perl: fix CVE-2015-8607

Backport patch to fix CVE-2015-8607 from perl upstream: http://perl5.git.perl.org/perl.git/commitdiff/0b6f93036de171c12ba95d415e264d9cf7f4e1fd (From OE-Core rev: e2289647ace9ef96e6a7e4aae201fd9149e56678) (From OE-Core rev: d0451b2ed92867a0a2c37baded45cff997739153) Signed-off-by: Mingli Yu <Mingli.Yu@windriver.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> fixed up to apply to 5.22.0 Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Mingli Yu <Mingli.Yu@windriver.com> 2016-09-21 17:47:32 +0800
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2016-10-06 08:51:17 +0100
commit: 84997c7f212ec63f7368707354f16c74cecf9e1a (patch)
tree: 9bc8e3e628ad73979fa90c71a7c9165e94ce3e40
parent: e26f842287026e70ac0f3b2f6ef1ff447243274a (diff)
download: poky-84997c7f212ec63f7368707354f16c74cecf9e1a.tar.gz
2 files changed, 75 insertions, 0 deletions
diff --git a/meta/recipes-devtools/perl/perl/perl-fix-CVE-2015-8607.patch b/meta/recipes-devtools/perl/perl/perl-fix-CVE-2015-8607.patch
new file mode 100644
index 0000000000..7b4a0015cb
--- /dev/null
+++ b/meta/recipes-devtools/perl/perl/perl-fix-CVE-2015-8607.patch
@@ -0,0 +1,74 @@
+From 652c8d4852a69f1bb4d387946f9b76350a1f0d0e Mon Sep 17 00:00:00 2001
+From: Tony Cook <tony@develop-help.com>
+Date: Tue, 15 Dec 2015 10:56:54 +1100
+Subject: [PATCH] perl: fix CVE-2015-8607
+ensure File::Spec::canonpath() preserves taint
+Previously the unix specific XS implementation of canonpath() would
+return an untainted path when supplied a tainted path.
+For the empty string case, newSVpvs() already sets taint as needed on
+its result.
+This issue was assigned CVE-2015-8607.  [perl #126862]
+Backport patch from http://perl5.git.perl.org/perl.git/commitdiff/0b6f93036de171c12ba95d415e264d9cf7f4e1fd
+Upstream-Status: Backport
+CVE: CVE-2015-8607
+Signed-off-by: Mingli Yu <Mingli.Yu@windriver.com>
+---
+ dist/PathTools/Cwd.xs    |  1 +
+ dist/PathTools/t/taint.t | 19 ++++++++++++++++++-
+ 2 files changed, 19 insertions(+), 1 deletion(-)
+diff --git a/dist/PathTools/Cwd.xs b/dist/PathTools/Cwd.xs
+index 9d4dcf0..3d018dc 100644
+--- a/dist/PathTools/Cwd.xs
+++ b/dist/PathTools/Cwd.xs
+@@ -535,6 +535,7 @@ THX_unix_canonpath(pTHX_ SV *path)
+     *o = 0;
+     SvPOK_on(retval);
+     SvCUR_set(retval, o - SvPVX(retval));
+    SvTAINT(retval);
+     return retval;
+ }
+ 
+diff --git a/dist/PathTools/t/taint.t b/dist/PathTools/t/taint.t
+index 309b3e5..48f8c5b 100644
+--- a/dist/PathTools/t/taint.t
+++ b/dist/PathTools/t/taint.t
+@@ -12,7 +12,7 @@ use Test::More;
+ BEGIN {
+     plan(
+         ${^TAINT}
+-        ? (tests => 17)
+        ? (tests => 21)
+         : (skip_all => "A perl without taint support")
+     );
+ }
+@@ -34,3 +34,20 @@ foreach my $func (@Functions) {
+ 
+ # Previous versions of Cwd tainted $^O
+ is !tainted($^O), 1, "\$^O should not be tainted";
+
+{
+    # [perl #126862] canonpath() loses taint
+    my $tainted = substr($ENV{PATH}, 0, 0);
+    # yes, getcwd()'s result should be tainted, and is tested above
+    # but be sure
+    ok tainted(File::Spec->canonpath($tainted . Cwd::getcwd)),
+        "canonpath() keeps taint on non-empty string";
+    ok tainted(File::Spec->canonpath($tainted)),
+        "canonpath() keeps taint on empty string";
+
+    (Cwd::getcwd() =~ /^(.*)/);
+    my $untainted = $1;
+    ok !tainted($untainted), "make sure our untainted value is untainted";
+    ok !tainted(File::Spec->canonpath($untainted)),
+        "canonpath() doesn't add taint to untainted string";
+}
+-- 
+2.8.1
diff --git a/meta/recipes-devtools/perl/perl_5.22.0.bb b/meta/recipes-devtools/perl/perl_5.22.0.bb
index 08159b106f..ff82b80e66 100644
--- a/meta/recipes-devtools/perl/perl_5.22.0.bb
+++ b/meta/recipes-devtools/perl/perl_5.22.0.bb
@@ -36,6 +36,7 @@ SRC_URI += " \
        file://debian/regen-skip.diff \
        file://perl-fix-CVE-2016-2381.patch \
        file://perl-fix-CVE-2016-6185.patch \
+        file://perl-fix-CVE-2015-8607.patch \
 "
 SRC_URI += " \
author	Mingli Yu <Mingli.Yu@windriver.com>	2016-09-21 17:47:32 +0800
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2016-10-06 08:51:17 +0100
commit	84997c7f212ec63f7368707354f16c74cecf9e1a (patch)
tree	9bc8e3e628ad73979fa90c71a7c9165e94ce3e40
parent	e26f842287026e70ac0f3b2f6ef1ff447243274a (diff)
download	poky-84997c7f212ec63f7368707354f16c74cecf9e1a.tar.gz

diff --git a/meta/recipes-devtools/perl/perl/perl-fix-CVE-2015-8607.patch b/meta/recipes-devtools/perl/perl/perl-fix-CVE-2015-8607.patch new file mode 100644 index 0000000000..7b4a0015cb --- /dev/null +++ b/meta/recipes-devtools/perl/perl/perl-fix-CVE-2015-8607.patch
@@ -0,0 +1,74 @@
		1	From 652c8d4852a69f1bb4d387946f9b76350a1f0d0e Mon Sep 17 00:00:00 2001
		2	From: Tony Cook <tony@develop-help.com>
		3	Date: Tue, 15 Dec 2015 10:56:54 +1100
		4	Subject: [PATCH] perl: fix CVE-2015-8607
		5
		6	ensure File::Spec::canonpath() preserves taint
		7
		8	Previously the unix specific XS implementation of canonpath() would
		9	return an untainted path when supplied a tainted path.
		10
		11	For the empty string case, newSVpvs() already sets taint as needed on
		12	its result.
		13
		14	This issue was assigned CVE-2015-8607. [perl #126862]
		15
		16	Backport patch from http://perl5.git.perl.org/perl.git/commitdiff/0b6f93036de171c12ba95d415e264d9cf7f4e1fd
		17
		18	Upstream-Status: Backport
		19	CVE: CVE-2015-8607
		20	Signed-off-by: Mingli Yu <Mingli.Yu@windriver.com>
		21	---
		22	dist/PathTools/Cwd.xs \| 1 +
		23	dist/PathTools/t/taint.t \| 19 ++++++++++++++++++-
		24	2 files changed, 19 insertions(+), 1 deletion(-)
		25
		26	diff --git a/dist/PathTools/Cwd.xs b/dist/PathTools/Cwd.xs
		27	index 9d4dcf0..3d018dc 100644
		28	--- a/dist/PathTools/Cwd.xs
		29	+++ b/dist/PathTools/Cwd.xs
		30	@@ -535,6 +535,7 @@ THX_unix_canonpath(pTHX_ SV *path)
		31	*o = 0;
		32	SvPOK_on(retval);
		33	SvCUR_set(retval, o - SvPVX(retval));
		34	+ SvTAINT(retval);
		35	return retval;
		36	}
		37
		38	diff --git a/dist/PathTools/t/taint.t b/dist/PathTools/t/taint.t
		39	index 309b3e5..48f8c5b 100644
		40	--- a/dist/PathTools/t/taint.t
		41	+++ b/dist/PathTools/t/taint.t
		42	@@ -12,7 +12,7 @@ use Test::More;
		43	BEGIN {
		44	plan(
		45	${^TAINT}
		46	- ? (tests => 17)
		47	+ ? (tests => 21)
		48	: (skip_all => "A perl without taint support")
		49	);
		50	}
		51	@@ -34,3 +34,20 @@ foreach my $func (@Functions) {
		52
		53	# Previous versions of Cwd tainted $^O
		54	is !tainted($^O), 1, "\$^O should not be tainted";
		55	+
		56	+{
		57	+ # [perl #126862] canonpath() loses taint
		58	+ my $tainted = substr($ENV{PATH}, 0, 0);
		59	+ # yes, getcwd()'s result should be tainted, and is tested above
		60	+ # but be sure
		61	+ ok tainted(File::Spec->canonpath($tainted . Cwd::getcwd)),
		62	+ "canonpath() keeps taint on non-empty string";
		63	+ ok tainted(File::Spec->canonpath($tainted)),
		64	+ "canonpath() keeps taint on empty string";
		65	+
		66	+ (Cwd::getcwd() =~ /^(.*)/);
		67	+ my $untainted = $1;
		68	+ ok !tainted($untainted), "make sure our untainted value is untainted";
		69	+ ok !tainted(File::Spec->canonpath($untainted)),
		70	+ "canonpath() doesn't add taint to untainted string";
		71	+}
		72	--
		73	2.8.1
		74


diff --git a/meta/recipes-devtools/perl/perl_5.22.0.bb b/meta/recipes-devtools/perl/perl_5.22.0.bb index 08159b106f..ff82b80e66 100644 --- a/meta/recipes-devtools/perl/perl_5.22.0.bb +++ b/meta/recipes-devtools/perl/perl_5.22.0.bb
@@ -36,6 +36,7 @@ SRC_URI += " \
36	file://debian/regen-skip.diff \	36	file://debian/regen-skip.diff \
37	file://perl-fix-CVE-2016-2381.patch \	37	file://perl-fix-CVE-2016-2381.patch \
38	file://perl-fix-CVE-2016-6185.patch \	38	file://perl-fix-CVE-2016-6185.patch \
		39	file://perl-fix-CVE-2015-8607.patch \
39	"	40	"
40		41
41	SRC_URI += " \	42	SRC_URI += " \