perl: fix CVE-2023-31484/47038/47100

import patch from ubuntu http://archive.ubuntu.com/ubuntu/pool/main/p/perl/perl_5.30.0-9ubuntu0.5.debian.tar.xz fix: CVE-2023-31484 CVE-2023-47038 CVE-2023-47100 as per https://ubuntu.com/security/CVE-2023-47100 , CVE-2023-47100 is duplicate of CVE-2023-47038. perl import entire CPAN in single commit, hence backport fix from their upstream cpan instead. (From OE-Core rev: 74861848ba0d3ba920ef54f016240807ba42682a) Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
author: Lee Chee Yang <chee.yang.lee@intel.com> 2023-12-14 20:32:51 +0800
committer: Steve Sakoman <steve@sakoman.com> 2023-12-21 05:17:55 -1000
commit: 8efd61ccb1964360444ed6eba9b88e20e2ee5953 (patch)
tree: b9ab47736fed46d0c79938044330d25405035514
parent: 43fa25ea6fd7c783aabdfe4cbc71b2eb3666b195 (diff)
download: poky-8efd61ccb1964360444ed6eba9b88e20e2ee5953.tar.gz
3 files changed, 150 insertions, 0 deletions
diff --git a/meta/recipes-devtools/perl/files/CVE-2023-31484.patch b/meta/recipes-devtools/perl/files/CVE-2023-31484.patch
new file mode 100644
index 0000000000..0fea7bf8a8
--- /dev/null
+++ b/meta/recipes-devtools/perl/files/CVE-2023-31484.patch
@@ -0,0 +1,27 @@
+CVE: CVE-2023-31484
+Upstream-Status: Backport [  import from Ubuntu  perl_5.30.0-9ubuntu0.5
+upstream  https://github.com/andk/cpanpm/commit/9c98370287f4e709924aee7c58ef21c85289a7f0 ]
+Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
+From 9c98370287f4e709924aee7c58ef21c85289a7f0 Mon Sep 17 00:00:00 2001
+From: Stig Palmquist <git@stig.io>
+Date: Tue, 28 Feb 2023 11:54:06 +0100
+Subject: [PATCH] Add verify_SSL=>1 to HTTP::Tiny to verify https server
+ identity
+---
+ lib/CPAN/HTTP/Client.pm | 1 +
+ 1 file changed, 1 insertion(+)
+diff --git a/cpan/CPAN/lib/CPAN/HTTP/Client.pm b/cpan/CPAN/lib/CPAN/HTTP/Client.pm
+index 4fc792c26..a616fee20 100644
+--- a/cpan/CPAN/lib/CPAN/HTTP/Client.pm
+++ b/cpan/CPAN/lib/CPAN/HTTP/Client.pm
+@@ -32,6 +32,7 @@ sub mirror {
+ 
+     my $want_proxy = $self->_want_proxy($uri);
+     my $http = HTTP::Tiny->new(
+        verify_SSL => 1,
+         $want_proxy ? (proxy => $self->{proxy}) : ()
+     );
+ 
diff --git a/meta/recipes-devtools/perl/files/CVE-2023-47038.patch b/meta/recipes-devtools/perl/files/CVE-2023-47038.patch
new file mode 100644
index 0000000000..59252c560c
--- /dev/null
+++ b/meta/recipes-devtools/perl/files/CVE-2023-47038.patch
@@ -0,0 +1,121 @@
+as per https://ubuntu.com/security/CVE-2023-47100 , CVE-2023-47100 is duplicate of CVE-2023-47038
+CVE: CVE-2023-47038 CVE-2023-47100
+Upstream-Status: Backport [ import from ubuntu perl_5.30.0-9ubuntu0.5 
+upstream https://github.com/Perl/perl5/commit/12c313ce49b36160a7ca2e9b07ad5bd92ee4a010 ]
+Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
+Backport of:
+From 12c313ce49b36160a7ca2e9b07ad5bd92ee4a010 Mon Sep 17 00:00:00 2001
+From: Karl Williamson <khw@cpan.org>
+Date: Sat, 9 Sep 2023 11:59:09 -0600
+Subject: [PATCH 1/2] Fix read/write past buffer end: perl-security#140
+A package name may be specified in a \p{...} regular expression
+construct.  If unspecified, "utf8::" is assumed, which is the package
+all official Unicode properties are in.  By specifying a different
+package, one can create a user-defined property with the same
+unqualified name as a Unicode one.  Such a property is defined by a sub
+whose name begins with "Is" or "In", and if the sub wishes to refer to
+an official Unicode property, it must explicitly specify the "utf8::".
+S_parse_uniprop_string() is used to parse the interior of both \p{} and
+the user-defined sub lines.
+In S_parse_uniprop_string(), it parses the input "name" parameter,
+creating a modified copy, "lookup_name", malloc'ed with the same size as
+"name".  The modifications are essentially to create a canonicalized
+version of the input, with such things as extraneous white-space
+stripped off.  I found it convenient to strip off the package specifier
+"utf8::".  To to so, the code simply pretends "lookup_name" begins just
+after the "utf8::", and adjusts various other values to compensate.
+However, it missed the adjustment of one required one.
+This is only a problem when the property name begins with "perl" and
+isn't "perlspace" nor "perlword".  All such ones are undocumented
+internal properties.
+What happens in this case is that the input is reparsed with slightly
+different rules in effect as to what is legal versus illegal.  The
+problem is that "lookup_name" no longer is pointing to its initial
+value, but "name" is.  Thus the space allocated for filling "lookup_name"
+is now shorter than "name", and as this shortened "lookup_name" is
+filled by copying suitable portions of "name", the write can be to
+unallocated space.
+The solution is to skip the "utf8::" when reparsing "name".  Then both
+"lookup_name" and "name" are effectively shortened by the same amount,
+and there is no going off the end.
+This commit also does white-space adjustment so that things align
+vertically for readability.
+This can be easily backported to earlier Perl releases.
+---
+ regcomp.c           | 17 +++++++++++------
+ t/re/pat_advanced.t |  8 ++++++++
+ 2 files changed, 19 insertions(+), 6 deletions(-)
+--- a/regcomp.c
+++ b/regcomp.c
+@@ -22606,7 +22606,7 @@ Perl_parse_uniprop_string(pTHX_
+      * compile perl to know about them) */
+     bool is_nv_type = FALSE;
+ 
+-    unsigned int i, j = 0;
+    unsigned int i = 0, i_zero = 0, j = 0;
+     int equals_pos = -1;    /* Where the '=' is found, or negative if none */
+     int slash_pos  = -1;    /* Where the '/' is found, or negative if none */
+     int table_index = 0;    /* The entry number for this property in the table
+@@ -22717,9 +22717,13 @@ Perl_parse_uniprop_string(pTHX_
+      * all of them are considered to be for that package.  For the purposes of
+      * parsing the rest of the property, strip it off */
+     if (non_pkg_begin == STRLENs("utf8::") && memBEGINPs(name, name_len, "utf8::")) {
+-        lookup_name +=  STRLENs("utf8::");
+-        j -=  STRLENs("utf8::");
+-        equals_pos -=  STRLENs("utf8::");
+        lookup_name += STRLENs("utf8::");
+        j           -= STRLENs("utf8::");
+        equals_pos  -= STRLENs("utf8::");
+        i_zero       = STRLENs("utf8::");   /* When resetting 'i' to reparse
+                                               from the beginning, it has to be
+                                               set past what we're stripping
+                                               off */
+     }
+ 
+     /* Here, we are either done with the whole property name, if it was simple;
+@@ -22997,7 +23001,8 @@ Perl_parse_uniprop_string(pTHX_
+ 
+             /* We set the inputs back to 0 and the code below will reparse,
+              * using strict */
+-            i = j = 0;
+            i = i_zero;
+            j = 0;
+         }
+     }
+ 
+@@ -23018,7 +23023,7 @@ Perl_parse_uniprop_string(pTHX_
+          * separates two digits */
+         if (cur == '_') {
+             if (    stricter
+-                && (     i == 0 || (int) i == equals_pos || i == name_len- 1
+                && (   i == i_zero || (int) i == equals_pos || i == name_len- 1
+                     || ! isDIGIT_A(name[i-1]) || ! isDIGIT_A(name[i+1])))
+             {
+                 lookup_name[j++] = '_';
+--- a/t/re/pat_advanced.t
+++ b/t/re/pat_advanced.t
+@@ -2524,6 +2524,14 @@ EOF
+                       "", {}, "*COMMIT caused positioning beyond EOS");
+     }
+ 
+    {   # perl-security#140, read/write past buffer end
+        fresh_perl_like('qr/\p{utf8::perl x}/',
+                        qr/Illegal user-defined property name "utf8::perl x" in regex/,
+                        {}, "perl-security#140");
+        fresh_perl_is('qr/\p{utf8::_perl_surrogate}/', "",
+                        {}, "perl-security#140");
+    }
+
+ 
+     # !!! NOTE that tests that aren't at all likely to crash perl should go
+     # a ways above, above these last ones.  There's a comment there that, like
diff --git a/meta/recipes-devtools/perl/perl_5.30.1.bb b/meta/recipes-devtools/perl/perl_5.30.1.bb
index 9bb94e7caa..4b5a4a5619 100644
--- a/meta/recipes-devtools/perl/perl_5.30.1.bb
+++ b/meta/recipes-devtools/perl/perl_5.30.1.bb
@@ -29,6 +29,8 @@ SRC_URI = "https://www.cpan.org/src/5.0/perl-${PV}.tar.gz;name=perl \
           file://CVE-2020-10878_1.patch \
           file://CVE-2020-10878_2.patch \
           file://CVE-2020-12723.patch \
+           file://CVE-2023-31484.patch \
+           file://CVE-2023-47038.patch \
           "
 SRC_URI_append_class-native = " \
           file://perl-configpm-switch.patch \
author	Lee Chee Yang <chee.yang.lee@intel.com>	2023-12-14 20:32:51 +0800
committer	Steve Sakoman <steve@sakoman.com>	2023-12-21 05:17:55 -1000
commit	8efd61ccb1964360444ed6eba9b88e20e2ee5953 (patch)
tree	b9ab47736fed46d0c79938044330d25405035514
parent	43fa25ea6fd7c783aabdfe4cbc71b2eb3666b195 (diff)
download	poky-8efd61ccb1964360444ed6eba9b88e20e2ee5953.tar.gz

diff --git a/meta/recipes-devtools/perl/files/CVE-2023-31484.patch b/meta/recipes-devtools/perl/files/CVE-2023-31484.patch new file mode 100644 index 0000000000..0fea7bf8a8 --- /dev/null +++ b/meta/recipes-devtools/perl/files/CVE-2023-31484.patch
@@ -0,0 +1,27 @@
		1	CVE: CVE-2023-31484
		2	Upstream-Status: Backport [ import from Ubuntu perl_5.30.0-9ubuntu0.5
		3	upstream https://github.com/andk/cpanpm/commit/9c98370287f4e709924aee7c58ef21c85289a7f0 ]
		4	Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
		5
		6	From 9c98370287f4e709924aee7c58ef21c85289a7f0 Mon Sep 17 00:00:00 2001
		7	From: Stig Palmquist <git@stig.io>
		8	Date: Tue, 28 Feb 2023 11:54:06 +0100
		9	Subject: [PATCH] Add verify_SSL=>1 to HTTP::Tiny to verify https server
		10	identity
		11
		12	---
		13	lib/CPAN/HTTP/Client.pm \| 1 +
		14	1 file changed, 1 insertion(+)
		15
		16	diff --git a/cpan/CPAN/lib/CPAN/HTTP/Client.pm b/cpan/CPAN/lib/CPAN/HTTP/Client.pm
		17	index 4fc792c26..a616fee20 100644
		18	--- a/cpan/CPAN/lib/CPAN/HTTP/Client.pm
		19	+++ b/cpan/CPAN/lib/CPAN/HTTP/Client.pm
		20	@@ -32,6 +32,7 @@ sub mirror {
		21
		22	my $want_proxy = $self->_want_proxy($uri);
		23	my $http = HTTP::Tiny->new(
		24	+ verify_SSL => 1,
		25	$want_proxy ? (proxy => $self->{proxy}) : ()
		26	);
		27


diff --git a/meta/recipes-devtools/perl/files/CVE-2023-47038.patch b/meta/recipes-devtools/perl/files/CVE-2023-47038.patch new file mode 100644 index 0000000000..59252c560c --- /dev/null +++ b/meta/recipes-devtools/perl/files/CVE-2023-47038.patch
@@ -0,0 +1,121 @@
		1	as per https://ubuntu.com/security/CVE-2023-47100 , CVE-2023-47100 is duplicate of CVE-2023-47038
		2	CVE: CVE-2023-47038 CVE-2023-47100
		3	Upstream-Status: Backport [ import from ubuntu perl_5.30.0-9ubuntu0.5
		4	upstream https://github.com/Perl/perl5/commit/12c313ce49b36160a7ca2e9b07ad5bd92ee4a010 ]
		5	Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
		6
		7	Backport of:
		8
		9	From 12c313ce49b36160a7ca2e9b07ad5bd92ee4a010 Mon Sep 17 00:00:00 2001
		10	From: Karl Williamson <khw@cpan.org>
		11	Date: Sat, 9 Sep 2023 11:59:09 -0600
		12	Subject: [PATCH 1/2] Fix read/write past buffer end: perl-security#140
		13
		14	A package name may be specified in a \p{...} regular expression
		15	construct. If unspecified, "utf8::" is assumed, which is the package
		16	all official Unicode properties are in. By specifying a different
		17	package, one can create a user-defined property with the same
		18	unqualified name as a Unicode one. Such a property is defined by a sub
		19	whose name begins with "Is" or "In", and if the sub wishes to refer to
		20	an official Unicode property, it must explicitly specify the "utf8::".
		21	S_parse_uniprop_string() is used to parse the interior of both \p{} and
		22	the user-defined sub lines.
		23
		24	In S_parse_uniprop_string(), it parses the input "name" parameter,
		25	creating a modified copy, "lookup_name", malloc'ed with the same size as
		26	"name". The modifications are essentially to create a canonicalized
		27	version of the input, with such things as extraneous white-space
		28	stripped off. I found it convenient to strip off the package specifier
		29	"utf8::". To to so, the code simply pretends "lookup_name" begins just
		30	after the "utf8::", and adjusts various other values to compensate.
		31	However, it missed the adjustment of one required one.
		32
		33	This is only a problem when the property name begins with "perl" and
		34	isn't "perlspace" nor "perlword". All such ones are undocumented
		35	internal properties.
		36
		37	What happens in this case is that the input is reparsed with slightly
		38	different rules in effect as to what is legal versus illegal. The
		39	problem is that "lookup_name" no longer is pointing to its initial
		40	value, but "name" is. Thus the space allocated for filling "lookup_name"
		41	is now shorter than "name", and as this shortened "lookup_name" is
		42	filled by copying suitable portions of "name", the write can be to
		43	unallocated space.
		44
		45	The solution is to skip the "utf8::" when reparsing "name". Then both
		46	"lookup_name" and "name" are effectively shortened by the same amount,
		47	and there is no going off the end.
		48
		49	This commit also does white-space adjustment so that things align
		50	vertically for readability.
		51
		52	This can be easily backported to earlier Perl releases.
		53	---
		54	regcomp.c \| 17 +++++++++++------
		55	t/re/pat_advanced.t \| 8 ++++++++
		56	2 files changed, 19 insertions(+), 6 deletions(-)
		57
		58	--- a/regcomp.c
		59	+++ b/regcomp.c
		60	@@ -22606,7 +22606,7 @@ Perl_parse_uniprop_string(pTHX_
		61	* compile perl to know about them) */
		62	bool is_nv_type = FALSE;
		63
		64	- unsigned int i, j = 0;
		65	+ unsigned int i = 0, i_zero = 0, j = 0;
		66	int equals_pos = -1; /* Where the '=' is found, or negative if none */
		67	int slash_pos = -1; /* Where the '/' is found, or negative if none */
		68	int table_index = 0; /* The entry number for this property in the table
		69	@@ -22717,9 +22717,13 @@ Perl_parse_uniprop_string(pTHX_
		70	* all of them are considered to be for that package. For the purposes of
		71	* parsing the rest of the property, strip it off */
		72	if (non_pkg_begin == STRLENs("utf8::") && memBEGINPs(name, name_len, "utf8::")) {
		73	- lookup_name += STRLENs("utf8::");
		74	- j -= STRLENs("utf8::");
		75	- equals_pos -= STRLENs("utf8::");
		76	+ lookup_name += STRLENs("utf8::");
		77	+ j -= STRLENs("utf8::");
		78	+ equals_pos -= STRLENs("utf8::");
		79	+ i_zero = STRLENs("utf8::"); /* When resetting 'i' to reparse
		80	+ from the beginning, it has to be
		81	+ set past what we're stripping
		82	+ off */
		83	}
		84
		85	/* Here, we are either done with the whole property name, if it was simple;
		86	@@ -22997,7 +23001,8 @@ Perl_parse_uniprop_string(pTHX_
		87
		88	/* We set the inputs back to 0 and the code below will reparse,
		89	* using strict */
		90	- i = j = 0;
		91	+ i = i_zero;
		92	+ j = 0;
		93	}
		94	}
		95
		96	@@ -23018,7 +23023,7 @@ Perl_parse_uniprop_string(pTHX_
		97	* separates two digits */
		98	if (cur == '_') {
		99	if ( stricter
		100	- && ( i == 0 \|\| (int) i == equals_pos \|\| i == name_len- 1
		101	+ && ( i == i_zero \|\| (int) i == equals_pos \|\| i == name_len- 1
		102	\|\| ! isDIGIT_A(name[i-1]) \|\| ! isDIGIT_A(name[i+1])))
		103	{
		104	lookup_name[j++] = '_';
		105	--- a/t/re/pat_advanced.t
		106	+++ b/t/re/pat_advanced.t
		107	@@ -2524,6 +2524,14 @@ EOF
		108	"", {}, "*COMMIT caused positioning beyond EOS");
		109	}
		110
		111	+ { # perl-security#140, read/write past buffer end
		112	+ fresh_perl_like('qr/\p{utf8::perl x}/',
		113	+ qr/Illegal user-defined property name "utf8::perl x" in regex/,
		114	+ {}, "perl-security#140");
		115	+ fresh_perl_is('qr/\p{utf8::_perl_surrogate}/', "",
		116	+ {}, "perl-security#140");
		117	+ }
		118	+
		119
		120	# !!! NOTE that tests that aren't at all likely to crash perl should go
		121	# a ways above, above these last ones. There's a comment there that, like


diff --git a/meta/recipes-devtools/perl/perl_5.30.1.bb b/meta/recipes-devtools/perl/perl_5.30.1.bb index 9bb94e7caa..4b5a4a5619 100644 --- a/meta/recipes-devtools/perl/perl_5.30.1.bb +++ b/meta/recipes-devtools/perl/perl_5.30.1.bb
@@ -29,6 +29,8 @@ SRC_URI = "https://www.cpan.org/src/5.0/perl-${PV}.tar.gz;name=perl \
29	file://CVE-2020-10878_1.patch \	29	file://CVE-2020-10878_1.patch \
30	file://CVE-2020-10878_2.patch \	30	file://CVE-2020-10878_2.patch \
31	file://CVE-2020-12723.patch \	31	file://CVE-2020-12723.patch \
		32	file://CVE-2023-31484.patch \
		33	file://CVE-2023-47038.patch \
32	"	34	"
33	SRC_URI_append_class-native = " \	35	SRC_URI_append_class-native = " \
34	file://perl-configpm-switch.patch \	36	file://perl-configpm-switch.patch \