diff options
Diffstat (limited to 'meta/recipes-devtools/perl/perl-5.14.2/perl-fix-CVE-2012-5195.patch')
-rw-r--r-- | meta/recipes-devtools/perl/perl-5.14.2/perl-fix-CVE-2012-5195.patch | 41 |
1 files changed, 41 insertions, 0 deletions
diff --git a/meta/recipes-devtools/perl/perl-5.14.2/perl-fix-CVE-2012-5195.patch b/meta/recipes-devtools/perl/perl-5.14.2/perl-fix-CVE-2012-5195.patch new file mode 100644 index 0000000000..da96f9c494 --- /dev/null +++ b/meta/recipes-devtools/perl/perl-5.14.2/perl-fix-CVE-2012-5195.patch | |||
@@ -0,0 +1,41 @@ | |||
1 | Upstream-Status: Backport | ||
2 | |||
3 | This patch is from perl mainline: | ||
4 | http://perl5.git.perl.org/perl.git/commit/b675304e3fdbcce3ef853b06b6ebe870d99faa7e | ||
5 | |||
6 | Signed-off-by: Kang Kai <kai.kang@windriver.com> | ||
7 | |||
8 | --- | ||
9 | From b675304e3fdbcce3ef853b06b6ebe870d99faa7e Mon Sep 17 00:00:00 2001 | ||
10 | From: Andy Dougherty <doughera@lafayette.edu> | ||
11 | Date: Thu, 27 Sep 2012 09:52:18 -0400 | ||
12 | Subject: [PATCH] avoid calling memset with a negative count | ||
13 | |||
14 | Poorly written perl code that allows an attacker to specify the count to | ||
15 | perl's 'x' string repeat operator can already cause a memory exhaustion | ||
16 | denial-of-service attack. A flaw in versions of perl before 5.15.5 can | ||
17 | escalate that into a heap buffer overrun; coupled with versions of glibc | ||
18 | before 2.16, it possibly allows the execution of arbitrary code. | ||
19 | |||
20 | The flaw addressed to this commit has been assigned identifier | ||
21 | CVE-2012-5195. | ||
22 | --- | ||
23 | util.c | 3 +++ | ||
24 | 1 files changed, 3 insertions(+), 0 deletions(-) | ||
25 | |||
26 | diff --git a/util.c b/util.c | ||
27 | index 0ea39c6..230211e 100644 | ||
28 | --- a/util.c | ||
29 | +++ b/util.c | ||
30 | @@ -3319,6 +3319,9 @@ Perl_repeatcpy(register char *to, register const char *from, I32 len, register I | ||
31 | { | ||
32 | PERL_ARGS_ASSERT_REPEATCPY; | ||
33 | |||
34 | + if (count < 0) | ||
35 | + Perl_croak_nocontext("%s",PL_memory_wrap); | ||
36 | + | ||
37 | if (len == 1) | ||
38 | memset(to, *from, count); | ||
39 | else if (count) { | ||
40 | -- | ||
41 | 1.7.4.1 | ||