authorKai Kang <kai.kang@windriver.com>2016-07-14 08:53:08 (GMT)
committerRichard Purdie <richard.purdie@linuxfoundation.org>2016-10-06 07:51:17 (GMT)
commit2b8ab746bafd3467bbcb94a6a29eb623028f3a71 (patch)
tree8c532f84055842ebb3306dfe962e0c7f9a870bf1
parentb4362e09559eca94c522c4058ac0bd6bca5066c9 (diff)
downloadpoky-2b8ab746bafd3467bbcb94a6a29eb623028f3a71.tar.gz
perl: fix CVE-2016-2381
Backport patch to fix CVE-2016-2381 from perl upstream: http://perl5.git.perl.org/perl.git/commitdiff/ae37b791a73a9e78dedb89fb2429d2628cf58076 (From OE-Core rev: 07ca8a0131f43e9cc2f720e1cdbcb7ba7c074886) (From OE-Core rev: 30b33f5ad1d7a7c55620598427009bd27cfb3d42) Signed-off-by: Kai Kang <kai.kang@windriver.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Fixed up to apply again 5.22.0 Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-rw-r--r--meta/recipes-devtools/perl/perl/perl-fix-CVE-2016-2381.patch113
-rw-r--r--meta/recipes-devtools/perl/perl_5.22.0.bb1
2 files changed, 114 insertions, 0 deletions
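diff --git a/meta/recipes-devtools/perl/perl/perl-fix-CVE-2016-2381.patch b/meta/recipes-devtools/perl/perl/perl-fix-CVE-2016-2381.patch
new file mode 100644
index 0000000..0033ae0
--- /dev/null
+++ b/meta/recipes-devtools/perl/perl/perl-fix-CVE-2016-2381.patch
@@ -0,0 +1,113 @@
+Upstream-Status: Backport
+
+Backport patch to fix CVE-2016-2381 from
+
+http://perl5.git.perl.org/perl.git/commitdiff/ae37b791a73a9e78dedb89fb2429d2628cf58076
+
+Signed-off-by: Kai Kang <kai.kang@windriver.com>
+---
+From: Tony Cook <tony@develop-help.com>
+Date: Wed, 27 Jan 2016 00:52:15 +0000 (+1100)
+Subject: remove duplicate environment variables from environ
+X-Git-Tag: v5.23.9~170
+X-Git-Url: http://perl5.git.perl.org/perl.git/commitdiff_plain/ae37b791a73a9e78dedb89fb2429d2628cf58076
+
+remove duplicate environment variables from environ
+
+If we see duplicate environment variables while iterating over
+environ[]:
+
+a) make sure we use the same value in %ENV that getenv() returns.
+
+Previously on a duplicate, %ENV would have the last entry for the name
+from environ[], but a typical getenv() would return the first entry.
+
+Rather than assuming all getenv() implementations return the first entry
+explicitly call getenv() to ensure they agree.
+
+b) remove duplicate entries from environ
+
+Previously if there was a duplicate definition for a name in environ[]
+setting that name in %ENV could result in an unsafe value being passed
+to a child process, so ensure environ[] has no duplicates.
+
+CVE-2016-2381
+---
+
+diff --git a/perl.c b/perl.c
+index 4a324c6..5c71fd0 100644
+--- a/perl.c
++++ b/perl.c
+@@ -4329,23 +4329,70 @@ S_init_postdump_symbols(pTHX_ int argc, char **argv, char **env)
+ }
+ if (env) {
+ char *s, *old_var;
++ STRLEN nlen;
+ SV *sv;
++ HV *dups = newHV();
++
+ for (; *env; env++) {
+ old_var = *env;
+
+ if (!(s = strchr(old_var,'=')) || s == old_var)
+ continue;
++ nlen = s - old_var;
+
+ #if defined(MSDOS) && !defined(DJGPP)
+ *s = '\0';
+ (void)strupr(old_var);
+ *s = '=';
+ #endif
+- sv = newSVpv(s+1, 0);
+- (void)hv_store(hv, old_var, s - old_var, sv, 0);
++ if (hv_exists(hv, old_var, nlen)) {
++ const char *name = savepvn(old_var, nlen);
++
++ /* make sure we use the same value as getenv(), otherwise code that
++ uses getenv() (like setlocale()) might see a different value to %ENV
++ */
++ sv = newSVpv(PerlEnv_getenv(name), 0);
++
++ /* keep a count of the dups of this name so we can de-dup environ later */
++ if (hv_exists(dups, name, nlen))
++ ++SvIVX(*hv_fetch(dups, name, nlen, 0));
++ else
++ (void)hv_store(dups, name, nlen, newSViv(1), 0);
++
++ Safefree(name);
++ }
++ else {
++ sv = newSVpv(s+1, 0);
++ }
++ (void)hv_store(hv, old_var, nlen, sv, 0);
+ if (env_is_not_environ)
+ mg_set(sv);
+ }
++ if (HvKEYS(dups)) {
++ /* environ has some duplicate definitions, remove them */
++ HE *entry;
++ hv_iterinit(dups);
++ while ((entry = hv_iternext_flags(dups, 0))) {
++ STRLEN nlen;
++ const char *name = HePV(entry, nlen);
++ IV count = SvIV(HeVAL(entry));
++ IV i;
++ SV **valp = hv_fetch(hv, name, nlen, 0);
++
++ assert(valp);
++
++ /* try to remove any duplicate names, depending on the
++ * implementation used in my_setenv() the iteration might
++ * not be necessary, but let's be safe.
++ */
++ for (i = 0; i < count; ++i)
++ my_setenv(name, 0);
++
++ /* and set it back to the value we set $ENV{name} to */
++ my_setenv(name, SvPV_nolen(*valp));
++ }
++ }
++ SvREFCNT_dec_NN(dups);
+ }
+ #endif /* USE_ENVIRON_ARRAY */
+ #endif /* !PERL_MICRO */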
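Review bot: The patch header (lines 1-8 of the new file) carries `Upstream-Status: Backport` but no `CVE:` tag, so the link to the CVE exists only in the file name and the free-text description. Adding `CVE: CVE-2016-2381` next to the Upstream-Status line keeps the fix identifiable by CVE-tracking tooling even if the file is later renamed. In the backported C, `sv = newSVpv(PerlEnv_getenv(name), 0);` passes the getenv() result on without a NULL check. That looks safe when `env` is the process environ, but the `if (env_is_not_environ)` test a few lines further down suggests it may not always be, so a short comment on what happens when the lookup finds nothing would help the next maintainer. The enclosing function S_init_postdump_symbols starts and ends outside the hunk.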
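diff --git a/meta/recipes-devtools/perl/perl_5.22.0.bb b/meta/recipes-devtools/perl/perl_5.22.0.bb
index 9df8d04..27d0d5d 100644
--- a/meta/recipes-devtools/perl/perl_5.22.0.bb
+++ b/meta/recipes-devtools/perl/perl_5.22.0.bb
@@ -34,6 +34,7 @@ SRC_URI += " \
  file://debian/cpan-missing-site-dirs.diff \
  file://debian/fixes/memoize_storable_nstore.diff \
  file://debian/regen-skip.diff \
+ file://perl-fix-CVE-2016-2381.patch \
 "
 
 SRC_URI += " \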