From 83e7ebed7afa79a2f50eca6b6330eae7c3a02d36 Mon Sep 17 00:00:00 2001
From: Tony Cook <>
Date: Wed, 27 Jan 2016 11:52:15 +1100
Subject: remove duplicate environment variables from environ
If we see duplicate environment variables while iterating over
a) make sure we use the same value in %ENV that getenv() returns.
Previously on a duplicate, %ENV would have the last entry for the name
from environ[], but a typical getenv() would return the first entry.
Rather than assuming all getenv() implementations return the first entry
explicitly call getenv() to ensure they agree.
b) remove duplicate entries from environ
Previously if there was a duplicate definition for a name in environ[]
setting that name in %ENV could result in an unsafe value being passed
to a child process, so ensure environ[] has no duplicates.
Patch-Name: fixes/CVE-2016-2381_duplicate_env.diff
if (env) {
char *s, *old_var;
+ STRLEN nlen;
SV *sv;
+ HV *dups = newHV();
for (; *env; env++) {
old_var = *env;
if (!(s = strchr(old_var,'=')) || s == old_var)
+ nlen = s - old_var;
#if defined(MSDOS) && !defined(DJGPP)
*s = '\0';
*s = '=';
- sv = newSVpv(s+1, 0);
- (void)hv_store(hv, old_var, s - old_var, sv, 0);
+ if (hv_exists(hv, old_var, nlen)) {
+ const char *name = savepvn(old_var, nlen);
+ /* make sure we use the same value as getenv(), otherwise code that
+ uses getenv() (like setlocale()) might see a different value to %ENV
+ */
+ sv = newSVpv(PerlEnv_getenv(name), 0);
+ /* keep a count of the dups of this name so we can de-dup environ later */
+ if (hv_exists(dups, name, nlen))
+ ++SvIVX(*hv_fetch(dups, name, nlen, 0));
+ else
+ (void)hv_store(dups, name, nlen, newSViv(1), 0);
+ Safefree(name);
+ }
+ else {
+ sv = newSVpv(s+1, 0);
+ }
+ (void)hv_store(hv, old_var, nlen, sv, 0);
if (env_is_not_environ)
+ if (HvKEYS(dups)) {
+ /* environ has some duplicate definitions, remove them */
+ HE *entry;
+ hv_iterinit(dups);
+ while ((entry = hv_iternext_flags(dups, 0))) {
+ STRLEN nlen;
+ const char *name = HePV(entry, nlen);
+ IV count = SvIV(HeVAL(entry));
+ IV i;
+ SV **valp = hv_fetch(hv, name, nlen, 0);
+ assert(valp);
+ /* try to remove any duplicate names, depending on the
+ * implementation used in my_setenv() the iteration might
+ * not be necessary, but let's be safe.
+ */
+ for (i = 0; i < count; ++i)
+ my_setenv(name, 0);
+ /* and set it back to the value we set $ENV{name} to */
+ my_setenv(name, SvPV_nolen(*valp));
+ }
+ }
+ SvREFCNT_dec_NN(dups);
#endif /* USE_ENVIRON_ARRAY */
#endif /* !PERL_MICRO */

# Maintainer: Florian Pritz <>
# Contributor: Angel Velasquez <>
# Contributor: kevin <>
# Contributor: judd <>
# Contributor: francois <>
# ALARM: Kevin Mihelich <>
# - configure ARMv5 with -Dd_u32align
pkgdesc="A highly capable, feature-rich programming language"
license=('GPL' 'PerlArtistic')
depends=('gdbm>=1.17' 'db' 'glibc' 'libxcrypt' '')
# NOTE: This array is automatically generated by `./patchprov`.
# If you want to add entries, do so in the next array.
# Add your own provides here
options=('makeflags' '!purge' 'emptydirs')
prepare() {
cd "${srcdir}/${pkgname}-${pkgver}"
patch -p1 -i "$srcdir/perl-18924.patch"
# reproducible patchlevel_date
[ -n "${SOURCE_DATE_EPOCH}" ] && touch -h -d @$SOURCE_DATE_EPOCH patchlevel.h
build() {
cd "${srcdir}/${pkgname}-${pkgver}"
if [ "${CARCH}" = "x86_64" ]; then
# for x86_64
# for i686
# reproducible builds overrides are only fully effective when loaded from file
cp ../config.over .
export TZ=UTC
[[ $CARCH == "arm" ]] && CONFIG="-Dd_u32align"
./Configure -des -Dusethreads -Duseshrplib -Doptimize="${CFLAGS}" \
-Dprefix=/usr -Dvendorprefix=/usr \
-Dprivlib=/usr/share/perl5/core_perl \
-Darchlib=/usr/lib/perl5/$_baseversion/core_perl \
-Dsitelib=/usr/share/perl5/site_perl \
-Dsitearch=/usr/lib/perl5/$_baseversion/site_perl \
-Dvendorlib=/usr/share/perl5/vendor_perl \
-Dvendorarch=/usr/lib/perl5/$_baseversion/vendor_perl \
-Dscriptdir=/usr/bin/core_perl \
-Dsitescript=/usr/bin/site_perl \
-Dvendorscript=/usr/bin/vendor_perl \
-Dinc_version_list=none \
-Dman1ext=1perl -Dman3ext=3perl ${arch_opts} \
-Dlddlflags="-shared ${LDFLAGS}" -Dldflags="${LDFLAGS}" $CONFIG
check() {
cd "${srcdir}/${pkgname}-${pkgver}"
# TEST_JOBS=$(echo "$MAKEFLAGS" | sed 's/.*-j\([0-9][0-9]*\).*/\1/') make test_harness
make test
package() {
cd "${srcdir}/${pkgname}-${pkgver}"
make DESTDIR="$pkgdir" install
### Perl Settings ###
# Change man page extensions for site and vendor module builds.
# Set no mail address since bug reports should go to the bug tracker
# and not someone's email.
sed -e '/^man1ext=/ s/1perl/1p/' -e '/^man3ext=/ s/3perl/3pm/' \
-e "/^cf_email=/ s/'.*'/''/" \
-e "/^perladmin=/ s/'.*'/''/" \
-i "${pkgdir}/usr/lib/perl5/$_baseversion/core_perl/"
### CPAN Settings ###
# Set CPAN default config to use the site directories.
sed -e '/(makepl_arg =>/ s/""/"INSTALLDIRS=site"/' \
-e '/(mbuildpl_arg =>/ s/""/"installdirs=site"/' \
-i "${pkgdir}/usr/share/perl5/core_perl/CPAN/"
# Profile script to set paths to perl scripts.
install -D -m644 "${srcdir}/" \
# Profile script to set paths to perl scripts on csh. (FS#22441)
install -D -m644 "${srcdir}/perlbin.csh" \
# Profile script to set paths to perl scripts on fish. (FS#51191)
install -D -m 755 "$srcdir/" \
# Add the dirs so new installs will already have them in PATH once they
# install their first perl programm
install -d -m755 "$pkgdir/usr/bin/vendor_perl"
install -d -m755 "$pkgdir/usr/bin/site_perl"
#(cd ${pkgdir}/usr/bin; mv perl${pkgver} perl)
rm "$pkgdir/usr/bin/perl$pkgver"
install -D -m755 -t "$pkgdir/usr/share/libalpm/scripts" "$srcdir/"
install -D -m644 -t "$pkgdir/usr/share/libalpm/hooks" "$srcdir/detect-old-perl-modules.hook"
find "$pkgdir" -name perllocal.pod -delete
find "$pkgdir" -name .packlist -delete

cf_time="`date -u --date="@${SOURCE_DATE_EPOCH:-$(date +%s)}"`"

Operation = Install
Operation = Upgrade
Type = Path
Target = usr/lib/perl5/*/
Description = Warn about old perl modules
When = PostTransaction
Exec = /usr/share/libalpm/scripts/

perlver=$(perl -e '$v = $^V->{version}; print $v->[0].".".($v->[1]);')
dir_empty() {
local dir=$1
[[ $(find $dir -maxdepth 0 -empty -exec echo empty \;) = "empty" ]] && return 0 || return 1
print_unowned_files() {
local dir=$1
LC_ALL=C find "$dir" -type f -exec pacman -Qqo {} + |& sed -n 's/^error: No package owns \(.*\)$/\1/p'
for dir in "$basedir/"*; do
if [[ "${dir##*/}" != "$perlver" ]]; then
if [[ -d "$dir" ]] && ! dir_empty "$dir"; then
pkgcount=$(pacman -Qqo "$dir" | wc -l)
if ((pkgcount > 0)); then
printf "WARNING: '%s' contains data from at least %d packages which will NOT be used by the installed perl interpreter.\n" "$dir" "$pkgcount"
printf " -> Run the following command to get a list of affected packages: pacman -Qqo '%s'\n" "$dir"
unowned_count=$(print_unowned_files "$dir" | wc -l)
if ((unowned_count > 0)); then
printf "WARNING: %d file(s) in %s are not tracked by pacman and need to be rebuilt.\n" "$unowned_count" "$dir"
printf " -> These were most likely installed directly by cpan or a similar tool.\n"
printf " Run the following command to get a list of these files:\n"
printf " LC_ALL=C find \"%s\" -type f -exec pacman -Qqo {} + |& sed -n 's/^error: No package owns \(.*\)$/\\\1/p'\n" "$dir"

set -euo pipefail
echo "vim"
pkgfile -rd "^/usr/lib/perl5/" | sed 's#^.*/##' | sort -u
ssh sogrep -r
for repo in core extra community multilib; do
ssh sogrep "$repo"
# this one is optional
#pkgfile -r '^/usr/share/perl5/' | sed 's#^.*/##' | sort -u

## Name:
## patchprov
## Description:
## Patch the provides list in the perl package PKGBUILD. Scan the appropriate
## directories under the perl source tree for directories containing dists
## similar to CPAN dists. Search the files in the distributions for VERSION
## strings, which are perl expressions. Filters these version strings through
## the perl interpreter, then transform the dist. names and versions into
## package names and versions. Finally, we cut out the "provides" array from the
## PKGBUILD and replace it with the newer version.
## Usage:
## patchprov [path to perl source tree] [path to PKGBUILD]
## Caveats:
## The path code is not platform independent and will only work in POSIX.
## Changelog:
## 06/10/14 JD Rewrite from scratch for perl 5.20.0 and ArchLinux.
## Authors:
## Justin "juster" Davis <>
use warnings;
use strict;
sub err
print STDERR "patchprov: error: @_\n";
exit 1;
## Extract the dist. name from its containing directory.
sub path_dist
my($path) = @_;
$path =~ s{^.*/}{};
return $path;
## Create a path like $path/lib/Foo/ for Foo::Bar.
sub lib_modpath
my($path, $modname) = @_;
$modname =~ s{::}{/}g;
return "$path/lib/$";
## Create a path to a file in the containing directory, named after
## the last segment of the module name, with suffix attached.
sub dumb_modpath
my($path, $modname, $suffix) = @_;
$modname =~ s{^.*::}{};
return "$path/$modname$suffix";
## Find a source file contained in the directory that we can scrape the
## perl versions string from.
my %distmods = (
'PathTools' => 'Cwd',
'Scalar-List-Utils' => 'List::Util',
'IO-Compress' => 'IO::Compress::Gzip',
sub dist_srcpath
my($path) = @_;
my $distname = path_dist($path);
my $modname;
if(exists $distmods{$distname}){
$modname = $distmods{$distname};
$modname = $distname;
$modname =~ s/-/::/g;
my @srcpaths = (
lib_modpath($path, $modname),
dumb_modpath($path, $modname, '.pm'),
dumb_modpath($path, $modname, '_pm.PL'),
dumb_modpath($path, '__'.$modname.'__', '.pm'),
"$path/VERSION", # for podlators
for my $src (@srcpaths){
return $src if(-f $src);
return undef;
## Scrape the version string for the module file or Makefile.PL.
sub scrape_verln
my($srcpath) = @_;
open my $fh, '<', $srcpath or die "open: $!";
while(my $ln = <$fh>){
if($ln =~ s/^.*VERSION *=>? *//){
close $fh;
return $ln;
close $fh;
err("failed to find VERSION in $srcpath");
## Scrape the version string from the module source file.
sub scrape_modver
my($srcpath) = @_;
return scrape_verln($srcpath);
## Scrape the version string from the Makefile.PL. (for libnet)
sub scrape_mkplver
my($srcpath) = @_;
my $verln = scrape_verln($srcpath);
$verln =~ s/,/;/;
return $verln;
## Scrape the version string from a file inside the dist dir.
sub distpath_ver
my($distpath) = @_;
my $srcpath = dist_srcpath($distpath);
my $mkplpath = "$distpath/Makefile.PL";
if(defined $srcpath){
return scrape_modver($srcpath);
}elsif(-f $mkplpath){
return scrape_mkplver($mkplpath);
err("failed to scrape version from $distpath");
## Search the base path for the dist dirs and extract their respective
## version strings.
sub find_distvers
my($basepath) = @_;
opendir my $dh, $basepath or die "opendir: $!";
my @dirs = grep { -d $_ } map { "$basepath/$_" } grep { !/^[.]/ } readdir $dh;
closedir $dh;
my @distvers;
for my $dpath (@dirs){
push @distvers, [ path_dist($dpath), distpath_ver($dpath) ];
return @distvers;
## Maps an aref of dist name/perl version strings (perl expressions) to
## a package name and version string suitable for a PKGBUILD.
sub pkgspec
my($dist, $ver) = @$_;
$dist =~ tr/A-Z/a-z/;
$ver = eval $ver;
return "perl-$dist=$ver";
## Searches the perl source dir provided for a list of packages which
## correspond to the core distributions bundled within in.
sub perlcorepkgs
my($perlpath) = @_;
my @dirs = ("$perlpath/cpan", "$perlpath/dist");
my @provs;
for my $d (@dirs){
if(!-d $d){
err("$d is not a valid directory");
push @provs, map pkgspec, find_distvers($d);
return @provs;
## Formats the provided lines into a neatly formatted bash array. The first arg
## is the name of the bash variable to assign it to.
sub basharray
my $vname = shift;
## Sort entries and surround with quotes.
my @lns = sort map { qq{'$_'} } @_;
$lns[0] = "$vname=($lns[0]";
## Indent lines for OCD geeks.
if(@lns > 1){
my $ind = length($vname) + 2;
splice @lns, 1, @lns-1,
map { (' ' x $ind) . $_ } @lns[1 .. $#lns];
$lns[$#lns] .= ')';
return map { "$_\n" } @lns;
## Patch the PKGBUILD at the given path with a new provides array, overwriting
## the old one.
sub patchpb
my $pbpath = shift;
open my $fh, '<', $pbpath or die "open: $!";
my @lines = <$fh>;
close $fh;
my($i, $j);
for($i = 0; $i < @lines; $i++){
last if($lines[$i] =~ /^provides=/);
if($i == @lines){
err("failed to find provides array in PKGBUILD");
for($j = $i; $j < @lines; $j++){
last if($lines[$j] =~ /[)]/);
if($j == @lines){
err("failed to find end of provides array");
splice @lines, $i, $j-$i+1,
basharray('provides', grep { !/win32|next/ } @_);
## Avoid corrupting the existing PKGBUILD in case of a crash, etc.
if(-f "$pbpath.$$"){
err("pbpath.$$ temporary file already exists, please remove it.");
open $fh, '>', "$pbpath.$$" or die "open: $!";
print $fh @lines;
close $fh or die "close: $!";
rename "$pbpath.$$", "$pbpath" or die "rename: $!";
## Program entrypoint.
sub main
if(@_ < 2){
print STDERR "usage: $0 [perl source path] [PKGBUILD path]\n";
exit 2;
my($perlpath, $pbpath) = @_;
if(!-f $pbpath){
err("$pbpath is not a valid file.");
}elsif(!-d $perlpath){
err("$perlpath is not a valid directory.");
patchpb($pbpath, perlcorepkgs($perlpath));
exit 0;

# Set path to perl scriptdirs if they exist
# Added /usr/bin/*_perl dirs for scripts
[ -d /usr/bin/site_perl ] && setenv PATH ${PATH}:/usr/bin/site_perl
[ -d /usr/bin/vendor_perl ] && setenv PATH ${PATH}:/usr/bin/vendor_perl
[ -d /usr/bin/core_perl ] && setenv PATH ${PATH}:/usr/bin/core_perl
# If you have modules in non-standard directories you can add them here.
#export PERLLIB=dir1:dir2

# Set path to perl scriptdirs if they exist
if status --is-login
for perldir in /usr/bin/site_perl /usr/bin/vendor_perl /usr/bin/core_perl
if test -d $perldir; and not contains $perldir $PATH
set PATH $PATH $perldir

# Set path to perl scriptdirs if they exist
# Added /usr/bin/*_perl dirs for scripts
[ -d /usr/bin/site_perl ] && append_path '/usr/bin/site_perl'
[ -d /usr/bin/vendor_perl ] && append_path '/usr/bin/vendor_perl'
[ -d /usr/bin/core_perl ] && append_path '/usr/bin/core_perl'
export PATH
# If you have modules in non-standard directories you can add them here.
#export PERLLIB=dir1:dir2

upgpkg_build() {
makepkg -o
./patchprov src/perl-$pkgver PKGBUILD