5 files changed, 384 insertions, 0 deletions
diff --git a/recipes-devtools/perl/perl/CVE-2018-6913-perl-131844-fix-various-space-calculation-issues-in-.patch b/recipes-devtools/perl/perl/CVE-2018-6913-perl-131844-fix-various-space-calculation-issues-in-.patch
new file mode 100644
index 0000000..cb73e21
--- /dev/null
+++ b/recipes-devtools/perl/perl/CVE-2018-6913-perl-131844-fix-various-space-calculation-issues-in-.patch
@@ -0,0 +1,148 @@
+From a9d5c6e11891b48be06d4e06eeed18642bc98527 Mon Sep 17 00:00:00 2001
+From: Tony Cook <tony@develop-help.com>
+Date: Tue, 8 Aug 2017 09:32:58 +1000
+Subject: [PATCH] (perl #131844) fix various space calculation issues in
+ pp_pack.c
+- for the originally reported case, if the start/cur pointer is in the
+  top 75% of the address space the add (cur) + glen addition would
+  overflow, resulting in the condition failing incorrectly.
+- the addition of the existing space used to the space needed could
+  overflow, resulting in too small an allocation and a buffer overflow.
+- the scaling for UTF8 could overflow.
+- the multiply to calculate the space needed for many items could
+  overflow.
+For the first case, do a space calculation without making new pointers.
+For the other cases, detect the overflow and croak if there's an
+overflow.
+Originally this used Size_t_MAX as the maximum size of a memory
+allocation, but for -DDEBUGGING builds realloc() throws a panic for
+allocations over half the address space in size, changing the error
+reported for the allocation.
+For non-DEBUGGING builds the Size_t_MAX limit has the small chance
+of finding a system that has 3GB of contiguous space available, and
+allocating that space, which could be a denial of servce in some cases.
+Unfortunately changing the limit to half the address space means that
+the exact case with the original issue can no longer occur, so the
+test is no longer testing against the address + length issue that
+caused the original problem, since the allocation is failing earlier.
+One option would be to change the test so the size request by pack is
+just under 2GB, but this has a higher (but still low) probability that
+the system has the address space available, and will actually try to
+allocate the memory, so let's not do that.
+(cherry picked from commit f5506feddde8546eabb69d71569d856c7e9c615b)
+CVE: CVE-2018-131844
+Upstream-Status: Backport [https://rt.perl.org/Public/Ticket/Attachment/1480002/799836/0001-perl-131844-fix-various-space-calculation-issues-in-.patch]
+Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
+---
+ pp_pack.c   | 25 +++++++++++++++++++++----
+ t/op/pack.t | 24 +++++++++++++++++++++++-
+ 2 files changed, 44 insertions(+), 5 deletions(-)
+diff --git a/pp_pack.c b/pp_pack.c
+index f6964c3..c0de5ab 100644
+--- a/pp_pack.c
+++ b/pp_pack.c
+@@ -358,11 +358,28 @@ STMT_START {                                                      \
+     }                                                          \
+ } STMT_END
+ 
+#define SAFE_UTF8_EXPAND(var)  \
+STMT_START {                           \
+    if ((var) > SSize_t_MAX / UTF8_EXPAND) \
+        Perl_croak(aTHX_ "%s", "Out of memory during pack()"); \
+    (var) = (var) * UTF8_EXPAND; \
+} STMT_END
+
+#define GROWING2(utf8, cat, start, cur, item_size, item_count) \
+STMT_START {                                                   \
+    if (SSize_t_MAX / (item_size) < (item_count))              \
+        Perl_croak(aTHX_ "%s", "Out of memory during pack()"); \
+    GROWING((utf8), (cat), (start), (cur), (item_size) * (item_count)); \
+} STMT_END
+
+ #define GROWING(utf8, cat, start, cur, in_len) \
+ STMT_START {                                   \
+     STRLEN glen = (in_len);                    \
+-    if (utf8) glen *= UTF8_EXPAND;             \
+-    if ((cur) + glen >= (start) + SvLEN(cat)) {        \
+    STRLEN catcur = (STRLEN)((cur) - (start)); \
+    if (utf8) SAFE_UTF8_EXPAND(glen);          \
+    if (SSize_t_MAX - glen < catcur)           \
+        Perl_croak(aTHX_ "%s", "Out of memory during pack()"); \
+    if (catcur + glen >= SvLEN(cat)) { \
+        (start) = sv_exp_grow(cat, glen);       \
+        (cur) = (start) + SvCUR(cat);           \
+     }                                          \
+@@ -372,7 +389,7 @@ STMT_START {                                        \
+ STMT_START {                                   \
+     const STRLEN glen = (in_len);              \
+     STRLEN gl = glen;                          \
+-    if (utf8) gl *= UTF8_EXPAND;               \
+    if (utf8) SAFE_UTF8_EXPAND(gl);            \
+     if ((cur) + gl >= (start) + SvLEN(cat)) {  \
+         *cur = '\0';                           \
+         SvCUR_set((cat), (cur) - (start));     \
+@@ -2126,7 +2143,7 @@ S_pack_rec(pTHX_ SV *cat, tempsym_t* symptr, SV **beglist, SV **endlist )
+            if (props && !(props & PACK_SIZE_UNPREDICTABLE)) {
+                /* We can process this letter. */
+                STRLEN size = props & PACK_SIZE_MASK;
+-               GROWING(utf8, cat, start, cur, (STRLEN) len * size);
+               GROWING2(utf8, cat, start, cur, size, (STRLEN)len);
+            }
+         }
+ 
+diff --git a/t/op/pack.t b/t/op/pack.t
+index a2da636..a480c3a 100644
+--- a/t/op/pack.t
+++ b/t/op/pack.t
+@@ -12,7 +12,7 @@ my $no_endianness = $] > 5.009 ? '' :
+ my $no_signedness = $] > 5.009 ? '' :
+   "Signed/unsigned pack modifiers not available on this perl";
+ 
+-plan tests => 14712;
+plan tests => 14716;
+ 
+ use strict;
+ use warnings qw(FATAL all);
+@@ -2044,3 +2044,25 @@ ok(1, "argument underflow did not crash");
+     is(pack("H40", $up_nul), $twenty_nuls,
+        "check pack H zero fills (utf8 source)");
+ }
+
+SKIP:
+{
+  # [perl #131844] pointer addition overflow
+    $Config{ptrsize} == 4
+      or skip "[perl #131844] need 32-bit build for this test", 4;
+    # prevent ASAN just crashing on the allocation failure
+    local $ENV{ASAN_OPTIONS} = $ENV{ASAN_OPTIONS};
+    $ENV{ASAN_OPTIONS} .= ",allocator_may_return_null=1";
+    fresh_perl_like('pack "f999999999"', qr/Out of memory during pack/, { stderr => 1 },
+                   "pointer addition overflow");
+
+    # integer (STRLEN) overflow from addition of glen to current length
+    fresh_perl_like('pack "c10f1073741823"', qr/Out of memory during pack/, { stderr => 1 },
+                   "integer overflow calculating allocation (addition)");
+
+    fresh_perl_like('pack "W10f536870913", 256', qr/Out of memory during pack/, { stderr => 1 },
+                   "integer overflow calculating allocation (utf8)");
+
+    fresh_perl_like('pack "c10f1073741824"', qr/Out of memory during pack/, { stderr => 1 },
+                   "integer overflow calculating allocation (multiply)");
+}
+-- 
+2.7.4
diff --git a/recipes-devtools/perl/perl_5.24.1.bbappend b/recipes-devtools/perl/perl_5.24.1.bbappend
new file mode 100644
index 0000000..10cfbca
--- /dev/null
+++ b/recipes-devtools/perl/perl_5.24.1.bbappend
@@ -0,0 +1,6 @@
+# look for files in the layer first
+FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:"
+SRC_URI += " \
+        file://CVE-2018-6913-perl-131844-fix-various-space-calculation-issues-in-.patch \
+        "
diff --git a/recipes-devtools/python/python/CVE-2017-1000158-2.7-bpo-30657-Check-prevent-integer-overflow-in-PySt.patch b/recipes-devtools/python/python/CVE-2017-1000158-2.7-bpo-30657-Check-prevent-integer-overflow-in-PySt.patch
new file mode 100644
index 0000000..b94ae06
--- /dev/null
+++ b/recipes-devtools/python/python/CVE-2017-1000158-2.7-bpo-30657-Check-prevent-integer-overflow-in-PySt.patch
@@ -0,0 +1,62 @@
+From cab6444ff39a91084bdac08d0ae66734cea943f6 Mon Sep 17 00:00:00 2001
+From: Andreas Wellving <andreas.wellving@enea.com>
+Date: Mon, 22 Oct 2018 10:13:00 +0200
+Subject: [PATCH] [2.7] bpo-30657: Check & prevent integer overflow in PyString_DecodeEscape (#2174)
+CVE: CVE-2017-1000158
+Upstream-Status: Backport [https://github.com/python/cpython/commit/c3c9db89273fabc62ea1b48389d9a3000c1c03ae]
+Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
+---
+ Misc/ACKS              | 1 +
+ Misc/NEWS              | 3 +++
+ Objects/stringobject.c | 8 +++++++-
+ 3 files changed, 11 insertions(+), 1 deletion(-)
+diff --git a/Misc/ACKS b/Misc/ACKS
+index 952d6dd..6ea6639 100644
+--- a/Misc/ACKS
+++ b/Misc/ACKS
+@@ -151,6 +151,7 @@ Gregory Bond
+ Matias Bordese
+ Jonas Borgström
+ Jurjen Bos
+Jay Bosamiya
+ Peter Bosch
+ Dan Boswell
+ Eric Bouck
+diff --git a/Misc/NEWS b/Misc/NEWS
+index b779e82..ab0b687 100644
+--- a/Misc/NEWS
+++ b/Misc/NEWS
+@@ -21,6 +21,9 @@ What's New in Python 2.7.13 release candidate 1?
+ Core and Builtins
+ -----------------
+ 
+- bpo-30657: Fixed possible integer overflow in PyString_DecodeEscape.
+  Patch by Jay Bosamiya.
+
+ - Issue #28847: dumbdbm no longer writes the index file in when it is not
+   changed and supports reading read-only files.
+ 
+diff --git a/Objects/stringobject.c b/Objects/stringobject.c
+index 4e38735..6c31c5b 100644
+--- a/Objects/stringobject.c
+++ b/Objects/stringobject.c
+@@ -612,7 +612,13 @@ PyObject *PyString_DecodeEscape(const char *s,
+     char *p, *buf;
+     const char *end;
+     PyObject *v;
+-    Py_ssize_t newlen = recode_encoding ? 4*len:len;
+    Py_ssize_t newlen;
+    /* Check for integer overflow */
+    if (recode_encoding && (len > PY_SSIZE_T_MAX / 4)) {
+        PyErr_SetString(PyExc_OverflowError, "string is too large");
+        return NULL;
+    }
+    newlen = recode_encoding ? 4*len:len;
+     v = PyString_FromStringAndSize((char *)NULL, newlen);
+     if (v == NULL)
+         return NULL;
diff --git a/recipes-devtools/python/python/CVE-2018-1060-CVE-2018-1061-2.7-bpo-32981-Fix-catastrophic-backtracking-vulns-GH.patch b/recipes-devtools/python/python/CVE-2018-1060-CVE-2018-1061-2.7-bpo-32981-Fix-catastrophic-backtracking-vulns-GH.patch
new file mode 100644
index 0000000..6239503
--- /dev/null
+++ b/recipes-devtools/python/python/CVE-2018-1060-CVE-2018-1061-2.7-bpo-32981-Fix-catastrophic-backtracking-vulns-GH.patch
@@ -0,0 +1,161 @@
+From fbfdc20005366facc079675ee7e217a0993ef2f9 Mon Sep 17 00:00:00 2001
+From: Andreas Wellving <andreas.wellving@enea.com>
+Date: Mon, 22 Oct 2018 13:44:16 +0200
+Subject: [PATCH] [2.7] bpo-32981: Fix catastrophic backtracking vulns
+ (GH-5955)
+* Prevent low-grade poplib REDOS (CVE-2018-1060)
+The regex to test a mail server's timestamp is susceptible to
+catastrophic backtracking on long evil responses from the server.
+Happily, the maximum length of malicious inputs is 2K thanks
+to a limit introduced in the fix for CVE-2013-1752.
+A 2KB evil response from the mail server would result in small slowdowns
+(milliseconds vs. microseconds) accumulated over many apop calls.
+This is a potential DOS vector via accumulated slowdowns.
+Replace it with a similar non-vulnerable regex.
+The new regex is RFC compliant.
+The old regex was non-compliant in edge cases.
+* Prevent difflib REDOS (CVE-2018-1061)
+The default regex for IS_LINE_JUNK is susceptible to
+catastrophic backtracking.
+This is a potential DOS vector.
+Replace it with an equivalent non-vulnerable regex.
+Also introduce unit and REDOS tests for difflib.
+CVE: CVE-2018-1060
+CVE: CVE-2018-1061
+Upstream-Status: Backport [https://github.com/python/cpython/commit/937ac1fe069a4dc8471dff205f553d82e724015b]
+Co-authored-by: Tim Peters <tim.peters@gmail.com>
+Co-authored-by: Christian Heimes <christian@python.org>.
+(cherry picked from commit 0e6c8ee2358a2e23117501826c008842acb835ac)
+Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
+---
+ Lib/difflib.py                                     |  2 +-
+ Lib/poplib.py                                      |  2 +-
+ Lib/test/test_difflib.py                           | 22 +++++++++++++++++++++-
+ Lib/test/test_poplib.py                            | 10 ++++++++++
+ Misc/ACKS                                          |  1 +
+ .../2018-03-02-10-24-52.bpo-32981.O_qDyj.rst       |  4 ++++
+ 6 files changed, 38 insertions(+), 3 deletions(-)
+ create mode 100644 Misc/NEWS.d/next/Security/2018-03-02-10-24-52.bpo-32981.O_qDyj.rst
+diff --git a/Lib/difflib.py b/Lib/difflib.py
+index 1c6fbdb..788a92d 100644
+--- a/Lib/difflib.py
+++ b/Lib/difflib.py
+@@ -1103,7 +1103,7 @@ class Differ:
+ 
+ import re
+ 
+-def IS_LINE_JUNK(line, pat=re.compile(r"\s*#?\s*$").match):
+def IS_LINE_JUNK(line, pat=re.compile(r"\s*(?:#\s*)?$").match):
+     r"""
+     Return 1 for ignorable line: iff `line` is blank or contains a single '#'.
+ 
+diff --git a/Lib/poplib.py b/Lib/poplib.py
+index b91e5f7..a238510 100644
+--- a/Lib/poplib.py
+++ b/Lib/poplib.py
+@@ -274,7 +274,7 @@ class POP3:
+         return self._shortcmd('RPOP %s' % user)
+ 
+ 
+-    timestamp = re.compile(r'\+OK.*(<[^>]+>)')
+    timestamp = re.compile(br'\+OK.[^<]*(<.*>)')
+ 
+     def apop(self, user, secret):
+         """Authorisation
+diff --git a/Lib/test/test_difflib.py b/Lib/test/test_difflib.py
+index 35f2c36..d8277b7 100644
+--- a/Lib/test/test_difflib.py
+++ b/Lib/test/test_difflib.py
+@@ -269,13 +269,33 @@ class TestOutputFormat(unittest.TestCase):
+         self.assertEqual(fmt(3,6), '4,6')
+         self.assertEqual(fmt(0,0), '0')
+ 
+class TestJunkAPIs(unittest.TestCase):
+    def test_is_line_junk_true(self):
+        for line in ['#', '  ', ' #', '# ', ' # ', '']:
+            self.assertTrue(difflib.IS_LINE_JUNK(line), repr(line))
+
+    def test_is_line_junk_false(self):
+        for line in ['##', ' ##', '## ', 'abc ', 'abc #', 'Mr. Moose is up!']:
+            self.assertFalse(difflib.IS_LINE_JUNK(line), repr(line))
+
+    def test_is_line_junk_REDOS(self):
+        evil_input = ('\t' * 1000000) + '##'
+        self.assertFalse(difflib.IS_LINE_JUNK(evil_input))
+
+    def test_is_character_junk_true(self):
+        for char in [' ', '\t']:
+            self.assertTrue(difflib.IS_CHARACTER_JUNK(char), repr(char))
+
+    def test_is_character_junk_false(self):
+        for char in ['a', '#', '\n', '\f', '\r', '\v']:
+            self.assertFalse(difflib.IS_CHARACTER_JUNK(char), repr(char))
+ 
+ def test_main():
+     difflib.HtmlDiff._default_prefix = 0
+     Doctests = doctest.DocTestSuite(difflib)
+     run_unittest(
+         TestWithAscii, TestAutojunk, TestSFpatches, TestSFbugs,
+-        TestOutputFormat, Doctests)
+        TestOutputFormat, TestJunkAPIs)
+ 
+ if __name__ == '__main__':
+     test_main()
+diff --git a/Lib/test/test_poplib.py b/Lib/test/test_poplib.py
+index 23d6887..d214375 100644
+--- a/Lib/test/test_poplib.py
+++ b/Lib/test/test_poplib.py
+@@ -211,6 +211,16 @@ class TestPOP3Class(TestCase):
+     def test_rpop(self):
+         self.assertOK(self.client.rpop('foo'))
+ 
+    def test_apop_REDOS(self):
+        # Replace welcome with very long evil welcome.
+        # NB The upper bound on welcome length is currently 2048.
+        # At this length, evil input makes each apop call take
+        # on the order of milliseconds instead of microseconds.
+        evil_welcome = b'+OK' + (b'<' * 1000000)
+        with test_support.swap_attr(self.client, 'welcome', evil_welcome):
+            # The evil welcome is invalid, so apop should throw.
+            self.assertRaises(poplib.error_proto, self.client.apop, 'a', 'kb')
+
+     def test_top(self):
+         expected =  ('+OK 116 bytes',
+                      ['From: postmaster@python.org', 'Content-Type: text/plain',
+diff --git a/Misc/ACKS b/Misc/ACKS
+index 9cbc230..952d6dd 100644
+--- a/Misc/ACKS
+++ b/Misc/ACKS
+@@ -314,6 +314,7 @@ Kushal Das
+ Jonathan Dasteel
+ Pierre-Yves David
+ A. Jesse Jiryu Davis
+Jamie (James C.) Davis
+ Merlijn van Deen
+ John DeGood
+ Ned Deily
+diff --git a/Misc/NEWS.d/next/Security/2018-03-02-10-24-52.bpo-32981.O_qDyj.rst b/Misc/NEWS.d/next/Security/2018-03-02-10-24-52.bpo-32981.O_qDyj.rst
+new file mode 100644
+index 0000000..9ebabb4
+--- /dev/null
+++ b/Misc/NEWS.d/next/Security/2018-03-02-10-24-52.bpo-32981.O_qDyj.rst
+@@ -0,0 +1,4 @@
+Regexes in difflib and poplib were vulnerable to catastrophic backtracking.
+These regexes formed potential DOS vectors (REDOS). They have been
+refactored. This resolves CVE-2018-1060 and CVE-2018-1061.
+Patch by Jamie Davis.
diff --git a/recipes-devtools/python/python_2.7.13.bbappend b/recipes-devtools/python/python_2.7.13.bbappend
new file mode 100644
index 0000000..d7ec5e2
--- /dev/null
+++ b/recipes-devtools/python/python_2.7.13.bbappend
@@ -0,0 +1,7 @@
+# look for files in the layer first
+FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:"
+SRC_URI += " \
+        file://CVE-2017-1000158-2.7-bpo-30657-Check-prevent-integer-overflow-in-PySt.patch \
+        file://CVE-2018-1060-CVE-2018-1061-2.7-bpo-32981-Fix-catastrophic-backtracking-vulns-GH.patch \
+        "

diff --git a/recipes-devtools/perl/perl/CVE-2018-6913-perl-131844-fix-various-space-calculation-issues-in-.patch b/recipes-devtools/perl/perl/CVE-2018-6913-perl-131844-fix-various-space-calculation-issues-in-.patch new file mode 100644 index 0000000..cb73e21 --- /dev/null +++ b/recipes-devtools/perl/perl/CVE-2018-6913-perl-131844-fix-various-space-calculation-issues-in-.patch
@@ -0,0 +1,148 @@
	1	From a9d5c6e11891b48be06d4e06eeed18642bc98527 Mon Sep 17 00:00:00 2001
	2	From: Tony Cook <tony@develop-help.com>
	3	Date: Tue, 8 Aug 2017 09:32:58 +1000
	4	Subject: [PATCH] (perl #131844) fix various space calculation issues in
	5	pp_pack.c
	6
	7	- for the originally reported case, if the start/cur pointer is in the
	8	top 75% of the address space the add (cur) + glen addition would
	9	overflow, resulting in the condition failing incorrectly.
	10
	11	- the addition of the existing space used to the space needed could
	12	overflow, resulting in too small an allocation and a buffer overflow.
	13
	14	- the scaling for UTF8 could overflow.
	15
	16	- the multiply to calculate the space needed for many items could
	17	overflow.
	18
	19	For the first case, do a space calculation without making new pointers.
	20
	21	For the other cases, detect the overflow and croak if there's an
	22	overflow.
	23
	24	Originally this used Size_t_MAX as the maximum size of a memory
	25	allocation, but for -DDEBUGGING builds realloc() throws a panic for
	26	allocations over half the address space in size, changing the error
	27	reported for the allocation.
	28
	29	For non-DEBUGGING builds the Size_t_MAX limit has the small chance
	30	of finding a system that has 3GB of contiguous space available, and
	31	allocating that space, which could be a denial of servce in some cases.
	32
	33	Unfortunately changing the limit to half the address space means that
	34	the exact case with the original issue can no longer occur, so the
	35	test is no longer testing against the address + length issue that
	36	caused the original problem, since the allocation is failing earlier.
	37
	38	One option would be to change the test so the size request by pack is
	39	just under 2GB, but this has a higher (but still low) probability that
	40	the system has the address space available, and will actually try to
	41	allocate the memory, so let's not do that.
	42
	43	(cherry picked from commit f5506feddde8546eabb69d71569d856c7e9c615b)
	44
	45	CVE: CVE-2018-131844
	46	Upstream-Status: Backport [https://rt.perl.org/Public/Ticket/Attachment/1480002/799836/0001-perl-131844-fix-various-space-calculation-issues-in-.patch]
	47
	48	Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
	49	---
	50	pp_pack.c \| 25 +++++++++++++++++++++----
	51	t/op/pack.t \| 24 +++++++++++++++++++++++-
	52	2 files changed, 44 insertions(+), 5 deletions(-)
	53
	54	diff --git a/pp_pack.c b/pp_pack.c
	55	index f6964c3..c0de5ab 100644
	56	--- a/pp_pack.c
	57	+++ b/pp_pack.c
	58	@@ -358,11 +358,28 @@ STMT_START { \
	59	} \
	60	} STMT_END
	61
	62	+#define SAFE_UTF8_EXPAND(var) \
	63	+STMT_START { \
	64	+ if ((var) > SSize_t_MAX / UTF8_EXPAND) \
	65	+ Perl_croak(aTHX_ "%s", "Out of memory during pack()"); \
	66	+ (var) = (var) * UTF8_EXPAND; \
	67	+} STMT_END
	68	+
	69	+#define GROWING2(utf8, cat, start, cur, item_size, item_count) \
	70	+STMT_START { \
	71	+ if (SSize_t_MAX / (item_size) < (item_count)) \
	72	+ Perl_croak(aTHX_ "%s", "Out of memory during pack()"); \
	73	+ GROWING((utf8), (cat), (start), (cur), (item_size) * (item_count)); \
	74	+} STMT_END
	75	+
	76	#define GROWING(utf8, cat, start, cur, in_len) \
	77	STMT_START { \
	78	STRLEN glen = (in_len); \
	79	- if (utf8) glen *= UTF8_EXPAND; \
	80	- if ((cur) + glen >= (start) + SvLEN(cat)) { \
	81	+ STRLEN catcur = (STRLEN)((cur) - (start)); \
	82	+ if (utf8) SAFE_UTF8_EXPAND(glen); \
	83	+ if (SSize_t_MAX - glen < catcur) \
	84	+ Perl_croak(aTHX_ "%s", "Out of memory during pack()"); \
	85	+ if (catcur + glen >= SvLEN(cat)) { \
	86	(start) = sv_exp_grow(cat, glen); \
	87	(cur) = (start) + SvCUR(cat); \
	88	} \
	89	@@ -372,7 +389,7 @@ STMT_START { \
	90	STMT_START { \
	91	const STRLEN glen = (in_len); \
	92	STRLEN gl = glen; \
	93	- if (utf8) gl *= UTF8_EXPAND; \
	94	+ if (utf8) SAFE_UTF8_EXPAND(gl); \
	95	if ((cur) + gl >= (start) + SvLEN(cat)) { \
	96	*cur = '\0'; \
	97	SvCUR_set((cat), (cur) - (start)); \
	98	@@ -2126,7 +2143,7 @@ S_pack_rec(pTHX_ SV cat, tempsym_t symptr, SV beglist, SV endlist )
	99	if (props && !(props & PACK_SIZE_UNPREDICTABLE)) {
	100	/* We can process this letter. */
	101	STRLEN size = props & PACK_SIZE_MASK;
	102	- GROWING(utf8, cat, start, cur, (STRLEN) len * size);
	103	+ GROWING2(utf8, cat, start, cur, size, (STRLEN)len);
	104	}
	105	}
	106
	107	diff --git a/t/op/pack.t b/t/op/pack.t
	108	index a2da636..a480c3a 100644
	109	--- a/t/op/pack.t
	110	+++ b/t/op/pack.t
	111	@@ -12,7 +12,7 @@ my $no_endianness = $] > 5.009 ? '' :
	112	my $no_signedness = $] > 5.009 ? '' :
	113	"Signed/unsigned pack modifiers not available on this perl";
	114
	115	-plan tests => 14712;
	116	+plan tests => 14716;
	117
	118	use strict;
	119	use warnings qw(FATAL all);
	120	@@ -2044,3 +2044,25 @@ ok(1, "argument underflow did not crash");
	121	is(pack("H40", $up_nul), $twenty_nuls,
	122	"check pack H zero fills (utf8 source)");
	123	}
	124	+
	125	+SKIP:
	126	+{
	127	+ # [perl #131844] pointer addition overflow
	128	+ $Config{ptrsize} == 4
	129	+ or skip "[perl #131844] need 32-bit build for this test", 4;
	130	+ # prevent ASAN just crashing on the allocation failure
	131	+ local $ENV{ASAN_OPTIONS} = $ENV{ASAN_OPTIONS};
	132	+ $ENV{ASAN_OPTIONS} .= ",allocator_may_return_null=1";
	133	+ fresh_perl_like('pack "f999999999"', qr/Out of memory during pack/, { stderr => 1 },
	134	+ "pointer addition overflow");
	135	+
	136	+ # integer (STRLEN) overflow from addition of glen to current length
	137	+ fresh_perl_like('pack "c10f1073741823"', qr/Out of memory during pack/, { stderr => 1 },
	138	+ "integer overflow calculating allocation (addition)");
	139	+
	140	+ fresh_perl_like('pack "W10f536870913", 256', qr/Out of memory during pack/, { stderr => 1 },
	141	+ "integer overflow calculating allocation (utf8)");
	142	+
	143	+ fresh_perl_like('pack "c10f1073741824"', qr/Out of memory during pack/, { stderr => 1 },
	144	+ "integer overflow calculating allocation (multiply)");
	145	+}
	146	--
	147	2.7.4
	148


diff --git a/recipes-devtools/perl/perl_5.24.1.bbappend b/recipes-devtools/perl/perl_5.24.1.bbappend new file mode 100644 index 0000000..10cfbca --- /dev/null +++ b/recipes-devtools/perl/perl_5.24.1.bbappend
@@ -0,0 +1,6 @@
	1	# look for files in the layer first
	2	FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:"
	3
	4	SRC_URI += " \
	5	file://CVE-2018-6913-perl-131844-fix-various-space-calculation-issues-in-.patch \
	6	"


diff --git a/recipes-devtools/python/python/CVE-2017-1000158-2.7-bpo-30657-Check-prevent-integer-overflow-in-PySt.patch b/recipes-devtools/python/python/CVE-2017-1000158-2.7-bpo-30657-Check-prevent-integer-overflow-in-PySt.patch new file mode 100644 index 0000000..b94ae06 --- /dev/null +++ b/recipes-devtools/python/python/CVE-2017-1000158-2.7-bpo-30657-Check-prevent-integer-overflow-in-PySt.patch
@@ -0,0 +1,62 @@
	1	From cab6444ff39a91084bdac08d0ae66734cea943f6 Mon Sep 17 00:00:00 2001
	2	From: Andreas Wellving <andreas.wellving@enea.com>
	3	Date: Mon, 22 Oct 2018 10:13:00 +0200
	4	Subject: [PATCH] [2.7] bpo-30657: Check & prevent integer overflow in PyString_DecodeEscape (#2174)
	5
	6	CVE: CVE-2017-1000158
	7	Upstream-Status: Backport [https://github.com/python/cpython/commit/c3c9db89273fabc62ea1b48389d9a3000c1c03ae]
	8
	9	Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
	10	---
	11	Misc/ACKS \| 1 +
	12	Misc/NEWS \| 3 +++
	13	Objects/stringobject.c \| 8 +++++++-
	14	3 files changed, 11 insertions(+), 1 deletion(-)
	15
	16	diff --git a/Misc/ACKS b/Misc/ACKS
	17	index 952d6dd..6ea6639 100644
	18	--- a/Misc/ACKS
	19	+++ b/Misc/ACKS
	20	@@ -151,6 +151,7 @@ Gregory Bond
	21	Matias Bordese
	22	Jonas Borgström
	23	Jurjen Bos
	24	+Jay Bosamiya
	25	Peter Bosch
	26	Dan Boswell
	27	Eric Bouck
	28	diff --git a/Misc/NEWS b/Misc/NEWS
	29	index b779e82..ab0b687 100644
	30	--- a/Misc/NEWS
	31	+++ b/Misc/NEWS
	32	@@ -21,6 +21,9 @@ What's New in Python 2.7.13 release candidate 1?
	33	Core and Builtins
	34	-----------------
	35
	36	+- bpo-30657: Fixed possible integer overflow in PyString_DecodeEscape.
	37	+ Patch by Jay Bosamiya.
	38	+
	39	- Issue #28847: dumbdbm no longer writes the index file in when it is not
	40	changed and supports reading read-only files.
	41
	42	diff --git a/Objects/stringobject.c b/Objects/stringobject.c
	43	index 4e38735..6c31c5b 100644
	44	--- a/Objects/stringobject.c
	45	+++ b/Objects/stringobject.c
	46	@@ -612,7 +612,13 @@ PyObject PyString_DecodeEscape(const char s,
	47	char p, buf;
	48	const char *end;
	49	PyObject *v;
	50	- Py_ssize_t newlen = recode_encoding ? 4*len:len;
	51	+ Py_ssize_t newlen;
	52	+ /* Check for integer overflow */
	53	+ if (recode_encoding && (len > PY_SSIZE_T_MAX / 4)) {
	54	+ PyErr_SetString(PyExc_OverflowError, "string is too large");
	55	+ return NULL;
	56	+ }
	57	+ newlen = recode_encoding ? 4*len:len;
	58	v = PyString_FromStringAndSize((char *)NULL, newlen);
	59	if (v == NULL)
	60	return NULL;
	61
	62


diff --git a/recipes-devtools/python/python/CVE-2018-1060-CVE-2018-1061-2.7-bpo-32981-Fix-catastrophic-backtracking-vulns-GH.patch b/recipes-devtools/python/python/CVE-2018-1060-CVE-2018-1061-2.7-bpo-32981-Fix-catastrophic-backtracking-vulns-GH.patch new file mode 100644 index 0000000..6239503 --- /dev/null +++ b/recipes-devtools/python/python/CVE-2018-1060-CVE-2018-1061-2.7-bpo-32981-Fix-catastrophic-backtracking-vulns-GH.patch
@@ -0,0 +1,161 @@
	1	From fbfdc20005366facc079675ee7e217a0993ef2f9 Mon Sep 17 00:00:00 2001
	2	From: Andreas Wellving <andreas.wellving@enea.com>
	3	Date: Mon, 22 Oct 2018 13:44:16 +0200
	4	Subject: [PATCH] [2.7] bpo-32981: Fix catastrophic backtracking vulns
	5	(GH-5955)
	6
	7	* Prevent low-grade poplib REDOS (CVE-2018-1060)
	8
	9	The regex to test a mail server's timestamp is susceptible to
	10	catastrophic backtracking on long evil responses from the server.
	11
	12	Happily, the maximum length of malicious inputs is 2K thanks
	13	to a limit introduced in the fix for CVE-2013-1752.
	14
	15	A 2KB evil response from the mail server would result in small slowdowns
	16	(milliseconds vs. microseconds) accumulated over many apop calls.
	17	This is a potential DOS vector via accumulated slowdowns.
	18
	19	Replace it with a similar non-vulnerable regex.
	20
	21	The new regex is RFC compliant.
	22	The old regex was non-compliant in edge cases.
	23
	24	* Prevent difflib REDOS (CVE-2018-1061)
	25
	26	The default regex for IS_LINE_JUNK is susceptible to
	27	catastrophic backtracking.
	28	This is a potential DOS vector.
	29
	30	Replace it with an equivalent non-vulnerable regex.
	31
	32	Also introduce unit and REDOS tests for difflib.
	33
	34	CVE: CVE-2018-1060
	35	CVE: CVE-2018-1061
	36	Upstream-Status: Backport [https://github.com/python/cpython/commit/937ac1fe069a4dc8471dff205f553d82e724015b]
	37
	38	Co-authored-by: Tim Peters <tim.peters@gmail.com>
	39	Co-authored-by: Christian Heimes <christian@python.org>.
	40	(cherry picked from commit 0e6c8ee2358a2e23117501826c008842acb835ac)
	41	Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
	42	---
	43	Lib/difflib.py \| 2 +-
	44	Lib/poplib.py \| 2 +-
	45	Lib/test/test_difflib.py \| 22 +++++++++++++++++++++-
	46	Lib/test/test_poplib.py \| 10 ++++++++++
	47	Misc/ACKS \| 1 +
	48	.../2018-03-02-10-24-52.bpo-32981.O_qDyj.rst \| 4 ++++
	49	6 files changed, 38 insertions(+), 3 deletions(-)
	50	create mode 100644 Misc/NEWS.d/next/Security/2018-03-02-10-24-52.bpo-32981.O_qDyj.rst
	51
	52	diff --git a/Lib/difflib.py b/Lib/difflib.py
	53	index 1c6fbdb..788a92d 100644
	54	--- a/Lib/difflib.py
	55	+++ b/Lib/difflib.py
	56	@@ -1103,7 +1103,7 @@ class Differ:
	57
	58	import re
	59
	60	-def IS_LINE_JUNK(line, pat=re.compile(r"\s#?\s$").match):
	61	+def IS_LINE_JUNK(line, pat=re.compile(r"\s(?:#\s)?$").match):
	62	r"""
	63	Return 1 for ignorable line: iff `line` is blank or contains a single '#'.
	64
	65	diff --git a/Lib/poplib.py b/Lib/poplib.py
	66	index b91e5f7..a238510 100644
	67	--- a/Lib/poplib.py
	68	+++ b/Lib/poplib.py
	69	@@ -274,7 +274,7 @@ class POP3:
	70	return self._shortcmd('RPOP %s' % user)
	71
	72
	73	- timestamp = re.compile(r'\+OK.*(<[^>]+>)')
	74	+ timestamp = re.compile(br'\+OK.[^<](<.>)')
	75
	76	def apop(self, user, secret):
	77	"""Authorisation
	78	diff --git a/Lib/test/test_difflib.py b/Lib/test/test_difflib.py
	79	index 35f2c36..d8277b7 100644
	80	--- a/Lib/test/test_difflib.py
	81	+++ b/Lib/test/test_difflib.py
	82	@@ -269,13 +269,33 @@ class TestOutputFormat(unittest.TestCase):
	83	self.assertEqual(fmt(3,6), '4,6')
	84	self.assertEqual(fmt(0,0), '0')
	85
	86	+class TestJunkAPIs(unittest.TestCase):
	87	+ def test_is_line_junk_true(self):
	88	+ for line in ['#', ' ', ' #', '# ', ' # ', '']:
	89	+ self.assertTrue(difflib.IS_LINE_JUNK(line), repr(line))
	90	+
	91	+ def test_is_line_junk_false(self):
	92	+ for line in ['##', ' ##', '## ', 'abc ', 'abc #', 'Mr. Moose is up!']:
	93	+ self.assertFalse(difflib.IS_LINE_JUNK(line), repr(line))
	94	+
	95	+ def test_is_line_junk_REDOS(self):
	96	+ evil_input = ('\t' * 1000000) + '##'
	97	+ self.assertFalse(difflib.IS_LINE_JUNK(evil_input))
	98	+
	99	+ def test_is_character_junk_true(self):
	100	+ for char in [' ', '\t']:
	101	+ self.assertTrue(difflib.IS_CHARACTER_JUNK(char), repr(char))
	102	+
	103	+ def test_is_character_junk_false(self):
	104	+ for char in ['a', '#', '\n', '\f', '\r', '\v']:
	105	+ self.assertFalse(difflib.IS_CHARACTER_JUNK(char), repr(char))
	106
	107	def test_main():
	108	difflib.HtmlDiff._default_prefix = 0
	109	Doctests = doctest.DocTestSuite(difflib)
	110	run_unittest(
	111	TestWithAscii, TestAutojunk, TestSFpatches, TestSFbugs,
	112	- TestOutputFormat, Doctests)
	113	+ TestOutputFormat, TestJunkAPIs)
	114
	115	if __name__ == '__main__':
	116	test_main()
	117	diff --git a/Lib/test/test_poplib.py b/Lib/test/test_poplib.py
	118	index 23d6887..d214375 100644
	119	--- a/Lib/test/test_poplib.py
	120	+++ b/Lib/test/test_poplib.py
	121	@@ -211,6 +211,16 @@ class TestPOP3Class(TestCase):
	122	def test_rpop(self):
	123	self.assertOK(self.client.rpop('foo'))
	124
	125	+ def test_apop_REDOS(self):
	126	+ # Replace welcome with very long evil welcome.
	127	+ # NB The upper bound on welcome length is currently 2048.
	128	+ # At this length, evil input makes each apop call take
	129	+ # on the order of milliseconds instead of microseconds.
	130	+ evil_welcome = b'+OK' + (b'<' * 1000000)
	131	+ with test_support.swap_attr(self.client, 'welcome', evil_welcome):
	132	+ # The evil welcome is invalid, so apop should throw.
	133	+ self.assertRaises(poplib.error_proto, self.client.apop, 'a', 'kb')
	134	+
	135	def test_top(self):
	136	expected = ('+OK 116 bytes',
	137	['From: postmaster@python.org', 'Content-Type: text/plain',
	138	diff --git a/Misc/ACKS b/Misc/ACKS
	139	index 9cbc230..952d6dd 100644
	140	--- a/Misc/ACKS
	141	+++ b/Misc/ACKS
	142	@@ -314,6 +314,7 @@ Kushal Das
	143	Jonathan Dasteel
	144	Pierre-Yves David
	145	A. Jesse Jiryu Davis
	146	+Jamie (James C.) Davis
	147	Merlijn van Deen
	148	John DeGood
	149	Ned Deily
	150	diff --git a/Misc/NEWS.d/next/Security/2018-03-02-10-24-52.bpo-32981.O_qDyj.rst b/Misc/NEWS.d/next/Security/2018-03-02-10-24-52.bpo-32981.O_qDyj.rst
	151	new file mode 100644
	152	index 0000000..9ebabb4
	153	--- /dev/null
	154	+++ b/Misc/NEWS.d/next/Security/2018-03-02-10-24-52.bpo-32981.O_qDyj.rst
	155	@@ -0,0 +1,4 @@
	156	+Regexes in difflib and poplib were vulnerable to catastrophic backtracking.
	157	+These regexes formed potential DOS vectors (REDOS). They have been
	158	+refactored. This resolves CVE-2018-1060 and CVE-2018-1061.
	159	+Patch by Jamie Davis.
	160
	161


diff --git a/recipes-devtools/python/python_2.7.13.bbappend b/recipes-devtools/python/python_2.7.13.bbappend new file mode 100644 index 0000000..d7ec5e2 --- /dev/null +++ b/recipes-devtools/python/python_2.7.13.bbappend
@@ -0,0 +1,7 @@
	1	# look for files in the layer first
	2	FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:"
	3
	4	SRC_URI += " \
	5	file://CVE-2017-1000158-2.7-bpo-30657-Check-prevent-integer-overflow-in-PySt.patch \
	6	file://CVE-2018-1060-CVE-2018-1061-2.7-bpo-32981-Fix-catastrophic-backtracking-vulns-GH.patch \
	7	"