2 files changed, 114 insertions, 0 deletions
diff --git a/meta/recipes-devtools/perl/perl/perl-fix-CVE-2016-2381.patch b/meta/recipes-devtools/perl/perl/perl-fix-CVE-2016-2381.patch
new file mode 100644
index 0000000000..0033ae0f63
--- /dev/null
+++ b/meta/recipes-devtools/perl/perl/perl-fix-CVE-2016-2381.patch
@@ -0,0 +1,113 @@
+Upstream-Status: Backport
+Backport patch to fix CVE-2016-2381 from
+http://perl5.git.perl.org/perl.git/commitdiff/ae37b791a73a9e78dedb89fb2429d2628cf58076
+Signed-off-by: Kai Kang <kai.kang@windriver.com>
+---
+From: Tony Cook <tony@develop-help.com>
+Date: Wed, 27 Jan 2016 00:52:15 +0000 (+1100)
+Subject: remove duplicate environment variables from environ
+X-Git-Tag: v5.23.9~170
+X-Git-Url: http://perl5.git.perl.org/perl.git/commitdiff_plain/ae37b791a73a9e78dedb89fb2429d2628cf58076
+remove duplicate environment variables from environ
+If we see duplicate environment variables while iterating over
+environ[]:
+a) make sure we use the same value in %ENV that getenv() returns.
+Previously on a duplicate, %ENV would have the last entry for the name
+from environ[], but a typical getenv() would return the first entry.
+Rather than assuming all getenv() implementations return the first entry
+explicitly call getenv() to ensure they agree.
+b) remove duplicate entries from environ
+Previously if there was a duplicate definition for a name in environ[]
+setting that name in %ENV could result in an unsafe value being passed
+to a child process, so ensure environ[] has no duplicates.
+CVE-2016-2381
+---
+diff --git a/perl.c b/perl.c
+index 4a324c6..5c71fd0 100644
+--- a/perl.c
+++ b/perl.c
+@@ -4329,23 +4329,70 @@ S_init_postdump_symbols(pTHX_ int argc, char **argv, char **env)
+        }
+        if (env) {
+          char *s, *old_var;
+          STRLEN nlen;
+          SV *sv;
+          HV *dups = newHV();
+
+          for (; *env; env++) {
+            old_var = *env;
+ 
+            if (!(s = strchr(old_var,'=')) || s == old_var)
+                continue;
+            nlen = s - old_var;
+ 
+ #if defined(MSDOS) && !defined(DJGPP)
+            *s = '\0';
+            (void)strupr(old_var);
+            *s = '=';
+ #endif
+-           sv = newSVpv(s+1, 0);
+-           (void)hv_store(hv, old_var, s - old_var, sv, 0);
+            if (hv_exists(hv, old_var, nlen)) {
+                const char *name = savepvn(old_var, nlen);
+
+                /* make sure we use the same value as getenv(), otherwise code that
+                   uses getenv() (like setlocale()) might see a different value to %ENV
+                 */
+                sv = newSVpv(PerlEnv_getenv(name), 0);
+
+                /* keep a count of the dups of this name so we can de-dup environ later */
+                if (hv_exists(dups, name, nlen))
+                    ++SvIVX(*hv_fetch(dups, name, nlen, 0));
+                else
+                    (void)hv_store(dups, name, nlen, newSViv(1), 0);
+
+                Safefree(name);
+            }
+            else {
+                sv = newSVpv(s+1, 0);
+            }
+           (void)hv_store(hv, old_var, nlen, sv, 0);
+            if (env_is_not_environ)
+                mg_set(sv);
+          }
+          if (HvKEYS(dups)) {
+              /* environ has some duplicate definitions, remove them */
+              HE *entry;
+              hv_iterinit(dups);
+              while ((entry = hv_iternext_flags(dups, 0))) {
+                  STRLEN nlen;
+                  const char *name = HePV(entry, nlen);
+                  IV count = SvIV(HeVAL(entry));
+                  IV i;
+                  SV **valp = hv_fetch(hv, name, nlen, 0);
+
+                  assert(valp);
+
+                  /* try to remove any duplicate names, depending on the
+                   * implementation used in my_setenv() the iteration might
+                   * not be necessary, but let's be safe.
+                   */
+                  for (i = 0; i < count; ++i)
+                      my_setenv(name, 0);
+
+                  /* and set it back to the value we set $ENV{name} to */
+                  my_setenv(name, SvPV_nolen(*valp));
+              }
+          }
+          SvREFCNT_dec_NN(dups);
+       }
+ #endif /* USE_ENVIRON_ARRAY */
+ #endif /* !PERL_MICRO */
diff --git a/meta/recipes-devtools/perl/perl_5.22.1.bb b/meta/recipes-devtools/perl/perl_5.22.1.bb
index 3bd0a6debc..04a2b6f481 100644
--- a/meta/recipes-devtools/perl/perl_5.22.1.bb
+++ b/meta/recipes-devtools/perl/perl_5.22.1.bb
@@ -65,6 +65,7 @@ SRC_URI += " \
        file://perl-errno-generation-gcc5.patch \
        file://perl-fix-conflict-between-skip_all-and-END.patch \
        file://perl-test-customized.patch \
+        file://perl-fix-CVE-2016-2381.patch \
 "
 # Fix test case issues

diff --git a/meta/recipes-devtools/perl/perl/perl-fix-CVE-2016-2381.patch b/meta/recipes-devtools/perl/perl/perl-fix-CVE-2016-2381.patch new file mode 100644 index 0000000000..0033ae0f63 --- /dev/null +++ b/meta/recipes-devtools/perl/perl/perl-fix-CVE-2016-2381.patch
@@ -0,0 +1,113 @@
		1	Upstream-Status: Backport
		2
		3	Backport patch to fix CVE-2016-2381 from
		4
		5	http://perl5.git.perl.org/perl.git/commitdiff/ae37b791a73a9e78dedb89fb2429d2628cf58076
		6
		7	Signed-off-by: Kai Kang <kai.kang@windriver.com>
		8	---
		9	From: Tony Cook <tony@develop-help.com>
		10	Date: Wed, 27 Jan 2016 00:52:15 +0000 (+1100)
		11	Subject: remove duplicate environment variables from environ
		12	X-Git-Tag: v5.23.9~170
		13	X-Git-Url: http://perl5.git.perl.org/perl.git/commitdiff_plain/ae37b791a73a9e78dedb89fb2429d2628cf58076
		14
		15	remove duplicate environment variables from environ
		16
		17	If we see duplicate environment variables while iterating over
		18	environ[]:
		19
		20	a) make sure we use the same value in %ENV that getenv() returns.
		21
		22	Previously on a duplicate, %ENV would have the last entry for the name
		23	from environ[], but a typical getenv() would return the first entry.
		24
		25	Rather than assuming all getenv() implementations return the first entry
		26	explicitly call getenv() to ensure they agree.
		27
		28	b) remove duplicate entries from environ
		29
		30	Previously if there was a duplicate definition for a name in environ[]
		31	setting that name in %ENV could result in an unsafe value being passed
		32	to a child process, so ensure environ[] has no duplicates.
		33
		34	CVE-2016-2381
		35	---
		36
		37	diff --git a/perl.c b/perl.c
		38	index 4a324c6..5c71fd0 100644
		39	--- a/perl.c
		40	+++ b/perl.c
		41	@@ -4329,23 +4329,70 @@ S_init_postdump_symbols(pTHX_ int argc, char argv, char env)
		42	}
		43	if (env) {
		44	char s, old_var;
		45	+ STRLEN nlen;
		46	SV *sv;
		47	+ HV *dups = newHV();
		48	+
		49	for (; *env; env++) {
		50	old_var = *env;
		51
		52	if (!(s = strchr(old_var,'=')) \|\| s == old_var)
		53	continue;
		54	+ nlen = s - old_var;
		55
		56	#if defined(MSDOS) && !defined(DJGPP)
		57	*s = '\0';
		58	(void)strupr(old_var);
		59	*s = '=';
		60	#endif
		61	- sv = newSVpv(s+1, 0);
		62	- (void)hv_store(hv, old_var, s - old_var, sv, 0);
		63	+ if (hv_exists(hv, old_var, nlen)) {
		64	+ const char *name = savepvn(old_var, nlen);
		65	+
		66	+ /* make sure we use the same value as getenv(), otherwise code that
		67	+ uses getenv() (like setlocale()) might see a different value to %ENV
		68	+ */
		69	+ sv = newSVpv(PerlEnv_getenv(name), 0);
		70	+
		71	+ /* keep a count of the dups of this name so we can de-dup environ later */
		72	+ if (hv_exists(dups, name, nlen))
		73	+ ++SvIVX(*hv_fetch(dups, name, nlen, 0));
		74	+ else
		75	+ (void)hv_store(dups, name, nlen, newSViv(1), 0);
		76	+
		77	+ Safefree(name);
		78	+ }
		79	+ else {
		80	+ sv = newSVpv(s+1, 0);
		81	+ }
		82	+ (void)hv_store(hv, old_var, nlen, sv, 0);
		83	if (env_is_not_environ)
		84	mg_set(sv);
		85	}
		86	+ if (HvKEYS(dups)) {
		87	+ /* environ has some duplicate definitions, remove them */
		88	+ HE *entry;
		89	+ hv_iterinit(dups);
		90	+ while ((entry = hv_iternext_flags(dups, 0))) {
		91	+ STRLEN nlen;
		92	+ const char *name = HePV(entry, nlen);
		93	+ IV count = SvIV(HeVAL(entry));
		94	+ IV i;
		95	+ SV **valp = hv_fetch(hv, name, nlen, 0);
		96	+
		97	+ assert(valp);
		98	+
		99	+ /* try to remove any duplicate names, depending on the
		100	+ * implementation used in my_setenv() the iteration might
		101	+ * not be necessary, but let's be safe.
		102	+ */
		103	+ for (i = 0; i < count; ++i)
		104	+ my_setenv(name, 0);
		105	+
		106	+ /* and set it back to the value we set $ENV{name} to */
		107	+ my_setenv(name, SvPV_nolen(*valp));
		108	+ }
		109	+ }
		110	+ SvREFCNT_dec_NN(dups);
		111	}
		112	#endif /* USE_ENVIRON_ARRAY */
		113	#endif /* !PERL_MICRO */


diff --git a/meta/recipes-devtools/perl/perl_5.22.1.bb b/meta/recipes-devtools/perl/perl_5.22.1.bb index 3bd0a6debc..04a2b6f481 100644 --- a/meta/recipes-devtools/perl/perl_5.22.1.bb +++ b/meta/recipes-devtools/perl/perl_5.22.1.bb
@@ -65,6 +65,7 @@ SRC_URI += " \
65	file://perl-errno-generation-gcc5.patch \	65	file://perl-errno-generation-gcc5.patch \
66	file://perl-fix-conflict-between-skip_all-and-END.patch \	66	file://perl-fix-conflict-between-skip_all-and-END.patch \
67	file://perl-test-customized.patch \	67	file://perl-test-customized.patch \
		68	file://perl-fix-CVE-2016-2381.patch \
68	"	69	"
69		70
70	# Fix test case issues	71	# Fix test case issues