summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorKai Kang <kai.kang@windriver.com>2016-07-14 16:53:08 +0800
committerRichard Purdie <richard.purdie@linuxfoundation.org>2016-09-23 15:27:06 +0100
commit2561b58ac8131325c3e0248ad4a6533b1dd1b032 (patch)
treee7918007b5e4af26312e322b4806d9facdf64666
parent9e14b83fa42310ef66b9cbcc299ed1ef2e3011d8 (diff)
downloadpoky-2561b58ac8131325c3e0248ad4a6533b1dd1b032.tar.gz
perl: fix CVE-2016-2381
Backport patch to fix CVE-2016-2381 from perl upstream: http://perl5.git.perl.org/perl.git/commitdiff/ae37b791a73a9e78dedb89fb2429d2628cf58076 (From OE-Core rev: 07ca8a0131f43e9cc2f720e1cdbcb7ba7c074886) (From OE-Core rev: 9f90044241cfe7910e707d97c966ee7d88883c26) Signed-off-by: Kai Kang <kai.kang@windriver.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-rw-r--r--meta/recipes-devtools/perl/perl/perl-fix-CVE-2016-2381.patch113
-rw-r--r--meta/recipes-devtools/perl/perl_5.22.1.bb1
2 files changed, 114 insertions, 0 deletions
diff --git a/meta/recipes-devtools/perl/perl/perl-fix-CVE-2016-2381.patch b/meta/recipes-devtools/perl/perl/perl-fix-CVE-2016-2381.patch
new file mode 100644
index 0000000000..0033ae0f63
--- /dev/null
+++ b/meta/recipes-devtools/perl/perl/perl-fix-CVE-2016-2381.patch
@@ -0,0 +1,113 @@
1Upstream-Status: Backport
2
3Backport patch to fix CVE-2016-2381 from
4
5http://perl5.git.perl.org/perl.git/commitdiff/ae37b791a73a9e78dedb89fb2429d2628cf58076
6
7Signed-off-by: Kai Kang <kai.kang@windriver.com>
8---
9From: Tony Cook <tony@develop-help.com>
10Date: Wed, 27 Jan 2016 00:52:15 +0000 (+1100)
11Subject: remove duplicate environment variables from environ
12X-Git-Tag: v5.23.9~170
13X-Git-Url: http://perl5.git.perl.org/perl.git/commitdiff_plain/ae37b791a73a9e78dedb89fb2429d2628cf58076
14
15remove duplicate environment variables from environ
16
17If we see duplicate environment variables while iterating over
18environ[]:
19
20a) make sure we use the same value in %ENV that getenv() returns.
21
22Previously on a duplicate, %ENV would have the last entry for the name
23from environ[], but a typical getenv() would return the first entry.
24
25Rather than assuming all getenv() implementations return the first entry
26explicitly call getenv() to ensure they agree.
27
28b) remove duplicate entries from environ
29
30Previously if there was a duplicate definition for a name in environ[]
31setting that name in %ENV could result in an unsafe value being passed
32to a child process, so ensure environ[] has no duplicates.
33
34CVE-2016-2381
35---
36
37diff --git a/perl.c b/perl.c
38index 4a324c6..5c71fd0 100644
39--- a/perl.c
40+++ b/perl.c
41@@ -4329,23 +4329,70 @@ S_init_postdump_symbols(pTHX_ int argc, char **argv, char **env)
42 }
43 if (env) {
44 char *s, *old_var;
45+ STRLEN nlen;
46 SV *sv;
47+ HV *dups = newHV();
48+
49 for (; *env; env++) {
50 old_var = *env;
51
52 if (!(s = strchr(old_var,'=')) || s == old_var)
53 continue;
54+ nlen = s - old_var;
55
56 #if defined(MSDOS) && !defined(DJGPP)
57 *s = '\0';
58 (void)strupr(old_var);
59 *s = '=';
60 #endif
61- sv = newSVpv(s+1, 0);
62- (void)hv_store(hv, old_var, s - old_var, sv, 0);
63+ if (hv_exists(hv, old_var, nlen)) {
64+ const char *name = savepvn(old_var, nlen);
65+
66+ /* make sure we use the same value as getenv(), otherwise code that
67+ uses getenv() (like setlocale()) might see a different value to %ENV
68+ */
69+ sv = newSVpv(PerlEnv_getenv(name), 0);
70+
71+ /* keep a count of the dups of this name so we can de-dup environ later */
72+ if (hv_exists(dups, name, nlen))
73+ ++SvIVX(*hv_fetch(dups, name, nlen, 0));
74+ else
75+ (void)hv_store(dups, name, nlen, newSViv(1), 0);
76+
77+ Safefree(name);
78+ }
79+ else {
80+ sv = newSVpv(s+1, 0);
81+ }
82+ (void)hv_store(hv, old_var, nlen, sv, 0);
83 if (env_is_not_environ)
84 mg_set(sv);
85 }
86+ if (HvKEYS(dups)) {
87+ /* environ has some duplicate definitions, remove them */
88+ HE *entry;
89+ hv_iterinit(dups);
90+ while ((entry = hv_iternext_flags(dups, 0))) {
91+ STRLEN nlen;
92+ const char *name = HePV(entry, nlen);
93+ IV count = SvIV(HeVAL(entry));
94+ IV i;
95+ SV **valp = hv_fetch(hv, name, nlen, 0);
96+
97+ assert(valp);
98+
99+ /* try to remove any duplicate names, depending on the
100+ * implementation used in my_setenv() the iteration might
101+ * not be necessary, but let's be safe.
102+ */
103+ for (i = 0; i < count; ++i)
104+ my_setenv(name, 0);
105+
106+ /* and set it back to the value we set $ENV{name} to */
107+ my_setenv(name, SvPV_nolen(*valp));
108+ }
109+ }
110+ SvREFCNT_dec_NN(dups);
111 }
112 #endif /* USE_ENVIRON_ARRAY */
113 #endif /* !PERL_MICRO */
diff --git a/meta/recipes-devtools/perl/perl_5.22.1.bb b/meta/recipes-devtools/perl/perl_5.22.1.bb
index 676f82093e..5aab9d55ed 100644
--- a/meta/recipes-devtools/perl/perl_5.22.1.bb
+++ b/meta/recipes-devtools/perl/perl_5.22.1.bb
@@ -65,6 +65,7 @@ SRC_URI += " \
65 file://perl-errno-generation-gcc5.patch \ 65 file://perl-errno-generation-gcc5.patch \
66 file://perl-fix-conflict-between-skip_all-and-END.patch \ 66 file://perl-fix-conflict-between-skip_all-and-END.patch \
67 file://perl-test-customized.patch \ 67 file://perl-test-customized.patch \
68 file://perl-fix-CVE-2016-2381.patch \
68" 69"
69 70
70# Fix test case issues 71# Fix test case issues