1 files changed, 183 insertions, 0 deletions
diff --git a/meta/recipes-devtools/perl/perl/CVE-2018-18311.patch b/meta/recipes-devtools/perl/perl/CVE-2018-18311.patch
new file mode 100644
index 0000000000..ba8cf151fd
--- /dev/null
+++ b/meta/recipes-devtools/perl/perl/CVE-2018-18311.patch
@@ -0,0 +1,183 @@
+From 4706b65d7c835c0bb219db160fbcdbcd98efab2d Mon Sep 17 00:00:00 2001
+From: David Mitchell <davem@iabyn.com>
+Date: Fri, 29 Jun 2018 13:37:03 +0100
+Subject: [PATCH] Perl_my_setenv(); handle integer wrap
+RT #133204
+Wean this function off int/I32 and onto UV/Size_t.
+Also, replace all malloc-ish calls with a wrapper that does
+overflow checks,
+In particular, it was doing (nlen + vlen + 2) which could wrap when
+the combined length of the environment variable name and value
+exceeded around 0x7fffffff.
+The wrapper check function is probably overkill, but belt and braces...
+NB this function has several variant parts, #ifdef'ed by platform
+type; I have blindly changed the parts that aren't compiled under linux.
+(cherry picked from commit 34716e2a6ee2af96078d62b065b7785c001194be)
+CVE: CVE-2018-18311
+Upstream-Status: Backport
+[https://perl5.git.perl.org/perl.git/commit/5737d31aac51360cc1eb412ef059e36147c9d6d6]
+Signed-off-by: Dan Tran <dantran@microsoft.com>
+---
+ util.c | 76 ++++++++++++++++++++++++++++++++++++++++------------------
+ 1 file changed, 53 insertions(+), 23 deletions(-)
+diff --git a/util.c b/util.c
+index 7c3d271f51..27f4eddf3b 100644
+--- a/util.c
+++ b/util.c
+@@ -2160,8 +2160,40 @@ Perl_new_warnings_bitfield(pTHX_ STRLEN *buffer, const char *const bits,
+    *(s+(nlen+1+vlen)) = '\0'
+ 
+ #ifdef USE_ENVIRON_ARRAY
+-       /* VMS' my_setenv() is in vms.c */
+
+/* small wrapper for use by Perl_my_setenv that mallocs, or reallocs if
+ * 'current' is non-null, with up to three sizes that are added together.
+ * It handles integer overflow.
+ */
+static char *
+S_env_alloc(void *current, Size_t l1, Size_t l2, Size_t l3, Size_t size)
+{
+    void *p;
+    Size_t sl, l = l1 + l2;
+
+    if (l < l2)
+        goto panic;
+    l += l3;
+    if (l < l3)
+        goto panic;
+    sl = l * size;
+    if (sl < l)
+        goto panic;
+
+    p = current
+            ? safesysrealloc(current, sl)
+            : safesysmalloc(sl);
+    if (p)
+        return (char*)p;
+
+  panic:
+    croak_memory_wrap();
+}
+
+
+/* VMS' my_setenv() is in vms.c */
+ #if !defined(WIN32) && !defined(NETWARE)
+
+ void
+ Perl_my_setenv(pTHX_ const char *nam, const char *val)
+ {
+@@ -2177,28 +2209,27 @@ Perl_my_setenv(pTHX_ const char *nam, const char *val)
+ #ifndef PERL_USE_SAFE_PUTENV
+     if (!PL_use_safe_putenv) {
+         /* most putenv()s leak, so we manipulate environ directly */
+-        I32 i;
+-        const I32 len = strlen(nam);
+-        int nlen, vlen;
+        UV i;
+        Size_t vlen, nlen = strlen(nam);
+ 
+         /* where does it go? */
+         for (i = 0; environ[i]; i++) {
+-            if (strnEQ(environ[i],nam,len) && environ[i][len] == '=')
+            if (strnEQ(environ[i], nam, nlen) && environ[i][nlen] == '=')
+                 break;
+         }
+ 
+         if (environ == PL_origenviron) {   /* need we copy environment? */
+-            I32 j;
+-            I32 max;
+            UV j, max;
+             char **tmpenv;
+ 
+             max = i;
+             while (environ[max])
+                 max++;
+-            tmpenv = (char**)safesysmalloc((max+2) * sizeof(char*));
+            /* XXX shouldn't that be max+1 rather than max+2 ??? - DAPM */
+            tmpenv = (char**)S_env_alloc(NULL, max, 2, 0, sizeof(char*));
+             for (j=0; j<max; j++) {         /* copy environment */
+-                const int len = strlen(environ[j]);
+-                tmpenv[j] = (char*)safesysmalloc((len+1)*sizeof(char));
+                const Size_t len = strlen(environ[j]);
+                tmpenv[j] = S_env_alloc(NULL, len, 1, 0, 1);
+                 Copy(environ[j], tmpenv[j], len+1, char);
+             }
+             tmpenv[max] = NULL;
+@@ -2217,15 +2248,15 @@ Perl_my_setenv(pTHX_ const char *nam, const char *val)
+ #endif
+         }
+         if (!environ[i]) {                 /* does not exist yet */
+-            environ = (char**)safesysrealloc(environ, (i+2) * sizeof(char*));
+            environ = (char**)S_env_alloc(environ, i, 2, 0, sizeof(char*));
+             environ[i+1] = NULL;    /* make sure it's null terminated */
+         }
+         else
+             safesysfree(environ[i]);
+-        nlen = strlen(nam);
+
+         vlen = strlen(val);
+ 
+-        environ[i] = (char*)safesysmalloc((nlen+vlen+2) * sizeof(char));
+        environ[i] = S_env_alloc(NULL, nlen, vlen, 2, 1);
+         /* all that work just for this */
+         my_setenv_format(environ[i], nam, nlen, val, vlen);
+     } else {
+@@ -2250,22 +2281,21 @@ Perl_my_setenv(pTHX_ const char *nam, const char *val)
+             if (environ) /* old glibc can crash with null environ */
+                 (void)unsetenv(nam);
+         } else {
+-           const int nlen = strlen(nam);
+-           const int vlen = strlen(val);
+-           char * const new_env =
+-                (char*)safesysmalloc((nlen + vlen + 2) * sizeof(char));
+           const Size_t nlen = strlen(nam);
+           const Size_t vlen = strlen(val);
+           char * const new_env = S_env_alloc(NULL, nlen, vlen, 2, 1);
+             my_setenv_format(new_env, nam, nlen, val, vlen);
+             (void)putenv(new_env);
+         }
+ #       else /* ! HAS_UNSETENV */
+         char *new_env;
+-       const int nlen = strlen(nam);
+-       int vlen;
+       const Size_t nlen = strlen(nam);
+       Size_t vlen;
+         if (!val) {
+           val = "";
+         }
+         vlen = strlen(val);
+-        new_env = (char*)safesysmalloc((nlen + vlen + 2) * sizeof(char));
+        new_env = S_env_alloc(NULL, nlen, vlen, 2, 1);
+         /* all that work just for this */
+         my_setenv_format(new_env, nam, nlen, val, vlen);
+         (void)putenv(new_env);
+@@ -2288,14 +2318,14 @@ Perl_my_setenv(pTHX_ const char *nam, const char *val)
+ {
+     dVAR;
+     char *envstr;
+-    const int nlen = strlen(nam);
+-    int vlen;
+    const Size_t nlen = strlen(nam);
+    Size_t vlen;
+ 
+     if (!val) {
+        val = "";
+     }
+     vlen = strlen(val);
+-    Newx(envstr, nlen+vlen+2, char);
+    envstr = S_env_alloc(NULL, nlen, vlen, 2, 1);
+     my_setenv_format(envstr, nam, nlen, val, vlen);
+     (void)PerlEnv_putenv(envstr);
+     Safefree(envstr);
+-- 
+2.22.0.vfs.1.1.57.gbaf16c8

diff --git a/meta/recipes-devtools/perl/perl/CVE-2018-18311.patch b/meta/recipes-devtools/perl/perl/CVE-2018-18311.patch new file mode 100644 index 0000000000..ba8cf151fd --- /dev/null +++ b/meta/recipes-devtools/perl/perl/CVE-2018-18311.patch
@@ -0,0 +1,183 @@
	1	From 4706b65d7c835c0bb219db160fbcdbcd98efab2d Mon Sep 17 00:00:00 2001
	2	From: David Mitchell <davem@iabyn.com>
	3	Date: Fri, 29 Jun 2018 13:37:03 +0100
	4	Subject: [PATCH] Perl_my_setenv(); handle integer wrap
	5
	6	RT #133204
	7
	8	Wean this function off int/I32 and onto UV/Size_t.
	9	Also, replace all malloc-ish calls with a wrapper that does
	10	overflow checks,
	11
	12	In particular, it was doing (nlen + vlen + 2) which could wrap when
	13	the combined length of the environment variable name and value
	14	exceeded around 0x7fffffff.
	15
	16	The wrapper check function is probably overkill, but belt and braces...
	17
	18	NB this function has several variant parts, #ifdef'ed by platform
	19	type; I have blindly changed the parts that aren't compiled under linux.
	20
	21	(cherry picked from commit 34716e2a6ee2af96078d62b065b7785c001194be)
	22
	23	CVE: CVE-2018-18311
	24	Upstream-Status: Backport
	25	[https://perl5.git.perl.org/perl.git/commit/5737d31aac51360cc1eb412ef059e36147c9d6d6]
	26
	27	Signed-off-by: Dan Tran <dantran@microsoft.com>
	28	---
	29	util.c \| 76 ++++++++++++++++++++++++++++++++++++++++------------------
	30	1 file changed, 53 insertions(+), 23 deletions(-)
	31
	32	diff --git a/util.c b/util.c
	33	index 7c3d271f51..27f4eddf3b 100644
	34	--- a/util.c
	35	+++ b/util.c
	36	@@ -2160,8 +2160,40 @@ Perl_new_warnings_bitfield(pTHX_ STRLEN buffer, const char const bits,
	37	*(s+(nlen+1+vlen)) = '\0'
	38
	39	#ifdef USE_ENVIRON_ARRAY
	40	- /* VMS' my_setenv() is in vms.c */
	41	+
	42	+/* small wrapper for use by Perl_my_setenv that mallocs, or reallocs if
	43	+ * 'current' is non-null, with up to three sizes that are added together.
	44	+ * It handles integer overflow.
	45	+ */
	46	+static char *
	47	+S_env_alloc(void *current, Size_t l1, Size_t l2, Size_t l3, Size_t size)
	48	+{
	49	+ void *p;
	50	+ Size_t sl, l = l1 + l2;
	51	+
	52	+ if (l < l2)
	53	+ goto panic;
	54	+ l += l3;
	55	+ if (l < l3)
	56	+ goto panic;
	57	+ sl = l * size;
	58	+ if (sl < l)
	59	+ goto panic;
	60	+
	61	+ p = current
	62	+ ? safesysrealloc(current, sl)
	63	+ : safesysmalloc(sl);
	64	+ if (p)
	65	+ return (char*)p;
	66	+
	67	+ panic:
	68	+ croak_memory_wrap();
	69	+}
	70	+
	71	+
	72	+/* VMS' my_setenv() is in vms.c */
	73	#if !defined(WIN32) && !defined(NETWARE)
	74	+
	75	void
	76	Perl_my_setenv(pTHX_ const char nam, const char val)
	77	{
	78	@@ -2177,28 +2209,27 @@ Perl_my_setenv(pTHX_ const char nam, const char val)
	79	#ifndef PERL_USE_SAFE_PUTENV
	80	if (!PL_use_safe_putenv) {
	81	/* most putenv()s leak, so we manipulate environ directly */
	82	- I32 i;
	83	- const I32 len = strlen(nam);
	84	- int nlen, vlen;
	85	+ UV i;
	86	+ Size_t vlen, nlen = strlen(nam);
	87
	88	/* where does it go? */
	89	for (i = 0; environ[i]; i++) {
	90	- if (strnEQ(environ[i],nam,len) && environ[i][len] == '=')
	91	+ if (strnEQ(environ[i], nam, nlen) && environ[i][nlen] == '=')
	92	break;
	93	}
	94
	95	if (environ == PL_origenviron) { /* need we copy environment? */
	96	- I32 j;
	97	- I32 max;
	98	+ UV j, max;
	99	char **tmpenv;
	100
	101	max = i;
	102	while (environ[max])
	103	max++;
	104	- tmpenv = (char*)safesysmalloc((max+2) sizeof(char*));
	105	+ /* XXX shouldn't that be max+1 rather than max+2 ??? - DAPM */
	106	+ tmpenv = (char*)S_env_alloc(NULL, max, 2, 0, sizeof(char));
	107	for (j=0; j<max; j++) { /* copy environment */
	108	- const int len = strlen(environ[j]);
	109	- tmpenv[j] = (char)safesysmalloc((len+1)sizeof(char));
	110	+ const Size_t len = strlen(environ[j]);
	111	+ tmpenv[j] = S_env_alloc(NULL, len, 1, 0, 1);
	112	Copy(environ[j], tmpenv[j], len+1, char);
	113	}
	114	tmpenv[max] = NULL;
	115	@@ -2217,15 +2248,15 @@ Perl_my_setenv(pTHX_ const char nam, const char val)
	116	#endif
	117	}
	118	if (!environ[i]) { /* does not exist yet */
	119	- environ = (char*)safesysrealloc(environ, (i+2) sizeof(char*));
	120	+ environ = (char*)S_env_alloc(environ, i, 2, 0, sizeof(char));
	121	environ[i+1] = NULL; /* make sure it's null terminated */
	122	}
	123	else
	124	safesysfree(environ[i]);
	125	- nlen = strlen(nam);
	126	+
	127	vlen = strlen(val);
	128
	129	- environ[i] = (char)safesysmalloc((nlen+vlen+2) sizeof(char));
	130	+ environ[i] = S_env_alloc(NULL, nlen, vlen, 2, 1);
	131	/* all that work just for this */
	132	my_setenv_format(environ[i], nam, nlen, val, vlen);
	133	} else {
	134	@@ -2250,22 +2281,21 @@ Perl_my_setenv(pTHX_ const char nam, const char val)
	135	if (environ) /* old glibc can crash with null environ */
	136	(void)unsetenv(nam);
	137	} else {
	138	- const int nlen = strlen(nam);
	139	- const int vlen = strlen(val);
	140	- char * const new_env =
	141	- (char)safesysmalloc((nlen + vlen + 2) sizeof(char));
	142	+ const Size_t nlen = strlen(nam);
	143	+ const Size_t vlen = strlen(val);
	144	+ char * const new_env = S_env_alloc(NULL, nlen, vlen, 2, 1);
	145	my_setenv_format(new_env, nam, nlen, val, vlen);
	146	(void)putenv(new_env);
	147	}
	148	# else /* ! HAS_UNSETENV */
	149	char *new_env;
	150	- const int nlen = strlen(nam);
	151	- int vlen;
	152	+ const Size_t nlen = strlen(nam);
	153	+ Size_t vlen;
	154	if (!val) {
	155	val = "";
	156	}
	157	vlen = strlen(val);
	158	- new_env = (char)safesysmalloc((nlen + vlen + 2) sizeof(char));
	159	+ new_env = S_env_alloc(NULL, nlen, vlen, 2, 1);
	160	/* all that work just for this */
	161	my_setenv_format(new_env, nam, nlen, val, vlen);
	162	(void)putenv(new_env);
	163	@@ -2288,14 +2318,14 @@ Perl_my_setenv(pTHX_ const char nam, const char val)
	164	{
	165	dVAR;
	166	char *envstr;
	167	- const int nlen = strlen(nam);
	168	- int vlen;
	169	+ const Size_t nlen = strlen(nam);
	170	+ Size_t vlen;
	171
	172	if (!val) {
	173	val = "";
	174	}
	175	vlen = strlen(val);
	176	- Newx(envstr, nlen+vlen+2, char);
	177	+ envstr = S_env_alloc(NULL, nlen, vlen, 2, 1);
	178	my_setenv_format(envstr, nam, nlen, val, vlen);
	179	(void)PerlEnv_putenv(envstr);
	180	Safefree(envstr);
	181	--
	182	2.22.0.vfs.1.1.57.gbaf16c8
	183