ext/threads-shared/t/stress.t | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 raise the timeout of ext/threads/shared/t/stress.t to accommodate slower build hosts
Bug-Debian: http://bugs.debian.org/501970

lib/CPAN/HandleConfig.pm | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 set location of cpan::config to /etc/perl as /usr may not be writable.

lib/CPAN/FirstTime.pm | 4 2 + 2 - 0 !
1 file changed, 2 insertions(+), 2 deletions(-)

 provide a sensible installdirs default for modules installed from cpan.

Some modules which are included in core set INSTALLDIRS => 'perl'
explicitly in Makefile.PL or Build.PL.  This makes sense for the normal @INC
ordering, but not ours.

ext/DB_File/version.c | 2 2 + 0 - 0 !
1 file changed, 2 insertions(+)

 remove overly restrictive db_file version check.
Bug-Debian: http://bugs.debian.org/340047

Package dependencies ensure the correct library is linked at run-time.

pod/perl.pod | 30 7 + 23 - 0 !
1 file changed, 7 insertions(+), 23 deletions(-)

 replace generic man(1) instructions with debian-specific information.

Indicate that the user needs to install the perl-doc package.

ext/Encode/bin/enc2xs | 8 4 + 4 - 0 !
1 file changed, 4 insertions(+), 4 deletions(-)

 tweak enc2xs to follow symlinks and ignore missing @inc directories.
Bug-Debian: http://bugs.debian.org/290336

- ignore missing directories,
- follow symlinks (/usr/share/perl/5.8 -> 5.8.4).

ext/Errno/Errno_pm.PL | 5 0 + 5 - 0 !
1 file changed, 5 deletions(-)

 remove errno version check due to upgrade problems with long-running processes.
Bug-Debian: http://bugs.debian.org/343351

Remove version check which can cause problems for long running
processes embedding perl when upgrading to a newer version,

lib/ExtUtils/Embed.pm | 3 3 + 0 - 0 !
lib/ExtUtils/Install.pm | 18 9 + 9 - 0 !
lib/ExtUtils/MM_Any.pm | 12 6 + 6 - 0 !
lib/ExtUtils/MM_Unix.pm | 44 10 + 34 - 0 !
lib/ExtUtils/t/INST.t | 4 1 + 3 - 0 !
lib/ExtUtils/t/INST_PREFIX.t | 10 5 + 5 - 0 !
6 files changed, 34 insertions(+), 57 deletions(-)

 various debian-specific extutils changes

 * Respect umask during installation, and set as appropriate for each of
   perl, vendor and site (policy requires group writable site dirs).

 * Don't install .packlist or perllocal.pod for perl or vendor.
 * Fiddle with *PREFIX and variables written to the makefile so that
   install directories may be changed when make is run by passing
   PREFIX= to the "make install" command (used when packaging
   modules).

 * Set location of libperl.a to /usr/lib.
 * Note that libperl-dev package is required for embedded linking.
 * Change install target dependencies to facilitate parallel makes.

Makefile.SH | 9 2 + 7 - 0 !
1 file changed, 2 insertions(+), 7 deletions(-)

 postpone ld_library_path evaluation to the binary targets.

Modify the setting of LD_LIBRARY_PATH to append pre-existing values at the
time the rule is evaluated rather than when the Makefile is created.

This is required when building packages with dpkg-buildpackage and fakeroot,
since fakeroot (which now sets LD_LIBRARY_PATH) is not used for the "build"
rule where the Makefile is created, but is for the clean/binary* targets.

lib/ExtUtils/instmodsh | 4 3 + 1 - 0 !
1 file changed, 3 insertions(+), 1 deletion(-)

 debian policy doesn't install .packlist files for core or vendor.

lib/ExtUtils/Liblist/Kid.pm | 3 3 + 0 - 0 !
1 file changed, 3 insertions(+)

 remove standard libs from ld_run_path as per debian policy.

lib/Net/Config.pm | 7 3 + 4 - 0 !
1 file changed, 3 insertions(+), 4 deletions(-)

 set location of libnet.cfg to /etc/perl/net as /usr may not be writable.

ext/threads-shared/t/stress.t | 4 4 + 0 - 0 !
ext/threads-shared/t/waithires.t | 6 6 + 0 - 0 !
2 files changed, 10 insertions(+)

 disable some threads tests on m68k for now due to missing tls.
Closes: #495826, #517938

perl.c | 62 62 + 0 - 0 !
1 file changed, 62 insertions(+)

 tweak @inc ordering for debian

Our order is:

    etc (for config files)
    site (5.8.1)
    vendor (all)
    core (5.8.1)
    site (version-indep)
    site (pre-5.8.1)

The rationale being that an admin (via site), or module packager
(vendor) can chose to shadow core modules when there is a newer
version than is included in core.

lib/Module/Build/Base.pm | 4 2 + 2 - 0 !
1 file changed, 2 insertions(+), 2 deletions(-)

 adjust module::build manual page extensions for the debian perl policy
Bug-Debian: http://bugs.debian.org/479460

pod/perl.pod | 64 32 + 32 - 0 !
1 file changed, 32 insertions(+), 32 deletions(-)

 rearrange perl.pod
Bug-Debian: http://bugs.debian.org/278323

The TOC in perl.pod should probably not be in the synopsis.

Note the debian/ prefix rather than fixes/ since upstream doesn't agree.

Configure | 5 2 + 3 - 0 !
1 file changed, 2 insertions(+), 3 deletions(-)

 prune the list of libraries wanted to what we actually need.
Bug-Debian: http://bugs.debian.org/128355

We want to keep the dependencies on perl-base as small as possible,
and some of the original list may be present on buildds (see Bug#128355).

ext/NDBM_File/hints/linux.pl | 5 1 + 4 - 0 !
ext/ODBM_File/hints/linux.pl | 8 1 + 7 - 0 !
2 files changed, 2 insertions(+), 11 deletions(-)

 explicitly link against -lgdbm_compat in odbm_file/ndbm_file. 

Explicitly link against -lgdbm_compat.

lib/Math/BigInt/CalcEmu.pm | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 math::bigint::calcemu documentation grammar fix
Bug-Debian: http://bugs.debian.org/443733

lib/Net/SMTP.pm | 1 1 + 0 - 0 !
1 file changed, 1 insertion(+)

 document the net::smtp 'port' option
Bug-Debian: http://bugs.debian.org/100195
Bug: http://rt.cpan.org/Public/Bug/Display.html?id=36038

lib/ExtUtils/MM_Unix.pm | 5 1 + 4 - 0 !
1 file changed, 1 insertion(+), 4 deletions(-)

 always use perlruninst when building perl modules.
Bug-Debian: http://bugs.debian.org/357264
Bug: http://rt.cpan.org/Public/Bug/Display.html?id=17224

Revert part of upstream change 24524 to always use PERLRUNINST when
building perl modules:  Some PDL demos expect blib to be implicitly
searched.

utils/perlivp.PL | 1 1 + 0 - 0 !
1 file changed, 1 insertion(+)

 make perlivp skip include directories in /usr/local
Closes: 510895

On Sat, Jan 10, 2009 at 12:37:18AM +1100, Brendan O'Dea wrote:
> On Wed, Jan 7, 2009 at 12:21 AM, Niko Tyni <ntyni@debian.org> wrote:

> > We could create the directories in a postinst script, but I'm not sure
> > I see the point. They will be created automatically when installing
> > CPAN modules.
>
> The directories are intentionally not created, as this way they are
> excluded from the search path at start-up, saving a bunch of wasted
> stats at use/require time in the common case that the user has not
> installed any local packages.  As Niko points out, they will be
> created as required.


Signed-off-by: Niko Tyni <ntyni@debian.org>

lib/Pod/Man.pm | 1 1 + 0 - 0 !
lib/Pod/t/man.t | 11 10 + 1 - 0 !
2 files changed, 11 insertions(+), 1 deletion(-)

 escape backslashes in .ix entries
Bug-Debian: http://bugs.debian.org/521256

ext/Compress-Raw-Zlib/config.in | 6 3 + 3 - 0 !
1 file changed, 3 insertions(+), 3 deletions(-)

 disable zlib bundling in compress::raw::zlib

Compress::Raw::Zlib statically links its bundled version of zlib
by default, but we use the system library instead.

Configure | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 add gcc predefined macros to $config{cppsymbols} on gnu/kfreebsd.
Bug-Debian: http://bugs.debian.org/533098

lib/CPANPLUS/Config/System.pm | 30 30 + 0 - 0 !
1 file changed, 30 insertions(+)

 configure cpanplus to use the site directories by default.
Closes: 533707
    
The core modules usually default to INSTALLDIRS=perl (ExtUtils::MakeMaker)
or installdirs=core (Module::Build), so we need to explicitly ask for
the site destination to get upgraded versions into /usr/local.

See also the sister patch, debian/cpan_definstalldirs .

lib/CPANPLUS/Configure.pm | 1 1 + 0 - 0 !
lib/CPANPLUS/Internals/Constants.pm | 3 3 + 0 - 0 !
2 files changed, 4 insertions(+)

 save local versions of cpanplus::config::system into /etc/perl.
    
This is a configuration file and needs to go in /etc by policy.
Besides, /usr may not even be writable.
    
This mirrors the Debian setup of CPAN.pm in debian/cpan_config_path.

See #533707.

lib/File/Copy.pm | 2 1 + 1 - 0 !
lib/File/Copy.t | 15 14 + 1 - 0 !
2 files changed, 15 insertions(+), 2 deletions(-)

 fix file::copy::copy with pipes on gnu/kfreebsd
Bug-Debian: http://bugs.debian.org/537555

perlio.c | 20 16 + 4 - 0 !
t/io/perlio.t | 15 14 + 1 - 0 !
2 files changed, 30 insertions(+), 5 deletions(-)

 honor tmpdir when open()ing an anonymous temporary file
Bug-Debian: http://bugs.debian.org/528544
Bug: http://rt.perl.org/rt3/Public/Bug/Display.html?id=66452

[perl #66452]

As reported by Norbert Buchmuller <norbi@nix.hu>, opening an anonymous
temporary file with the magical open($fh, '+>', undef) ignores TMPDIR.

ext/Socket/Socket.xs | 33 24 + 9 - 0 !
ext/Socket/t/Socket.t | 14 12 + 2 - 0 !
2 files changed, 36 insertions(+), 11 deletions(-)

 add support for abstract namespace sockets.
Bug-Debian: http://bugs.debian.org/490660
Bug-Debian: http://bugs.debian.org/329291

Configure | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 add gcc predefined macros to $config{cppsymbols} on gnu/hurd.
Bug-Debian: http://bugs.debian.org/544307

lib/Fatal.pm | 14 13 + 1 - 0 !
lib/autodie/t/flock.t | 12 10 + 2 - 0 !
2 files changed, 23 insertions(+), 3 deletions(-)

 allow for flock returning eagain instead of ewouldblock on linux/parisc
Bug-Debian: http://bugs.debian.org/543731

lib/Archive/Tar.pm | 17 15 + 2 - 0 !
lib/Archive/Tar/t/06_error.t | 39 39 + 0 - 0 !
2 files changed, 54 insertions(+), 2 deletions(-)

 separate archive::tar instance error strings from each other
Bug-Debian: http://bugs.debian.org/539355
Bug: http://rt.cpan.org/Public/Bug/Display.html?id=48879

Included upstream in Archive-Tar-1.54.

regexec.c | 5 4 + 1 - 0 !
1 file changed, 4 insertions(+), 1 deletion(-)

 fix \g crash on first match
Bug-Debian: http://bugs.debian.org/545234
Bug: http://rt.perl.org/rt3/Public/Bug/Display.html?id=69056

ext/Devel-PPPort/Makefile.PL | 7 7 + 0 - 0 !
1 file changed, 7 insertions(+)

 work around an ice on ia64
Closes: 548943

Temporarily work around an internal compiler error in Devel::PPPort
on ia64+gcc-4.3.

ext/re/t/regop.t | 12 6 + 6 - 0 !
regcomp.c | 17 11 + 6 - 0 !
regexec.c | 9 2 + 7 - 0 !
3 files changed, 19 insertions(+), 19 deletions(-)

 fix a dos in unicode processing [cve-2009-3626]
Bug-Debian: http://bugs.debian.org/552291
Bug: http://rt.perl.org/rt3/Public/Bug/Display.html?id=69973

ext/threads-shared/t/stress.t | 28 24 + 4 - 0 !
1 file changed, 24 insertions(+), 4 deletions(-)

 make the threads-shared test suite more robust, fixing failures on hppa
Closes: 554218

Fix from threads-shared-1.31:
 Handle thread creation failures in tests due to lack of memory, etc.

sv.c | 3 2 + 1 - 0 !
t/op/method.t | 11 10 + 1 - 0 !
2 files changed, 12 insertions(+), 2 deletions(-)

 fix a null pointer dereference when looking for a destroy method
Bug-Debian: http://bugs.debian.org/564074
Bug: http://rt.perl.org/rt3/Public/Bug/Display.html?id=71952

mg.c | 2 2 + 0 - 0 !
t/op/magic.t | 8 7 + 1 - 0 !
t/op/taint.t | 13 12 + 1 - 0 !
3 files changed, 21 insertions(+), 2 deletions(-)

 fix an errno stringification bug in taint mode
Bug-Debian: http://bugs.debian.org/574129
Bug: http://rt.perl.org/rt3/Public/Bug/Display.html?id=61976

ext/Safe/Safe.pm | 290 217 + 73 - 0 !
ext/Safe/t/safe1.t | 4 0 + 4 - 0 !
ext/Safe/t/safe2.t | 4 0 + 4 - 0 !
ext/Safe/t/safe3.t | 4 0 + 4 - 0 !
ext/Safe/t/safeload.t | 4 0 + 4 - 0 !
ext/Safe/t/safeops.t | 8 2 + 6 - 0 !
ext/Safe/t/safesort.t | 61 61 + 0 - 0 !
ext/Safe/t/safeuniversal.t | 13 5 + 8 - 0 !
ext/Safe/t/safeutf8.t | 46 46 + 0 - 0 !
ext/Safe/t/safewrap.t | 39 39 + 0 - 0 !
10 files changed, 370 insertions(+), 103 deletions(-)

 upgrade safe.pm to 2.25, fixing cve-2010-1974
Bug-Debian: http://bugs.debian.org/582978

pp_sys.c | 6 6 + 0 - 0 !
1 file changed, 6 insertions(+)

 fix a tell() crash on bad arguments.
Bug-Debian: http://bugs.debian.org/578577

MANIFEST | 1 1 + 0 - 0 !
perly.act | 284 145 + 139 - 0 !
perly.tab | 30 15 + 15 - 0 !
perly.y | 8 7 + 1 - 0 !
t/comp/form_scope.t | 18 18 + 0 - 0 !
5 files changed, 186 insertions(+), 155 deletions(-)

 fix a crash in format/write
Bug-Debian: http://bugs.debian.org/579537
Bug: http://rt.perl.org/rt3/Public/Bug/Display.html?id=22977

Configure | 5 3 + 2 - 0 !
1 file changed, 3 insertions(+), 2 deletions(-)

 prevent gcc from optimizing the alignment test away on armel
Bug-Debian: http://bugs.debian.org/289884

lib/CGI/t/fast.t | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 fix a failure in cgi/t/fast.t when fcgi is installed

hints/gnu.sh | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 make hints/gnu.sh append to $ccflags rather than overriding them
Bug-Debian: http://bugs.debian.org/587901

Don't override possible extra $ccflags values given to Configure
on GNU/Hurd.

locale.c | 4 4 + 0 - 0 !
pod/perllocale.pod | 8 8 + 0 - 0 !
2 files changed, 12 insertions(+)

 squelch locale warnings in debian package maintainer scripts
Bug-Debian: http://bugs.debian.org/508764

The system locales are rather frequently out of sync with the C library
during package upgrades, causing a huge amount of useless Perl locale
warnings. Squelch them when running package maintainer scripts, detected
by the DPKG_RUNNING_VERSION environment variable.

Any real locale problem will show up after the system upgrade too, and
the warning will be triggered normally again at that point.

pod/perlform.pod | 20 8 + 12 - 0 !
pod/perllocale.pod | 15 6 + 9 - 0 !
2 files changed, 14 insertions(+), 21 deletions(-)

 lc_numeric documentation fixes
Bug-Debian: http://bugs.debian.org/379329
Bug: http://rt.perl.org/rt3/Ticket/Display.html?id=78452

op.c | 1 1 + 0 - 0 !
1 file changed, 1 insertion(+)

 fix sprintf not to ignore lc_numeric with constants
Bug-Debian: http://bugs.debian.org/601549
Bug: http://rt.perl.org/rt3/Ticket/Display.html?id=78632

pp_hot.c | 3 3 + 0 - 0 !
1 file changed, 3 insertions(+)

 fix stack pointer corruption in pp_concat() with 'use encoding'
Bug-Debian: http://bugs.debian.org/596105
Bug: http://rt.perl.org/rt3/Ticket/Display.html?id=78674

MANIFEST | 2 2 + 0 - 0 !
lib/CGI.pm | 26 25 + 1 - 0 !
lib/CGI/t/headers.t | 47 47 + 0 - 0 !
lib/CGI/t/multipart_init.t | 20 20 + 0 - 0 !
4 files changed, 94 insertions(+), 1 deletion(-)

 [cve-2010-2761 cve-2010-4410 cve-2010-4411] cgi.pm mime boundary and multiline header vulnerabilities

pp.c | 7 6 + 1 - 0 !
t/op/taint.t | 15 14 + 1 - 0 !
2 files changed, 20 insertions(+), 2 deletions(-)

 fix unwanted taint laundering in lc(), uc() et al.

Upstream patch ported to 5.12 by Marcela Malov <mmaslano@redhat.com>

Tests modified by Niko Tyni <ntyni@debian.org> to actually fail without
the patch.

ext/Safe/Safe.pm | 8 5 + 3 - 0 !
1 file changed, 5 insertions(+), 3 deletions(-)

 [patch] wrap by default coderefs returned by rdo and reval

ext/Encode/Unicode/Unicode.xs | 5 4 + 1 - 0 !
1 file changed, 4 insertions(+), 1 deletion(-)

 [patch] fix decode_xs n-byte heap-overflow security bug in
 Unicode.xs

lib/Digest.pm | 6 4 + 2 - 0 !
1 file changed, 4 insertions(+), 2 deletions(-)

 close the eval "require $module" security hole in
 Digest->new($algorithm)

Also the filter was incomplete.

Bug-Debian: http://bugs.debian.org/644108

miniperlmain.c | 9 8 + 1 - 0 !
1 file changed, 8 insertions(+), 1 deletion(-)

 [patch] main: unregister signal handler before destroying my_perl

If the signal handler runs after perl_destruct() has been called, it
will get an invalid (or NULL) my_perl when it asks for the
thread-specific interpreter struct.  This patch resets the signal
handler for any signal previously handled by PL_csighandlerp to SIG_DFL
before calling perl_destruct().

util.c | 3 3 + 0 - 0 !
1 file changed, 3 insertions(+)

 avoid calling memset with a negative count
X-Git-Tag: v5.14.3-RC2~3

lib/CGI.pm | 26 13 + 13 - 0 !
lib/CGI/t/headers.t | 6 6 + 0 - 0 !
2 files changed, 19 insertions(+), 13 deletions(-)

 [patch 1/4] cr escaping for p3p header

ext/Storable/Storable.pm | 32 32 + 0 - 0 !
1 file changed, 32 insertions(+)

 [patch] add a note about security concerns in storable

Storable is not a great way to pass data back and forth across security
boundaries.  We have discussed the security implications of the
auto-loading and auto-blessing behaviors in Storable in the past, both
on the perl5-porters mailing list and at various conferences.  Somehow,
though, these "well-known" probably have never actually been put into
the documentation.  This patch corrects that.

The original version of this patch included a recommendation to use
Sereal in its most stringent configuration, but that text was removed
for the time being by Ricardo Signes, who hopes to add it back once
Sereal has been in public use for just a bit longer.

lib/Locale/Maketext/Guts.pm | 24 8 + 16 - 0 !
1 file changed, 8 insertions(+), 16 deletions(-)

 fix misparsing of maketext strings.

Case 61251: This commit fixes a misparse of maketext strings that could
lead to arbitrary code execution.  Basically, maketext was compiling
bracket notation into functions, but neglected to escape backslashes
inside the content or die on fully-qualified method names when
generating the code.  This change escapes all such backslashes and dies
when a method name with a colon or apostrophe is specified.

Backported to 5.10.1 by Dominic Hargreaves.

Bug-Debian: http://bugs.debian.org/695224

ext/Hash-Util-FieldHash/t/10_hash.t | 18 16 + 2 - 0 !
hv.c | 26 6 + 20 - 0 !
t/op/hash.t | 20 17 + 3 - 0 !
3 files changed, 39 insertions(+), 25 deletions(-)

 [patch] prevent premature hsplit() calls, and only trigger rehash
 after hsplit()

Triggering a hsplit due to long chain length allows an attacker
to create a carefully chosen set of keys which can cause the hash
to use 2 * (2**32) * sizeof(void *) bytes ram. AKA a DOS via memory
exhaustion. Doing so also takes non trivial time.

Eliminating this check, and only inspecting chain length after a
normal hsplit() (triggered when keys>buckets) prevents the attack
entirely, and makes such attacks relatively benign.

(cherry picked from commit f2a571dae7d70f7e3b59022834d8003ecd2df884)
(which was itself cherry picked (with changes) from commit f1220d61455253b170e81427c9d0357831ca0fac)