perl: fix CVE-2020-10543 & CVE-2020-10878

(From OE-Core rev: d9c5d9c52eb1f03ff9c907a76dda31042fb26edb) Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Lee Chee Yang <chee.yang.lee@intel.com> 2020-06-15 20:15:33 +0800
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2020-07-02 16:12:36 +0100
commit: 57b40bdd5431e10e46c255080e507fa02c838690 (patch)
tree: ddf6058af6d99199e291252e457e1b8589ea8a53 /meta/recipes-devtools
parent: 4ff643079369540b40b029af067d3798a0798b8e (diff)
download: poky-57b40bdd5431e10e46c255080e507fa02c838690.tar.gz
4 files changed, 227 insertions, 0 deletions
diff --git a/meta/recipes-devtools/perl/files/CVE-2020-10543.patch b/meta/recipes-devtools/perl/files/CVE-2020-10543.patch
new file mode 100644
index 0000000000..36dff0aac9
--- /dev/null
+++ b/meta/recipes-devtools/perl/files/CVE-2020-10543.patch
@@ -0,0 +1,36 @@
+From 897d1f7fd515b828e4b198d8b8bef76c6faf03ed Mon Sep 17 00:00:00 2001
+From: John Lightsey <jd@cpanel.net>
+Date: Wed, 20 Nov 2019 20:02:45 -0600
+Subject: [PATCH] regcomp.c: Prevent integer overflow from nested regex
+ quantifiers.
+(CVE-2020-10543) On 32bit systems the size calculations for nested regular
+expression quantifiers could overflow causing heap memory corruption.
+Fixes: Perl/perl5-security#125
+(cherry picked from commit bfd31397db5dc1a5c5d3e0a1f753a4f89a736e71)
+Upstream-Status: Backport [https://github.com/perl/perl5/commit/897d1f7fd515b828e4b198d8b8bef76c6faf03ed] 
+CVE: CVE-2020-10543
+Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
+---
+ regcomp.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+diff --git a/regcomp.c b/regcomp.c
+index 93c8d98fbb0..5f86be8086d 100644
+--- a/regcomp.c
+++ b/regcomp.c
+@@ -5489,6 +5489,12 @@ S_study_chunk(pTHX_ RExC_state_t *pRExC_state, regnode **scanp,
+                                  RExC_precomp)));
+                 }
+ 
+                if ( ( minnext > 0 && mincount >= SSize_t_MAX / minnext )
+                    || min >= SSize_t_MAX - minnext * mincount )
+                {
+                    FAIL("Regexp out of space");
+                }
+
+                min += minnext * mincount;
+                is_inf_internal |= deltanext == SSize_t_MAX
+                          || (maxcount == REG_INFTY && minnext + deltanext > 0);
diff --git a/meta/recipes-devtools/perl/files/CVE-2020-10878_1.patch b/meta/recipes-devtools/perl/files/CVE-2020-10878_1.patch
new file mode 100644
index 0000000000..b86085a551
--- /dev/null
+++ b/meta/recipes-devtools/perl/files/CVE-2020-10878_1.patch
@@ -0,0 +1,152 @@
+From 0a320d753fe7fca03df259a4dfd8e641e51edaa8 Mon Sep 17 00:00:00 2001
+From: Hugo van der Sanden <hv@crypt.org>
+Date: Tue, 18 Feb 2020 13:51:16 +0000
+Subject: [PATCH] study_chunk: extract rck_elide_nothing
+(CVE-2020-10878)
+(cherry picked from commit 93dee06613d4e1428fb10905ce1c3c96f53113dc)
+Upstream-Status: Backport [https://github.com/perl/perl5/commit/0a320d753fe7fca03df259a4dfd8e641e51edaa8] 
+CVE: CVE-2020-10878
+Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
+---
+ embed.fnc |  1 +
+ embed.h   |  1 +
+ proto.h   |  3 +++
+ regcomp.c | 70 ++++++++++++++++++++++++++++++++++---------------------
+ 4 files changed, 48 insertions(+), 27 deletions(-)
+diff --git a/embed.fnc b/embed.fnc
+index aedb4baef19..d7cd04d3fc3 100644
+--- a/embed.fnc
+++ b/embed.fnc
+@@ -2481,6 +2481,7 @@ Es        |SSize_t|study_chunk    |NN RExC_state_t *pRExC_state \
+                                 |I32 stopparen|U32 recursed_depth \
+                                |NULLOK regnode_ssc *and_withp \
+                                |U32 flags|U32 depth
+Es     |void   |rck_elide_nothing|NN regnode *node
+ EsR    |SV *   |get_ANYOFM_contents|NN const regnode * n
+ EsRn   |U32    |add_data       |NN RExC_state_t* const pRExC_state \
+                                |NN const char* const s|const U32 n
+diff --git a/embed.h b/embed.h
+index 75c91f77f45..356a8b98d96 100644
+--- a/embed.h
+++ b/embed.h
+@@ -1208,6 +1208,7 @@
+ #define parse_lparen_question_flags(a) S_parse_lparen_question_flags(aTHX_ a)
+ #define parse_uniprop_string(a,b,c,d,e,f,g,h,i)        Perl_parse_uniprop_string(aTHX_ a,b,c,d,e,f,g,h,i)
+ #define populate_ANYOF_from_invlist(a,b)       S_populate_ANYOF_from_invlist(aTHX_ a,b)
+#define rck_elide_nothing(a)   S_rck_elide_nothing(aTHX_ a)
+ #define reg(a,b,c,d)           S_reg(aTHX_ a,b,c,d)
+ #define reg2Lanode(a,b,c,d)    S_reg2Lanode(aTHX_ a,b,c,d)
+ #define reg_node(a,b)          S_reg_node(aTHX_ a,b)
+diff --git a/proto.h b/proto.h
+index 141ddbaee6d..f316fe134e1 100644
+--- a/proto.h
+++ b/proto.h
+@@ -5543,6 +5543,9 @@ PERL_CALLCONV SV *        Perl_parse_uniprop_string(pTHX_ const char * const name, cons
+ STATIC void    S_populate_ANYOF_from_invlist(pTHX_ regnode *node, SV** invlist_ptr);
+ #define PERL_ARGS_ASSERT_POPULATE_ANYOF_FROM_INVLIST   \
+        assert(node); assert(invlist_ptr)
+STATIC void    S_rck_elide_nothing(pTHX_ regnode *node);
+#define PERL_ARGS_ASSERT_RCK_ELIDE_NOTHING     \
+       assert(node)
+ PERL_STATIC_NO_RET void        S_re_croak2(pTHX_ bool utf8, const char* pat1, const char* pat2, ...)
+                        __attribute__noreturn__;
+ #define PERL_ARGS_ASSERT_RE_CROAK2     \
+diff --git a/regcomp.c b/regcomp.c
+index 5f86be8086d..4ba2980db66 100644
+--- a/regcomp.c
+++ b/regcomp.c
+@@ -4450,6 +4450,44 @@ S_unwind_scan_frames(pTHX_ const void *p)
+     } while (f);
+ }
+ 
+/* Follow the next-chain of the current node and optimize away
+   all the NOTHINGs from it.
+ */
+STATIC void
+S_rck_elide_nothing(pTHX_ regnode *node)
+{
+    dVAR;
+
+    PERL_ARGS_ASSERT_RCK_ELIDE_NOTHING;
+
+    if (OP(node) != CURLYX) {
+        const int max = (reg_off_by_arg[OP(node)]
+                        ? I32_MAX
+                          /* I32 may be smaller than U16 on CRAYs! */
+                        : (I32_MAX < U16_MAX ? I32_MAX : U16_MAX));
+        int off = (reg_off_by_arg[OP(node)] ? ARG(node) : NEXT_OFF(node));
+        int noff;
+        regnode *n = node;
+
+        /* Skip NOTHING and LONGJMP. */
+        while (
+            (n = regnext(n))
+            && (
+                (PL_regkind[OP(n)] == NOTHING && (noff = NEXT_OFF(n)))
+                || ((OP(n) == LONGJMP) && (noff = ARG(n)))
+            )
+            && off + noff < max
+        ) {
+            off += noff;
+        }
+        if (reg_off_by_arg[OP(node)])
+            ARG(node) = off;
+        else
+            NEXT_OFF(node) = off;
+    }
+    return;
+}
+
+ /* the return from this sub is the minimum length that could possibly match */
+ STATIC SSize_t
+ S_study_chunk(pTHX_ RExC_state_t *pRExC_state, regnode **scanp,
+@@ -4550,28 +4588,10 @@ S_study_chunk(pTHX_ RExC_state_t *pRExC_state, regnode **scanp,
+          */
+         JOIN_EXACT(scan,&min_subtract, &unfolded_multi_char, 0);
+ 
+-       /* Follow the next-chain of the current node and optimize
+-          away all the NOTHINGs from it.  */
+-       if (OP(scan) != CURLYX) {
+-           const int max = (reg_off_by_arg[OP(scan)]
+-                      ? I32_MAX
+-                      /* I32 may be smaller than U16 on CRAYs! */
+-                      : (I32_MAX < U16_MAX ? I32_MAX : U16_MAX));
+-           int off = (reg_off_by_arg[OP(scan)] ? ARG(scan) : NEXT_OFF(scan));
+-           int noff;
+-           regnode *n = scan;
+-
+-           /* Skip NOTHING and LONGJMP. */
+-           while ((n = regnext(n))
+-                  && ((PL_regkind[OP(n)] == NOTHING && (noff = NEXT_OFF(n)))
+-                      || ((OP(n) == LONGJMP) && (noff = ARG(n))))
+-                  && off + noff < max)
+-               off += noff;
+-           if (reg_off_by_arg[OP(scan)])
+-               ARG(scan) = off;
+-           else
+-               NEXT_OFF(scan) = off;
+-       }
+        /* Follow the next-chain of the current node and optimize
+           away all the NOTHINGs from it.
+         */
+        rck_elide_nothing(scan);
+ 
+        /* The principal pseudo-switch.  Cannot be a switch, since we
+           look into several different things.  */
+@@ -5745,11 +5765,7 @@ Perl_re_printf( aTHX_  "LHS=%" UVuf " RHS=%" UVuf "\n",
+                if (data && (fl & SF_HAS_EVAL))
+                    data->flags |= SF_HAS_EVAL;
+              optimize_curly_tail:
+-               if (OP(oscan) != CURLYX) {
+-                   while (PL_regkind[OP(next = regnext(oscan))] == NOTHING
+-                          && NEXT_OFF(next))
+-                       NEXT_OFF(oscan) += NEXT_OFF(next);
+-               }
+               rck_elide_nothing(oscan);
+                continue;
+ 
+            default:
diff --git a/meta/recipes-devtools/perl/files/CVE-2020-10878_2.patch b/meta/recipes-devtools/perl/files/CVE-2020-10878_2.patch
new file mode 100644
index 0000000000..0bacd6b192
--- /dev/null
+++ b/meta/recipes-devtools/perl/files/CVE-2020-10878_2.patch
@@ -0,0 +1,36 @@
+From 3295b48defa0f8570114877b063fe546dd348b3c Mon Sep 17 00:00:00 2001
+From: Karl Williamson <khw@cpan.org>
+Date: Thu, 20 Feb 2020 17:49:36 +0000
+Subject: [PATCH] regcomp: use long jumps if there is any possibility of
+ overflow
+(CVE-2020-10878) Be conservative for backporting, we'll aim to do
+something more aggressive for bleadperl.
+(cherry picked from commit 9d7759db46f3b31b1d3f79c44266b6ba42a47fc6)
+Upstream-Status: Backport [https://github.com/perl/perl5/commit/3295b48defa0f8570114877b063fe546dd348b3c] 
+CVE: CVE-2020-10878
+Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
+---
+ regcomp.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+diff --git a/regcomp.c b/regcomp.c
+index 4ba2980db66..73c35a67020 100644
+--- a/regcomp.c
+++ b/regcomp.c
+@@ -7762,6 +7762,13 @@ Perl_re_op_compile(pTHX_ SV ** const patternp, int pat_count,
+ 
+         /* We have that number in RExC_npar */
+         RExC_total_parens = RExC_npar;
+
+        /* XXX For backporting, use long jumps if there is any possibility of
+         * overflow */
+        if (RExC_size > U16_MAX && ! RExC_use_BRANCHJ) {
+            RExC_use_BRANCHJ = TRUE;
+            flags |= RESTART_PARSE;
+        }
+     }
+     else if (! MUST_RESTART(flags)) {
+        ReREFCNT_dec(Rx);
diff --git a/meta/recipes-devtools/perl/perl_5.30.1.bb b/meta/recipes-devtools/perl/perl_5.30.1.bb
index 5f3a9eeeb3..47b2f9ca65 100644
--- a/meta/recipes-devtools/perl/perl_5.30.1.bb
+++ b/meta/recipes-devtools/perl/perl_5.30.1.bb
@@ -24,6 +24,9 @@ SRC_URI = "https://www.cpan.org/src/5.0/perl-${PV}.tar.gz;name=perl \
           file://0001-PATCH-perl-134117-Close-DATA-in-loc_tools.pl.patch \
           file://determinism.patch  \
           file://racefix.patch \
+           file://CVE-2020-10543.patch \
+           file://CVE-2020-10878_1.patch \
+           file://CVE-2020-10878_2.patch \
           "
 SRC_URI_append_class-native = " \
           file://perl-configpm-switch.patch \
author	Lee Chee Yang <chee.yang.lee@intel.com>	2020-06-15 20:15:33 +0800
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2020-07-02 16:12:36 +0100
commit	57b40bdd5431e10e46c255080e507fa02c838690 (patch)
tree	ddf6058af6d99199e291252e457e1b8589ea8a53 /meta/recipes-devtools
parent	4ff643079369540b40b029af067d3798a0798b8e (diff)
download	poky-57b40bdd5431e10e46c255080e507fa02c838690.tar.gz

diff --git a/meta/recipes-devtools/perl/files/CVE-2020-10543.patch b/meta/recipes-devtools/perl/files/CVE-2020-10543.patch new file mode 100644 index 0000000000..36dff0aac9 --- /dev/null +++ b/meta/recipes-devtools/perl/files/CVE-2020-10543.patch
@@ -0,0 +1,36 @@
		1	From 897d1f7fd515b828e4b198d8b8bef76c6faf03ed Mon Sep 17 00:00:00 2001
		2	From: John Lightsey <jd@cpanel.net>
		3	Date: Wed, 20 Nov 2019 20:02:45 -0600
		4	Subject: [PATCH] regcomp.c: Prevent integer overflow from nested regex
		5	quantifiers.
		6
		7	(CVE-2020-10543) On 32bit systems the size calculations for nested regular
		8	expression quantifiers could overflow causing heap memory corruption.
		9
		10	Fixes: Perl/perl5-security#125
		11	(cherry picked from commit bfd31397db5dc1a5c5d3e0a1f753a4f89a736e71)
		12
		13	Upstream-Status: Backport [https://github.com/perl/perl5/commit/897d1f7fd515b828e4b198d8b8bef76c6faf03ed]
		14	CVE: CVE-2020-10543
		15	Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
		16	---
		17	regcomp.c \| 6 ++++++
		18	1 file changed, 6 insertions(+)
		19
		20	diff --git a/regcomp.c b/regcomp.c
		21	index 93c8d98fbb0..5f86be8086d 100644
		22	--- a/regcomp.c
		23	+++ b/regcomp.c
		24	@@ -5489,6 +5489,12 @@ S_study_chunk(pTHX_ RExC_state_t pRExC_state, regnode *scanp,
		25	RExC_precomp)));
		26	}
		27
		28	+ if ( ( minnext > 0 && mincount >= SSize_t_MAX / minnext )
		29	+ \|\| min >= SSize_t_MAX - minnext * mincount )
		30	+ {
		31	+ FAIL("Regexp out of space");
		32	+ }
		33	+
		34	min += minnext * mincount;
		35	is_inf_internal \|= deltanext == SSize_t_MAX
		36	\|\| (maxcount == REG_INFTY && minnext + deltanext > 0);


diff --git a/meta/recipes-devtools/perl/files/CVE-2020-10878_1.patch b/meta/recipes-devtools/perl/files/CVE-2020-10878_1.patch new file mode 100644 index 0000000000..b86085a551 --- /dev/null +++ b/meta/recipes-devtools/perl/files/CVE-2020-10878_1.patch
@@ -0,0 +1,152 @@
		1	From 0a320d753fe7fca03df259a4dfd8e641e51edaa8 Mon Sep 17 00:00:00 2001
		2	From: Hugo van der Sanden <hv@crypt.org>
		3	Date: Tue, 18 Feb 2020 13:51:16 +0000
		4	Subject: [PATCH] study_chunk: extract rck_elide_nothing
		5
		6	(CVE-2020-10878)
		7
		8	(cherry picked from commit 93dee06613d4e1428fb10905ce1c3c96f53113dc)
		9
		10	Upstream-Status: Backport [https://github.com/perl/perl5/commit/0a320d753fe7fca03df259a4dfd8e641e51edaa8]
		11	CVE: CVE-2020-10878
		12	Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
		13	---
		14	embed.fnc \| 1 +
		15	embed.h \| 1 +
		16	proto.h \| 3 +++
		17	regcomp.c \| 70 ++++++++++++++++++++++++++++++++++---------------------
		18	4 files changed, 48 insertions(+), 27 deletions(-)
		19
		20	diff --git a/embed.fnc b/embed.fnc
		21	index aedb4baef19..d7cd04d3fc3 100644
		22	--- a/embed.fnc
		23	+++ b/embed.fnc
		24	@@ -2481,6 +2481,7 @@ Es \|SSize_t\|study_chunk \|NN RExC_state_t *pRExC_state \
		25	\|I32 stopparen\|U32 recursed_depth \
		26	\|NULLOK regnode_ssc *and_withp \
		27	\|U32 flags\|U32 depth
		28	+Es \|void \|rck_elide_nothing\|NN regnode *node
		29	EsR \|SV * \|get_ANYOFM_contents\|NN const regnode * n
		30	EsRn \|U32 \|add_data \|NN RExC_state_t* const pRExC_state \
		31	\|NN const char* const s\|const U32 n
		32	diff --git a/embed.h b/embed.h
		33	index 75c91f77f45..356a8b98d96 100644
		34	--- a/embed.h
		35	+++ b/embed.h
		36	@@ -1208,6 +1208,7 @@
		37	#define parse_lparen_question_flags(a) S_parse_lparen_question_flags(aTHX_ a)
		38	#define parse_uniprop_string(a,b,c,d,e,f,g,h,i) Perl_parse_uniprop_string(aTHX_ a,b,c,d,e,f,g,h,i)
		39	#define populate_ANYOF_from_invlist(a,b) S_populate_ANYOF_from_invlist(aTHX_ a,b)
		40	+#define rck_elide_nothing(a) S_rck_elide_nothing(aTHX_ a)
		41	#define reg(a,b,c,d) S_reg(aTHX_ a,b,c,d)
		42	#define reg2Lanode(a,b,c,d) S_reg2Lanode(aTHX_ a,b,c,d)
		43	#define reg_node(a,b) S_reg_node(aTHX_ a,b)
		44	diff --git a/proto.h b/proto.h
		45	index 141ddbaee6d..f316fe134e1 100644
		46	--- a/proto.h
		47	+++ b/proto.h
		48	@@ -5543,6 +5543,9 @@ PERL_CALLCONV SV * Perl_parse_uniprop_string(pTHX_ const char * const name, cons
		49	STATIC void S_populate_ANYOF_from_invlist(pTHX_ regnode node, SV* invlist_ptr);
		50	#define PERL_ARGS_ASSERT_POPULATE_ANYOF_FROM_INVLIST \
		51	assert(node); assert(invlist_ptr)
		52	+STATIC void S_rck_elide_nothing(pTHX_ regnode *node);
		53	+#define PERL_ARGS_ASSERT_RCK_ELIDE_NOTHING \
		54	+ assert(node)
		55	PERL_STATIC_NO_RET void S_re_croak2(pTHX_ bool utf8, const char* pat1, const char* pat2, ...)
		56	__attribute__noreturn__;
		57	#define PERL_ARGS_ASSERT_RE_CROAK2 \
		58	diff --git a/regcomp.c b/regcomp.c
		59	index 5f86be8086d..4ba2980db66 100644
		60	--- a/regcomp.c
		61	+++ b/regcomp.c
		62	@@ -4450,6 +4450,44 @@ S_unwind_scan_frames(pTHX_ const void *p)
		63	} while (f);
		64	}
		65
		66	+/* Follow the next-chain of the current node and optimize away
		67	+ all the NOTHINGs from it.
		68	+ */
		69	+STATIC void
		70	+S_rck_elide_nothing(pTHX_ regnode *node)
		71	+{
		72	+ dVAR;
		73	+
		74	+ PERL_ARGS_ASSERT_RCK_ELIDE_NOTHING;
		75	+
		76	+ if (OP(node) != CURLYX) {
		77	+ const int max = (reg_off_by_arg[OP(node)]
		78	+ ? I32_MAX
		79	+ /* I32 may be smaller than U16 on CRAYs! */
		80	+ : (I32_MAX < U16_MAX ? I32_MAX : U16_MAX));
		81	+ int off = (reg_off_by_arg[OP(node)] ? ARG(node) : NEXT_OFF(node));
		82	+ int noff;
		83	+ regnode *n = node;
		84	+
		85	+ /* Skip NOTHING and LONGJMP. */
		86	+ while (
		87	+ (n = regnext(n))
		88	+ && (
		89	+ (PL_regkind[OP(n)] == NOTHING && (noff = NEXT_OFF(n)))
		90	+ \|\| ((OP(n) == LONGJMP) && (noff = ARG(n)))
		91	+ )
		92	+ && off + noff < max
		93	+ ) {
		94	+ off += noff;
		95	+ }
		96	+ if (reg_off_by_arg[OP(node)])
		97	+ ARG(node) = off;
		98	+ else
		99	+ NEXT_OFF(node) = off;
		100	+ }
		101	+ return;
		102	+}
		103	+
		104	/* the return from this sub is the minimum length that could possibly match */
		105	STATIC SSize_t
		106	S_study_chunk(pTHX_ RExC_state_t pRExC_state, regnode *scanp,
		107	@@ -4550,28 +4588,10 @@ S_study_chunk(pTHX_ RExC_state_t pRExC_state, regnode *scanp,
		108	*/
		109	JOIN_EXACT(scan,&min_subtract, &unfolded_multi_char, 0);
		110
		111	- /* Follow the next-chain of the current node and optimize
		112	- away all the NOTHINGs from it. */
		113	- if (OP(scan) != CURLYX) {
		114	- const int max = (reg_off_by_arg[OP(scan)]
		115	- ? I32_MAX
		116	- /* I32 may be smaller than U16 on CRAYs! */
		117	- : (I32_MAX < U16_MAX ? I32_MAX : U16_MAX));
		118	- int off = (reg_off_by_arg[OP(scan)] ? ARG(scan) : NEXT_OFF(scan));
		119	- int noff;
		120	- regnode *n = scan;
		121	-
		122	- /* Skip NOTHING and LONGJMP. */
		123	- while ((n = regnext(n))
		124	- && ((PL_regkind[OP(n)] == NOTHING && (noff = NEXT_OFF(n)))
		125	- \|\| ((OP(n) == LONGJMP) && (noff = ARG(n))))
		126	- && off + noff < max)
		127	- off += noff;
		128	- if (reg_off_by_arg[OP(scan)])
		129	- ARG(scan) = off;
		130	- else
		131	- NEXT_OFF(scan) = off;
		132	- }
		133	+ /* Follow the next-chain of the current node and optimize
		134	+ away all the NOTHINGs from it.
		135	+ */
		136	+ rck_elide_nothing(scan);
		137
		138	/* The principal pseudo-switch. Cannot be a switch, since we
		139	look into several different things. */
		140	@@ -5745,11 +5765,7 @@ Perl_re_printf( aTHX_ "LHS=%" UVuf " RHS=%" UVuf "\n",
		141	if (data && (fl & SF_HAS_EVAL))
		142	data->flags \|= SF_HAS_EVAL;
		143	optimize_curly_tail:
		144	- if (OP(oscan) != CURLYX) {
		145	- while (PL_regkind[OP(next = regnext(oscan))] == NOTHING
		146	- && NEXT_OFF(next))
		147	- NEXT_OFF(oscan) += NEXT_OFF(next);
		148	- }
		149	+ rck_elide_nothing(oscan);
		150	continue;
		151
		152	default:


diff --git a/meta/recipes-devtools/perl/files/CVE-2020-10878_2.patch b/meta/recipes-devtools/perl/files/CVE-2020-10878_2.patch new file mode 100644 index 0000000000..0bacd6b192 --- /dev/null +++ b/meta/recipes-devtools/perl/files/CVE-2020-10878_2.patch
@@ -0,0 +1,36 @@
		1	From 3295b48defa0f8570114877b063fe546dd348b3c Mon Sep 17 00:00:00 2001
		2	From: Karl Williamson <khw@cpan.org>
		3	Date: Thu, 20 Feb 2020 17:49:36 +0000
		4	Subject: [PATCH] regcomp: use long jumps if there is any possibility of
		5	overflow
		6
		7	(CVE-2020-10878) Be conservative for backporting, we'll aim to do
		8	something more aggressive for bleadperl.
		9
		10	(cherry picked from commit 9d7759db46f3b31b1d3f79c44266b6ba42a47fc6)
		11
		12	Upstream-Status: Backport [https://github.com/perl/perl5/commit/3295b48defa0f8570114877b063fe546dd348b3c]
		13	CVE: CVE-2020-10878
		14	Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
		15	---
		16	regcomp.c \| 7 +++++++
		17	1 file changed, 7 insertions(+)
		18
		19	diff --git a/regcomp.c b/regcomp.c
		20	index 4ba2980db66..73c35a67020 100644
		21	--- a/regcomp.c
		22	+++ b/regcomp.c
		23	@@ -7762,6 +7762,13 @@ Perl_re_op_compile(pTHX_ SV ** const patternp, int pat_count,
		24
		25	/* We have that number in RExC_npar */
		26	RExC_total_parens = RExC_npar;
		27	+
		28	+ /* XXX For backporting, use long jumps if there is any possibility of
		29	+ * overflow */
		30	+ if (RExC_size > U16_MAX && ! RExC_use_BRANCHJ) {
		31	+ RExC_use_BRANCHJ = TRUE;
		32	+ flags \|= RESTART_PARSE;
		33	+ }
		34	}
		35	else if (! MUST_RESTART(flags)) {
		36	ReREFCNT_dec(Rx);


diff --git a/meta/recipes-devtools/perl/perl_5.30.1.bb b/meta/recipes-devtools/perl/perl_5.30.1.bb index 5f3a9eeeb3..47b2f9ca65 100644 --- a/meta/recipes-devtools/perl/perl_5.30.1.bb +++ b/meta/recipes-devtools/perl/perl_5.30.1.bb
@@ -24,6 +24,9 @@ SRC_URI = "https://www.cpan.org/src/5.0/perl-${PV}.tar.gz;name=perl \
24	file://0001-PATCH-perl-134117-Close-DATA-in-loc_tools.pl.patch \	24	file://0001-PATCH-perl-134117-Close-DATA-in-loc_tools.pl.patch \
25	file://determinism.patch \	25	file://determinism.patch \
26	file://racefix.patch \	26	file://racefix.patch \
		27	file://CVE-2020-10543.patch \
		28	file://CVE-2020-10878_1.patch \
		29	file://CVE-2020-10878_2.patch \
27	"	30	"
28	SRC_URI_append_class-native = " \	31	SRC_URI_append_class-native = " \
29	file://perl-configpm-switch.patch \	32	file://perl-configpm-switch.patch \