? $args{timeout} : 60,
+         keep_alive   => 1,
+-        verify_SSL   => $args{verify_SSL} || $args{verify_ssl} || 0, # no verification by default
++        verify_SSL   => $args{verify_SSL} // $args{verify_ssl} // 1, # verification by default
+         no_proxy     => $ENV{no_proxy},
+     };
+ 
+@@ -1038,7 +1038,7 @@ sub new {
+         timeout          => 60,
+         max_line_size    => 16384,
+         max_header_lines => 64,
+-        verify_SSL       => 0,
++        verify_SSL       => 1,
+         SSL_options      => {},
+         %args
+     }, $class;
+@@ -1765,7 +1765,7 @@ C<timeout> — Request timeout in seconds (default is 60) If a socket open, read
+ 
+ =item *
+ 
+-C<verify_SSL> — A boolean that indicates whether to validate the SSL certificate of an C<https> — connection (default is false)
++C<verify_SSL> — A boolean that indicates whether to validate the SSL certificate of an C<https> — connection (default is true)
+ 
+ =item *
+ 
+@@ -2035,7 +2035,7 @@ Verification of server identity
+ 
+ =back
+ 
+-B<By default, HTTP::Tiny does not verify server identity>.
++B<By default, HTTP::Tiny verifies server identity>.
+ 
+ Server identity verification is controversial and potentially tricky because it
+ depends on a (usually paid) third-party Certificate Authority (CA) trust model
+@@ -2043,16 +2043,14 @@ to validate a certificate as legitimate.  This discriminates against servers
+ with self-signed certificates or certificates signed by free, community-driven
+ CA's such as L<CAcert.org|http://cacert.org>.
+ 
+-By default, HTTP::Tiny does not make any assumptions about your trust model,
+-threat level or risk tolerance.  It just aims to give you an encrypted channel
+-when you need one.
+-
+ Setting the C<verify_SSL> attribute to a true value will make HTTP::Tiny verify
+ that an SSL connection has a valid SSL certificate corresponding to the host
+ name of the connection and that the SSL certificate has been verified by a CA.
+ Assuming you trust the CA, this will protect against a L<man-in-the-middle
+-attack|http://en.wikipedia.org/wiki/Man-in-the-middle_attack>.  If you are
+-concerned about security, you should enable this option.
++attack|http://en.wikipedia.org/wiki/Man-in-the-middle_attack>.
++
++If you are not concerned about security, and this default causes
++problems, you should disable this option.
+ 
+ Certificate verification requires a file containing trusted CA certificates.
+ 

backport-CVE-2023-47039.patch

@@ -0,0 +1,196 @@
+From 906e92715f4ee68ea95086867f4f97b1f4f10ac3 Mon Sep 17 00:00:00 2001
+From: Tony Cook <tony@develop-help.com>
+Date: Tue, 3 Oct 2023 09:40:07 +1100
+Subject: [PATCH] win32: default the shell to cmd.exe in the Windows system
+ directory
+ 
+This prevents picking up cmd.exe from the current directory, or
+even from the PATH.
+ 
+This protects against a privilege escalation attack where an attacker
+in a separate session creates a cmd.exe in a directory where the
+target account happens to have its current directory.
+ 
+---
+ t/win32/system.t | 30 ++++++++++++---------
+ win32/win32.c    | 70 +++++++++++++++++++++++++++++++++++++++++-------
+ 2 files changed, 78 insertions(+), 22 deletions(-)
+
+diff --git a/t/win32/system.t b/t/win32/system.t
+index 939a02d..c885059 100644
+--- a/t/win32/system.t
++++ b/t/win32/system.t
+@@ -82,6 +82,7 @@ close $F;
+ chdir($testdir);
+ END {
+     chdir($cwd) && rmtree("$cwd/$testdir") if -d "$cwd/$testdir";
++    unlink "cmd.exe";
+ }
+ if (open(my $EIN, "$cwd/win32/${exename}_exe.uu")) {
+     note "Unpacking $exename.exe";
+@@ -104,21 +105,20 @@ else {
+      }
+     note "Compiling $exename.c";
+     note "$Config{cc} $Config{ccflags} $exename.c";
+-    if (system("$Config{cc} $Config{ccflags} $minus_o $exename.c >log 2>&1") != 0) {
++    if (system("$Config{cc} $Config{ccflags} $minus_o $exename.c >log 2>&1") != 0 ||
++        !-f "$exename.exe") {
+ 	note "Could not compile $exename.c, status $?";
+-    note "Where is your C compiler?";
+-    skip_all "can't build test executable";
+-    }
+-    unless (-f "$exename.exe") {
+-	if (open(LOG,'<log'))
+-         {
+-          while(<LOG>) {
+-              note $_;
+-          } 
+-         }
++        note "Where is your C compiler?";
++        if (open(LOG,'<log'))
++        {
++            while(<LOG>) {
++                note $_;
++            }
++        }
+         else {
+-	  warn "Cannot open log (in $testdir):$!";
++            warn "Cannot open log (in $testdir):$!";
+         }
++        skip_all "can't build test executable";
+     }
+ }
+ copy("$plxname.bat","$plxname.cmd");
+@@ -128,6 +128,12 @@ unless (-x "$testdir/$exename.exe") {
+     skip_all "can't build test executable";
+ }
+ 
++# test we only look for cmd.exe in the standard place
++delete $ENV{PERLSHELL};
++copy("$testdir/$exename.exe", "$testdir/cmd.exe") or die $!;
++copy("$testdir/$exename.exe", "cmd.exe") or die $!;
++$ENV{PATH} = qq("$testdir";$ENV{PATH});
++
+ open my $T, "$^X -I../lib -w win32/system_tests |"
+     or die "Can't spawn win32/system_tests: $!";
+ my $expect;
+diff --git a/win32/win32.c b/win32/win32.c
+index c7656c6..dee8831 100644
+--- a/win32/win32.c
++++ b/win32/win32.c
+@@ -127,7 +127,7 @@ static char*	win32_get_xlib(const char *pl,
+ 
+ static BOOL	has_shell_metachars(const char *ptr);
+ static long	tokenize(const char *str, char **dest, char ***destv);
+-static void	get_shell(void);
++static int	get_shell(void);
+ static char*	find_next_space(const char *s);
+ static int	do_spawn2(pTHX_ const char *cmd, int exectype);
+ static int	do_spawn2_handles(pTHX_ const char *cmd, int exectype,
+@@ -591,7 +591,13 @@ tokenize(const char *str, char **dest, char ***destv)
+     return items;
+ }
+ 
+-static void
++static const char
++cmd_opts[] = "/x/d/c";
++
++static const char
++shell_cmd[] = "cmd.exe";
++
++static int
+ get_shell(void)
+ {
+     dTHX;
+@@ -603,12 +609,53 @@ get_shell(void)
+ 	 *     interactive use (which is what most programs look in COMSPEC
+ 	 *     for).
+ 	 */
+-	const char* defaultshell = "cmd.exe /x/d/c";
+-	const char *usershell = PerlEnv_getenv("PERL5SHELL");
+-	w32_perlshell_items = tokenize(usershell ? usershell : defaultshell,
+-				       &w32_perlshell_tokens,
+-				       &w32_perlshell_vec);
++        const char *shell = PerlEnv_getenv("PERL5SHELL");
++        if (shell) {
++            w32_perlshell_items = tokenize(shell,
++                                           &w32_perlshell_tokens,
++                                           &w32_perlshell_vec);
++        }
++        else {
++            /* tokenize does some Unix-ish like things like
++               \\ escaping that don't work well here
++            */
++            char shellbuf[MAX_PATH];
++            UINT len = GetSystemDirectoryA(shellbuf, sizeof(shellbuf));
++            if (len == 0) {
++                translate_to_errno();
++                return -1;
++            }
++            else if (len >= MAX_PATH) {
++                /* buffer too small */
++                errno = E2BIG;
++                return -1;
++            }
++            if (shellbuf[len-1] != '\\') {
++                my_strlcat(shellbuf, "\\", sizeof(shellbuf));
++                ++len;
++            }
++            if (len + sizeof(shell_cmd) > sizeof(shellbuf)) {
++                errno = E2BIG;
++                return -1;
++            }
++            my_strlcat(shellbuf, shell_cmd, sizeof(shellbuf));
++            len += sizeof(shell_cmd)-1;
++
++            Newx(w32_perlshell_vec, 3, char *);
++            Newx(w32_perlshell_tokens, len + 1 + sizeof(cmd_opts), char);
++
++            my_strlcpy(w32_perlshell_tokens, shellbuf, len+1);
++            my_strlcpy(w32_perlshell_tokens + len +1, cmd_opts,
++                       sizeof(cmd_opts));
++
++            w32_perlshell_vec[0] = w32_perlshell_tokens;
++            w32_perlshell_vec[1] = w32_perlshell_tokens + len + 1;
++            w32_perlshell_vec[2] = NULL;
++
++            w32_perlshell_items = 2;
++        }
+     }
++    return 0;
+ }
+ 
+ int
+@@ -626,7 +673,8 @@ Perl_do_aspawn(pTHX_ SV *really, SV **mark, SV **sp)
+     if (sp <= mark)
+ 	return -1;
+ 
+-    get_shell();
++    if (get_shell() < 0)
++        return -1;
+     Newx(argv, (sp - mark) + w32_perlshell_items + 2, char*);
+ 
+     if (SvNIOKp(*(mark+1)) && !SvPOKp(*(mark+1))) {
+@@ -756,7 +804,8 @@ do_spawn2_handles(pTHX_ const char *cmd, int exectype, const int *handles)
+     if (needToTry) {
+ 	char **argv;
+ 	int i = -1;
+-	get_shell();
++    if (get_shell() < 0)
++        return -1;
+ 	Newx(argv, w32_perlshell_items + 2, char*);
+ 	while (++i < w32_perlshell_items)
+ 	    argv[i] = w32_perlshell_vec[i];
+@@ -2960,7 +3009,8 @@ win32_pipe(int *pfd, unsigned int size, int mode)
+ DllExport PerlIO*
+ win32_popenlist(const char *mode, IV narg, SV **args)
+ {
+-    get_shell();
++    if (get_shell() < 0)
++        return NULL;
+ 
+     return do_popen(mode, NULL, narg, args);
+ }
+-- 
+2.33.0
+

perl.spec

@@ -18,7 +18,7 @@ Name:           perl
 License:        (GPL+ or Artistic) and (GPLv2+ or Artistic) and MIT and UCD and Public Domain and BSD
 Epoch:          4
 Version:        5.28.3
-Release:        6
+Release:        10
 Summary:        A highly capable, feature-rich programming language
 Url:            https://www.perl.org/
 Source0:        https://www.cpan.org/src/5.0/%{name}-%{version}.tar.xz
@@ -55,11 +55,14 @@ Patch25:        perl-132683-don-t-try-to-convert-PL_sv_placeholder-i.patch
 # In 2020, a year of 70 starts to mean 2070. So cpan/Time-Local/t/Local.t test
 Patch27:        Fix-time-local-tests-in-2020.patch
 Patch28:        backport-perl-5.22.0-Install-libperl.so-to-shrpdir-on-Linux.patch
+Patch29:        backport-CVE-2023-31484.patch
+Patch30:        backport-CVE-2023-47039.patch
 
 
 %ifarch aarch64_ilp32
-Patch29:      backport-aarch64-ilp32-support.patch
+Patch30:      backport-aarch64-ilp32-support.patch
 %endif
+patch31:      backport-CVE-2023-31486.patch
 
 BuildRequires:  gcc bash findutils coreutils make tar procps bzip2-devel gdbm-devel
 BuildRequires:  zlib-devel systemtap-sdt-devel perl-interpreter perl-generators gdb
@@ -211,7 +214,6 @@ ln -s ../../../bin/xsubpp %{buildroot}%{perl_datadir}/ExtUtils/
 
 rm %{buildroot}%{perl_libdir}/.packlist
 
-# bug #973713
 rm %{buildroot}/%{perl_libdir}/File/Spec/VMS.pm
 rm %{buildroot}%{_mandir}/man3/File::Spec::VMS.3*
 
@@ -514,7 +516,22 @@ make test_harness
 %{_mandir}/man3/*
 
 %changelog
-* Thu Mar 30 2021 shenyangyang<shenyangyang4@huawei.com> - 4:5.28.3-6
+* Fri Dec 8 2023 hongjinghao <hongjinghao@huawei.com> - 4:5.28.3-10
+- fix CVE-2023-47039
+
+* Mon Jun 26 2023 yangmingtai <yangmingtai@huawei.com> - 4:5.28.3-9
+- fix CVE-2023-31486
+
+* Tue May 16 2023 dongyuzhen <dongyuzhen@h-partners.com> -  4:5.28.3-8
+- fix CVE-2023-31484
+
+* Thu Aug 5 2021 yuanxin<yuanxin24@huawei.com> - 4:5.28.3-7
+- Type:bugfix
+- ID:NA
+- SUG:NA
+- DESC:remove other release-related information
+
+* Tue Mar 30 2021 shenyangyang<shenyangyang4@huawei.com> - 4:5.28.3-6
 - Type:bugfix
 - ID:NA
 - SUG:NA
@@ -581,7 +598,7 @@ make test_harness
 - SUG:NA
 - DESC:add macros that used for perl
 
-* Fri Jan 2 2020 openEuler Buildteam <buildteam@openeuler.org> - 4:5.28.0-430
+* Thu Jan 2 2020 openEuler Buildteam <buildteam@openeuler.org> - 4:5.28.0-430
 - Type:NA
 - ID:NA
 - SUG:NA