diff options
author | Kai Kang <kai.kang@windriver.com> | 2016-07-14 16:53:08 +0800 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2016-09-23 15:27:06 +0100 |
commit | 2561b58ac8131325c3e0248ad4a6533b1dd1b032 (patch) | |
tree | e7918007b5e4af26312e322b4806d9facdf64666 | |
parent | 9e14b83fa42310ef66b9cbcc299ed1ef2e3011d8 (diff) | |
download | poky-2561b58ac8131325c3e0248ad4a6533b1dd1b032.tar.gz |
perl: fix CVE-2016-2381
Backport patch to fix CVE-2016-2381 from perl upstream:
http://perl5.git.perl.org/perl.git/commitdiff/ae37b791a73a9e78dedb89fb2429d2628cf58076
(From OE-Core rev: 07ca8a0131f43e9cc2f720e1cdbcb7ba7c074886)
(From OE-Core rev: 9f90044241cfe7910e707d97c966ee7d88883c26)
Signed-off-by: Kai Kang <kai.kang@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-rw-r--r-- | meta/recipes-devtools/perl/perl/perl-fix-CVE-2016-2381.patch | 113 | ||||
-rw-r--r-- | meta/recipes-devtools/perl/perl_5.22.1.bb | 1 |
2 files changed, 114 insertions, 0 deletions
diff --git a/meta/recipes-devtools/perl/perl/perl-fix-CVE-2016-2381.patch b/meta/recipes-devtools/perl/perl/perl-fix-CVE-2016-2381.patch new file mode 100644 index 0000000000..0033ae0f63 --- /dev/null +++ b/meta/recipes-devtools/perl/perl/perl-fix-CVE-2016-2381.patch | |||
@@ -0,0 +1,113 @@ | |||
1 | Upstream-Status: Backport | ||
2 | |||
3 | Backport patch to fix CVE-2016-2381 from | ||
4 | |||
5 | http://perl5.git.perl.org/perl.git/commitdiff/ae37b791a73a9e78dedb89fb2429d2628cf58076 | ||
6 | |||
7 | Signed-off-by: Kai Kang <kai.kang@windriver.com> | ||
8 | --- | ||
9 | From: Tony Cook <tony@develop-help.com> | ||
10 | Date: Wed, 27 Jan 2016 00:52:15 +0000 (+1100) | ||
11 | Subject: remove duplicate environment variables from environ | ||
12 | X-Git-Tag: v5.23.9~170 | ||
13 | X-Git-Url: http://perl5.git.perl.org/perl.git/commitdiff_plain/ae37b791a73a9e78dedb89fb2429d2628cf58076 | ||
14 | |||
15 | remove duplicate environment variables from environ | ||
16 | |||
17 | If we see duplicate environment variables while iterating over | ||
18 | environ[]: | ||
19 | |||
20 | a) make sure we use the same value in %ENV that getenv() returns. | ||
21 | |||
22 | Previously on a duplicate, %ENV would have the last entry for the name | ||
23 | from environ[], but a typical getenv() would return the first entry. | ||
24 | |||
25 | Rather than assuming all getenv() implementations return the first entry | ||
26 | explicitly call getenv() to ensure they agree. | ||
27 | |||
28 | b) remove duplicate entries from environ | ||
29 | |||
30 | Previously if there was a duplicate definition for a name in environ[] | ||
31 | setting that name in %ENV could result in an unsafe value being passed | ||
32 | to a child process, so ensure environ[] has no duplicates. | ||
33 | |||
34 | CVE-2016-2381 | ||
35 | --- | ||
36 | |||
37 | diff --git a/perl.c b/perl.c | ||
38 | index 4a324c6..5c71fd0 100644 | ||
39 | --- a/perl.c | ||
40 | +++ b/perl.c | ||
41 | @@ -4329,23 +4329,70 @@ S_init_postdump_symbols(pTHX_ int argc, char **argv, char **env) | ||
42 | } | ||
43 | if (env) { | ||
44 | char *s, *old_var; | ||
45 | + STRLEN nlen; | ||
46 | SV *sv; | ||
47 | + HV *dups = newHV(); | ||
48 | + | ||
49 | for (; *env; env++) { | ||
50 | old_var = *env; | ||
51 | |||
52 | if (!(s = strchr(old_var,'=')) || s == old_var) | ||
53 | continue; | ||
54 | + nlen = s - old_var; | ||
55 | |||
56 | #if defined(MSDOS) && !defined(DJGPP) | ||
57 | *s = '\0'; | ||
58 | (void)strupr(old_var); | ||
59 | *s = '='; | ||
60 | #endif | ||
61 | - sv = newSVpv(s+1, 0); | ||
62 | - (void)hv_store(hv, old_var, s - old_var, sv, 0); | ||
63 | + if (hv_exists(hv, old_var, nlen)) { | ||
64 | + const char *name = savepvn(old_var, nlen); | ||
65 | + | ||
66 | + /* make sure we use the same value as getenv(), otherwise code that | ||
67 | + uses getenv() (like setlocale()) might see a different value to %ENV | ||
68 | + */ | ||
69 | + sv = newSVpv(PerlEnv_getenv(name), 0); | ||
70 | + | ||
71 | + /* keep a count of the dups of this name so we can de-dup environ later */ | ||
72 | + if (hv_exists(dups, name, nlen)) | ||
73 | + ++SvIVX(*hv_fetch(dups, name, nlen, 0)); | ||
74 | + else | ||
75 | + (void)hv_store(dups, name, nlen, newSViv(1), 0); | ||
76 | + | ||
77 | + Safefree(name); | ||
78 | + } | ||
79 | + else { | ||
80 | + sv = newSVpv(s+1, 0); | ||
81 | + } | ||
82 | + (void)hv_store(hv, old_var, nlen, sv, 0); | ||
83 | if (env_is_not_environ) | ||
84 | mg_set(sv); | ||
85 | } | ||
86 | + if (HvKEYS(dups)) { | ||
87 | + /* environ has some duplicate definitions, remove them */ | ||
88 | + HE *entry; | ||
89 | + hv_iterinit(dups); | ||
90 | + while ((entry = hv_iternext_flags(dups, 0))) { | ||
91 | + STRLEN nlen; | ||
92 | + const char *name = HePV(entry, nlen); | ||
93 | + IV count = SvIV(HeVAL(entry)); | ||
94 | + IV i; | ||
95 | + SV **valp = hv_fetch(hv, name, nlen, 0); | ||
96 | + | ||
97 | + assert(valp); | ||
98 | + | ||
99 | + /* try to remove any duplicate names, depending on the | ||
100 | + * implementation used in my_setenv() the iteration might | ||
101 | + * not be necessary, but let's be safe. | ||
102 | + */ | ||
103 | + for (i = 0; i < count; ++i) | ||
104 | + my_setenv(name, 0); | ||
105 | + | ||
106 | + /* and set it back to the value we set $ENV{name} to */ | ||
107 | + my_setenv(name, SvPV_nolen(*valp)); | ||
108 | + } | ||
109 | + } | ||
110 | + SvREFCNT_dec_NN(dups); | ||
111 | } | ||
112 | #endif /* USE_ENVIRON_ARRAY */ | ||
113 | #endif /* !PERL_MICRO */ | ||
diff --git a/meta/recipes-devtools/perl/perl_5.22.1.bb b/meta/recipes-devtools/perl/perl_5.22.1.bb index 676f82093e..5aab9d55ed 100644 --- a/meta/recipes-devtools/perl/perl_5.22.1.bb +++ b/meta/recipes-devtools/perl/perl_5.22.1.bb | |||
@@ -65,6 +65,7 @@ SRC_URI += " \ | |||
65 | file://perl-errno-generation-gcc5.patch \ | 65 | file://perl-errno-generation-gcc5.patch \ |
66 | file://perl-fix-conflict-between-skip_all-and-END.patch \ | 66 | file://perl-fix-conflict-between-skip_all-and-END.patch \ |
67 | file://perl-test-customized.patch \ | 67 | file://perl-test-customized.patch \ |
68 | file://perl-fix-CVE-2016-2381.patch \ | ||
68 | " | 69 | " |
69 | 70 | ||
70 | # Fix test case issues | 71 | # Fix test case issues |