Debian has issued an advisory today (January 11): https://lists.debian.org/debian-security-announce/2016/msg00010.html
The DSA will be posted here: https://www.debian.org/security/2016/dsa-3441
The bug is actually in perl-PathTools and was fixed in 3.62: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=810719 but there's a copy bundled in the perl package.
CC: (none) => mageia, thierry.vignaud
Fedora has issued an advisory for perl-PathTools today (January 14): https://lists.fedoraproject.org/pipermail/package-announce/2016-January/175494.html
Severity: normal => major
Updated and patched packages uploaded for Mageia 5 and Cauldron.

Advisory:
========================

Updated perl and perl-PathTools packages fix security vulnerability:

It was reported that File::Spec::canonpath() routine returns untainted strings even if passed tainted input. This defect undermines the guarantee of taint propagation, which is sometimes used to ensure that unvalidated user input does not reach sensitive code (CVE-2015-8607).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8607
https://www.debian.org/security/2016/dsa-3441
https://lists.fedoraproject.org/pipermail/package-announce/2016-January/175494.html
========================

Updated packages in core/updates_testing:
========================
perl-PathTools-3.470.0-7.1.mga5
perl-5.20.1-8.1.mga5
perl-base-5.20.1-8.1.mga5
perl-devel-5.20.1-8.1.mga5
perl-doc-5.20.1-8.1.mga5

from SRPMS:
perl-PathTools-3.470.0-7.1.mga5.src.rpm
perl-5.20.1-8.1.mga5.src.rpm
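The property the advisory describes is checkable directly: under taint mode, a string derived from untrusted input must stay tainted after File::Spec->canonpath(), and Scalar::Util::tainted() reports whether it did. The script below is an added example written for this thread; it is not code from the bug report, from the Mageia packages or from the PathTools test suite mentioned later. The helper names (tainted_sample_path, check_canonpath_taint) are mine, and the sample path 'foo/../bar//baz/' is a constructed input; the tainted-empty-string idiom (substr of a tainted %ENV value) is the standard way to taint a literal when no command-line argument is given. Run it as `perl -T taint_check.pl` (optionally passing a path as the first argument); a vulnerable perl-PathTools exits 1, a fixed one exits 0.

```perl
#!/usr/bin/perl -T
# Added example (not from the bug report, the Mageia packages or PathTools):
# does File::Spec->canonpath() keep taint on its result? CVE-2015-8607 is the
# case where it silently returned an untainted string.
# Must be run with taint mode enabled:  perl -T taint_check.pl [path]
use strict;
use warnings;
use File::Spec;
use Scalar::Util qw(tainted);

# Produce a tainted input path. Command-line arguments are tainted under -T;
# when none is given, a constructed sample path is tainted by concatenating a
# zero-length substring of the tainted $ENV{PATH} (taint propagates through
# substr and string concatenation).
sub tainted_sample_path {
    return $ARGV[0] if @ARGV;
    my $tainted_empty = substr($ENV{PATH} // '', 0, 0);
    return 'foo/../bar//baz/' . $tainted_empty;    # constructed sample input
}

# Canonicalise the path and record the taint flag of input and output.
sub check_canonpath_taint {
    my ($input) = @_;
    my $output = File::Spec->canonpath($input);
    return {
        input          => $input,
        output         => $output,
        input_tainted  => tainted($input)  ? 1 : 0,
        output_tainted => tainted($output) ? 1 : 0,
    };
}

my $r = check_canonpath_taint(tainted_sample_path());
printf "input : %s (tainted=%d)\n", $r->{input},  $r->{input_tainted};
printf "output: %s (tainted=%d)\n", $r->{output}, $r->{output_tainted};

# Taint must survive canonicalisation; otherwise a later open()/system()
# on the cleaned path would no longer be blocked by -T.
if ($r->{input_tainted} && !$r->{output_tainted}) {
    print "VULNERABLE: canonpath() returned an untainted string (CVE-2015-8607 behaviour)\n";
    exit 1;
}
print "OK: taint propagated through canonpath()\n";
exit 0;
```

The reason this matters for the "guarantee of taint propagation" in the advisory: under -T perl refuses to use tainted data in operations that affect the outside world (writing files, executing commands), so code that canonicalises a user-supplied path and then opens it for writing was relying on the taint flag surviving canonpath(); with the vulnerable module that open would have been allowed through without any validation.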
Version: Cauldron => 5
Assignee: jquelin => qa-bugs
Note that there's a PoC built-in to the test suite which is run at build time, so that has already been verified. Just need a quick functionality test.
mga5 x86_64 Mate

Made sure all 5.20.1-8 components had already been installed then updated to 5.20.1-8.1.

Found a perl script in my qa directory which had been used as a PoC for something else, can't remember what but it generated a file called nemux.aiff. Called perl on it and the file was created.

Found another called test_items.pl and perled that. It produced a Qt gui with a menu listing your choice of pizza. Attaching that.

[lcl@vega ~/test]$ locate -i pathtools
/usr/share/doc/perl-PathTools
/usr/share/doc/perl-PathTools/Changes
/usr/share/doc/perl-PathTools/INSTALL
/usr/share/doc/perl-PathTools/META.yml
/usr/share/doc/perl-PathTools/MYMETA.yml
/usr/share/doc/perl-PathTools/README

[lcl@vega ~/test]$ cat /usr/share/doc/perl-PathTools/README
This is the combined distribution for the File::Spec and Cwd modules.
Please see their respective documentation for details.

Can't take that any further. Is this enough?
CC: (none) => tarazed25
Created attachment 7349: Anonymous script for testing perl
Generates a Qt gui containing a menu.
Attachment 7349 is obsolete: 0 => 1
Created attachment 7350: Anonymous test script
Created attachment 7351: Random test script
Should generate a file called nemux.aiff (unplayable).
mga5 i586 in vbox Mate

Installed the update packages and ran the two test scripts as before but both failed.

For test_items.pl:
Can't locate yui.pm in @INC (you may need to install the yui module)
I had to install perl-yui and libyui6-qt so this is not a suitable example for testing functionality.

For nemux.pl:
Invalid type 'Q' in pack at nemux.pl line 113.
113: my $content_file = pack('Q', $eax_addr);
114: $content_file .= "\x90" x ( 21146 - length pack('Q',$eax_addr) );
Might just be an unsuitable example for this architecture.

I don't know perl so shall have another look for more neutral examples.
Examples at http://learn.perl.org/examples/

Quoting four scripts here, hoping that this does not tread on any toes from the legal point of view.

Listing directory contents:

    #!/usr/bin/perl
    use strict;
    use warnings;
    use Path::Class;

    my $dir = dir('foo','bar'); # foo/bar

    # Iterate over the content of foo/bar
    while (my $file = $dir->next) {
        # See if it is a directory and skip
        next if $file->is_dir();

        # Print out the file name and path
        print $file->stringify . "\n";
    }

DNS resolution:

    #!/usr/bin/perl
    use strict;
    use warnings;
    use feature 'say';    # say() is not available without this (or use 5.010)
    use Net::DNS::Resolver;

    my $hostname = 'perl.org';
    my $res = Net::DNS::Resolver->new(
        nameservers => [qw(10.5.0.1)],
    );

    my $query = $res->search($hostname);

    if ($query) {
        foreach my $rr ($query->answer) {
            next unless $rr->type eq "A";
            say "Found an A record: " . $rr->address;
        }
    }

Write to a file:

    #!/usr/bin/perl
    use strict;
    use warnings;
    use Path::Class;
    use autodie; # die if problem reading or writing a file

    my $dir = dir("/tmp"); # /tmp
    my $file = $dir->file("file.txt"); # /tmp/file.txt

    # Get a file_handle (IO::File object) you can write to
    my $file_handle = $file->openw();

    my @list = ('a', 'list', 'of', 'lines');
    foreach my $line ( @list ) {
        # Add the line to the file
        $file_handle->print($line . "\n");
    }

Read from a file:

    #!/usr/bin/perl
    use strict;
    use warnings;
    use Path::Class;
    use autodie; # die if problem reading or writing a file

    my $dir = dir("/tmp"); # /tmp
    my $file = $dir->file("file.txt");

    # Read in the entire contents of a file
    my $content = $file->slurp();

    # openr() returns an IO::File object to read from
    my $file_handle = $file->openr();

    # Read in line at a time
    while( my $line = $file_handle->getline() ) {
        print $line;
    }

I could not get any of these to run because extra modules were required;
Can't locate Path/Class.pm in @INC (you may need to install the Path::Class module)
Can't locate Net/DNS/Resolver.pm in @INC (you may need to install the Net::DNS::Resolver module)

There are references to CPAN, cpan and cpanm but these seem to be fairly basic modules so I expect they are part of Mageia. Help?
Never mind. urpmf perl > perlindex creates a 208K line file. Grepping that turned up perl-Path-Class and perl-Net-DNS-Resolver-Programmable. That did the trick.

Replaced foo/bar by a local directory name in the directory script and the nameserver by my router's address in the DNS resolver script.

$ perl dns.pl
Found an A record: 207.171.7.53
Found an A record: 207.171.7.43

These basic tests all work in x86_64 and i586. Good enough I would say.
Whiteboard: (none) => has_procedure MGA5-64-OK MGA5-32-OK
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Whiteboard: has_procedure MGA5-64-OK MGA5-32-OK => has_procedure MGA5-64-OK MGA5-32-OK advisory
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2016-0027.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED