perl: fix for CVE-2010-4777

The Perl_reg_numbered_buff_fetch function in Perl 5.10.0, 5.12.0, 5.14.0, and other versions, when running with debugging enabled, allows context-dependent attackers to cause a denial of service (assertion failure and application exit) via crafted input that is not properly handled when using certain regular expressions, as demonstrated by causing SpamAssassin and OCSInventory to crash. http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-4777 (From OE-Core rev: 368df9f13ddf124e6aaaec06c02ab698c9e0b6c3) Signed-off-by: yanjun.zhu <yanjun.zhu@windriver.com> Signed-off-by: Roy Li <rongqing.li@windriver.com> Signed-off-by: Saul Wold <sgw@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: yanjun.zhu <yanjun.zhu@windriver.com> 2014-05-20 09:27:47 +0800
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2014-05-27 16:11:54 +0100
commit: 284a9b5f6bd35fec5db8854ca1c8af52e02a1542 (patch)
tree: 28376807016a4c00cbfcc4a894d6753f61770e0a /meta/recipes-devtools/perl/perl-5.14.3
parent: c8645caf56228da1bd4f448dbf90066911a1c59d (diff)
download: poky-284a9b5f6bd35fec5db8854ca1c8af52e02a1542.tar.gz
1 files changed, 45 insertions, 0 deletions
diff --git a/meta/recipes-devtools/perl/perl-5.14.3/perl-5.14.3-fix-CVE-2010-4777.patch b/meta/recipes-devtools/perl/perl-5.14.3/perl-5.14.3-fix-CVE-2010-4777.patch
new file mode 100644
index 0000000000..e0dcf412bb
--- /dev/null
+++ b/meta/recipes-devtools/perl/perl-5.14.3/perl-5.14.3-fix-CVE-2010-4777.patch
@@ -0,0 +1,45 @@
+perl:fix for CVE-2010-4777
+Upstream-Status: Backport
+    
+The Perl_reg_numbered_buff_fetch function in Perl 5.10.0, 5.12.0,
+5.14.0, and other versions, when running with debugging enabled,
+allows context-dependent attackers to cause a denial of service
+(assertion failure and application exit) via crafted input that
+is not properly handled when using certain regular expressions,
+as demonstrated by causing SpamAssassin and OCSInventory to
+crash.
+http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-4777
+Signed-off-by: yanjun.zhu <yanjun.zhu@windriver.com>
+--- a/regcomp.c
+++ b/regcomp.c
+@@ -11868,8 +11868,25 @@ Perl_save_re_context(pTHX)
+ 
+                if (gvp) {
+                    GV * const gv = *gvp;
+-                   if (SvTYPE(gv) == SVt_PVGV && GvSV(gv))
+-                       save_scalar(gv);
+                   if (SvTYPE(gv) == SVt_PVGV && GvSV(gv)) {
+                       /* this is a copy of save_scalar() without the GETMAGIC call, RT#76538 */
+                       SV ** const sptr = &GvSVn(gv);
+                       SV * osv = *sptr;
+                       SV * nsv = newSV(0);
+                       save_pushptrptr(SvREFCNT_inc_simple(gv),
+                       SvREFCNT_inc(osv), SAVEt_SV);
+                       if (SvTYPE(osv) >= SVt_PVMG && SvMAGIC(osv) &&
+                           SvTYPE(osv) != SVt_PVGV) {
+                           if (SvGMAGICAL(osv)) {
+                               const bool oldtainted = PL_tainted;
+                               SvFLAGS(osv) |= (SvFLAGS(osv) &
+                                   (SVp_IOK|SVp_NOK|SVp_POK)) >> PRIVSHIFT;
+                               PL_tainted = oldtainted;
+                           }
+                           mg_localize(osv, nsv, 1);
+                       }
+                       *sptr = nsv;
+                   }
+                }
+            }
+        }
author	yanjun.zhu <yanjun.zhu@windriver.com>	2014-05-20 09:27:47 +0800
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2014-05-27 16:11:54 +0100
commit	284a9b5f6bd35fec5db8854ca1c8af52e02a1542 (patch)
tree	28376807016a4c00cbfcc4a894d6753f61770e0a /meta/recipes-devtools/perl/perl-5.14.3
parent	c8645caf56228da1bd4f448dbf90066911a1c59d (diff)
download	poky-284a9b5f6bd35fec5db8854ca1c8af52e02a1542.tar.gz

diff --git a/meta/recipes-devtools/perl/perl-5.14.3/perl-5.14.3-fix-CVE-2010-4777.patch b/meta/recipes-devtools/perl/perl-5.14.3/perl-5.14.3-fix-CVE-2010-4777.patch new file mode 100644 index 0000000000..e0dcf412bb --- /dev/null +++ b/meta/recipes-devtools/perl/perl-5.14.3/perl-5.14.3-fix-CVE-2010-4777.patch
@@ -0,0 +1,45 @@
	1	perl:fix for CVE-2010-4777
	2
	3	Upstream-Status: Backport
	4
	5	The Perl_reg_numbered_buff_fetch function in Perl 5.10.0, 5.12.0,
	6	5.14.0, and other versions, when running with debugging enabled,
	7	allows context-dependent attackers to cause a denial of service
	8	(assertion failure and application exit) via crafted input that
	9	is not properly handled when using certain regular expressions,
	10	as demonstrated by causing SpamAssassin and OCSInventory to
	11	crash.
	12
	13	http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-4777
	14
	15	Signed-off-by: yanjun.zhu <yanjun.zhu@windriver.com>
	16	--- a/regcomp.c
	17	+++ b/regcomp.c
	18	@@ -11868,8 +11868,25 @@ Perl_save_re_context(pTHX)
	19
	20	if (gvp) {
	21	GV * const gv = *gvp;
	22	- if (SvTYPE(gv) == SVt_PVGV && GvSV(gv))
	23	- save_scalar(gv);
	24	+ if (SvTYPE(gv) == SVt_PVGV && GvSV(gv)) {
	25	+ /* this is a copy of save_scalar() without the GETMAGIC call, RT#76538 */
	26	+ SV ** const sptr = &GvSVn(gv);
	27	+ SV * osv = *sptr;
	28	+ SV * nsv = newSV(0);
	29	+ save_pushptrptr(SvREFCNT_inc_simple(gv),
	30	+ SvREFCNT_inc(osv), SAVEt_SV);
	31	+ if (SvTYPE(osv) >= SVt_PVMG && SvMAGIC(osv) &&
	32	+ SvTYPE(osv) != SVt_PVGV) {
	33	+ if (SvGMAGICAL(osv)) {
	34	+ const bool oldtainted = PL_tainted;
	35	+ SvFLAGS(osv) \|= (SvFLAGS(osv) &
	36	+ (SVp_IOK\|SVp_NOK\|SVp_POK)) >> PRIVSHIFT;
	37	+ PL_tainted = oldtainted;
	38	+ }
	39	+ mg_localize(osv, nsv, 1);
	40	+ }
	41	+ *sptr = nsv;
	42	+ }
	43	}
	44	}
	45	}