perl: fix for CVE-2010-4777

The Perl_reg_numbered_buff_fetch function in Perl 5.10.0, 5.12.0, 5.14.0, and other versions, when running with debugging enabled, allows context-dependent attackers to cause a denial of service (assertion failure and application exit) via crafted input that is not properly handled when using certain regular expressions, as demonstrated by causing SpamAssassin and OCSInventory to crash. http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-4777 (From OE-Core rev: 368df9f13ddf124e6aaaec06c02ab698c9e0b6c3) (From OE-Core rev: 73aff6efb3374427234a3615ffca07874f22f3fa) Signed-off-by: yanjun.zhu <yanjun.zhu@windriver.com> Signed-off-by: Roy Li <rongqing.li@windriver.com> Signed-off-by: Saul Wold <sgw@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: yanjun.zhu <yanjun.zhu@windriver.com> 2014-05-20 09:27:47 +0800
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2014-10-10 15:06:06 +0100
commit: 57138de0fc1730c8e14d19b784f1f0573fb03080 (patch)
tree: 40b8673bb300a58b26253d3d20031eec07b1f8ec /meta
parent: 57a806cc32051ce0d749ba013f55f300d981dc75 (diff)
download: poky-57138de0fc1730c8e14d19b784f1f0573fb03080.tar.gz
3 files changed, 49 insertions, 2 deletions
diff --git a/meta/recipes-devtools/perl/perl-5.14.3/perl-5.14.3-fix-CVE-2010-4777.patch b/meta/recipes-devtools/perl/perl-5.14.3/perl-5.14.3-fix-CVE-2010-4777.patch
new file mode 100644
index 0000000000..e0dcf412bb
--- /dev/null
+++ b/meta/recipes-devtools/perl/perl-5.14.3/perl-5.14.3-fix-CVE-2010-4777.patch
@@ -0,0 +1,45 @@
+perl:fix for CVE-2010-4777
+Upstream-Status: Backport
+    
+The Perl_reg_numbered_buff_fetch function in Perl 5.10.0, 5.12.0,
+5.14.0, and other versions, when running with debugging enabled,
+allows context-dependent attackers to cause a denial of service
+(assertion failure and application exit) via crafted input that
+is not properly handled when using certain regular expressions,
+as demonstrated by causing SpamAssassin and OCSInventory to
+crash.
+http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-4777
+Signed-off-by: yanjun.zhu <yanjun.zhu@windriver.com>
+--- a/regcomp.c
+++ b/regcomp.c
+@@ -11868,8 +11868,25 @@ Perl_save_re_context(pTHX)
+ 
+                if (gvp) {
+                    GV * const gv = *gvp;
+-                   if (SvTYPE(gv) == SVt_PVGV && GvSV(gv))
+-                       save_scalar(gv);
+                   if (SvTYPE(gv) == SVt_PVGV && GvSV(gv)) {
+                       /* this is a copy of save_scalar() without the GETMAGIC call, RT#76538 */
+                       SV ** const sptr = &GvSVn(gv);
+                       SV * osv = *sptr;
+                       SV * nsv = newSV(0);
+                       save_pushptrptr(SvREFCNT_inc_simple(gv),
+                       SvREFCNT_inc(osv), SAVEt_SV);
+                       if (SvTYPE(osv) >= SVt_PVMG && SvMAGIC(osv) &&
+                           SvTYPE(osv) != SVt_PVGV) {
+                           if (SvGMAGICAL(osv)) {
+                               const bool oldtainted = PL_tainted;
+                               SvFLAGS(osv) |= (SvFLAGS(osv) &
+                                   (SVp_IOK|SVp_NOK|SVp_POK)) >> PRIVSHIFT;
+                               PL_tainted = oldtainted;
+                           }
+                           mg_localize(osv, nsv, 1);
+                       }
+                       *sptr = nsv;
+                   }
+                }
+            }
+        }
diff --git a/meta/recipes-devtools/perl/perl-native_5.14.3.bb b/meta/recipes-devtools/perl/perl-native_5.14.3.bb
index 2ef0a5135c..c38be41d49 100644
--- a/meta/recipes-devtools/perl/perl-native_5.14.3.bb
+++ b/meta/recipes-devtools/perl/perl-native_5.14.3.bb
@@ -17,7 +17,8 @@ SRC_URI = "http://www.cpan.org/src/5.0/perl-${PV}.tar.gz \
           file://MM_Unix.pm.patch \
           file://debian/errno_ver.diff \
           file://dynaloaderhack.patch \
-           file://perl-build-in-t-dir.patch"
+           file://perl-build-in-t-dir.patch \
+           file://perl-5.14.3-fix-CVE-2010-4777.patch "
 SRC_URI[md5sum] = "f6a3d878c688d111b495c87db56c5be5"
 SRC_URI[sha256sum] = "03638a4f01bc26b81231233671524b4163849a3a9ea5cc2397293080c4ea339f"
diff --git a/meta/recipes-devtools/perl/perl_5.14.3.bb b/meta/recipes-devtools/perl/perl_5.14.3.bb
index 09a3f3b531..6816382345 100644
--- a/meta/recipes-devtools/perl/perl_5.14.3.bb
+++ b/meta/recipes-devtools/perl/perl_5.14.3.bb
@@ -74,7 +74,8 @@ SRC_URI = "http://www.cpan.org/src/5.0/perl-${PV}.tar.gz \
        file://config.sh-32-be \
        file://config.sh-64 \
        file://config.sh-64-le \
-        file://config.sh-64-be"
+        file://config.sh-64-be \
+        file://perl-5.14.3-fix-CVE-2010-4777.patch "
 #       file://debian/fakeroot.diff
 SRC_URI[md5sum] = "f6a3d878c688d111b495c87db56c5be5"
author	yanjun.zhu <yanjun.zhu@windriver.com>	2014-05-20 09:27:47 +0800
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2014-10-10 15:06:06 +0100
commit	57138de0fc1730c8e14d19b784f1f0573fb03080 (patch)
tree	40b8673bb300a58b26253d3d20031eec07b1f8ec /meta
parent	57a806cc32051ce0d749ba013f55f300d981dc75 (diff)
download	poky-57138de0fc1730c8e14d19b784f1f0573fb03080.tar.gz

diff --git a/meta/recipes-devtools/perl/perl-5.14.3/perl-5.14.3-fix-CVE-2010-4777.patch b/meta/recipes-devtools/perl/perl-5.14.3/perl-5.14.3-fix-CVE-2010-4777.patch new file mode 100644 index 0000000000..e0dcf412bb --- /dev/null +++ b/meta/recipes-devtools/perl/perl-5.14.3/perl-5.14.3-fix-CVE-2010-4777.patch
@@ -0,0 +1,45 @@
		1	perl:fix for CVE-2010-4777
		2
		3	Upstream-Status: Backport
		4
		5	The Perl_reg_numbered_buff_fetch function in Perl 5.10.0, 5.12.0,
		6	5.14.0, and other versions, when running with debugging enabled,
		7	allows context-dependent attackers to cause a denial of service
		8	(assertion failure and application exit) via crafted input that
		9	is not properly handled when using certain regular expressions,
		10	as demonstrated by causing SpamAssassin and OCSInventory to
		11	crash.
		12
		13	http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-4777
		14
		15	Signed-off-by: yanjun.zhu <yanjun.zhu@windriver.com>
		16	--- a/regcomp.c
		17	+++ b/regcomp.c
		18	@@ -11868,8 +11868,25 @@ Perl_save_re_context(pTHX)
		19
		20	if (gvp) {
		21	GV * const gv = *gvp;
		22	- if (SvTYPE(gv) == SVt_PVGV && GvSV(gv))
		23	- save_scalar(gv);
		24	+ if (SvTYPE(gv) == SVt_PVGV && GvSV(gv)) {
		25	+ /* this is a copy of save_scalar() without the GETMAGIC call, RT#76538 */
		26	+ SV ** const sptr = &GvSVn(gv);
		27	+ SV * osv = *sptr;
		28	+ SV * nsv = newSV(0);
		29	+ save_pushptrptr(SvREFCNT_inc_simple(gv),
		30	+ SvREFCNT_inc(osv), SAVEt_SV);
		31	+ if (SvTYPE(osv) >= SVt_PVMG && SvMAGIC(osv) &&
		32	+ SvTYPE(osv) != SVt_PVGV) {
		33	+ if (SvGMAGICAL(osv)) {
		34	+ const bool oldtainted = PL_tainted;
		35	+ SvFLAGS(osv) \|= (SvFLAGS(osv) &
		36	+ (SVp_IOK\|SVp_NOK\|SVp_POK)) >> PRIVSHIFT;
		37	+ PL_tainted = oldtainted;
		38	+ }
		39	+ mg_localize(osv, nsv, 1);
		40	+ }
		41	+ *sptr = nsv;
		42	+ }
		43	}
		44	}
		45	}


diff --git a/meta/recipes-devtools/perl/perl-native_5.14.3.bb b/meta/recipes-devtools/perl/perl-native_5.14.3.bb index 2ef0a5135c..c38be41d49 100644 --- a/meta/recipes-devtools/perl/perl-native_5.14.3.bb +++ b/meta/recipes-devtools/perl/perl-native_5.14.3.bb
@@ -17,7 +17,8 @@ SRC_URI = "http://www.cpan.org/src/5.0/perl-${PV}.tar.gz \
17	file://MM_Unix.pm.patch \	17	file://MM_Unix.pm.patch \
18	file://debian/errno_ver.diff \	18	file://debian/errno_ver.diff \
19	file://dynaloaderhack.patch \	19	file://dynaloaderhack.patch \
20	file://perl-build-in-t-dir.patch"	20	file://perl-build-in-t-dir.patch \
		21	file://perl-5.14.3-fix-CVE-2010-4777.patch "
21		22
22	SRC_URI[md5sum] = "f6a3d878c688d111b495c87db56c5be5"	23	SRC_URI[md5sum] = "f6a3d878c688d111b495c87db56c5be5"
23	SRC_URI[sha256sum] = "03638a4f01bc26b81231233671524b4163849a3a9ea5cc2397293080c4ea339f"	24	SRC_URI[sha256sum] = "03638a4f01bc26b81231233671524b4163849a3a9ea5cc2397293080c4ea339f"


diff --git a/meta/recipes-devtools/perl/perl_5.14.3.bb b/meta/recipes-devtools/perl/perl_5.14.3.bb index 09a3f3b531..6816382345 100644 --- a/meta/recipes-devtools/perl/perl_5.14.3.bb +++ b/meta/recipes-devtools/perl/perl_5.14.3.bb
@@ -74,7 +74,8 @@ SRC_URI = "http://www.cpan.org/src/5.0/perl-${PV}.tar.gz \
74	file://config.sh-32-be \	74	file://config.sh-32-be \
75	file://config.sh-64 \	75	file://config.sh-64 \
76	file://config.sh-64-le \	76	file://config.sh-64-le \
77	file://config.sh-64-be"	77	file://config.sh-64-be \
		78	file://perl-5.14.3-fix-CVE-2010-4777.patch "
78	# file://debian/fakeroot.diff	79	# file://debian/fakeroot.diff
79		80
80	SRC_URI[md5sum] = "f6a3d878c688d111b495c87db56c5be5"	81	SRC_URI[md5sum] = "f6a3d878c688d111b495c87db56c5be5"