From: Saul Wold <sgw@linux.intel.com>
To: rongqing.li@windriver.com, openembedded-core@lists.openembedded.org
Subject: Re: [PATCH] perl-5.14.3:fix CVE-2010-4777
Date: Mon, 19 May 2014 08:23:20 -0700
Message-ID: <537A21E8.5010000@linux.intel.com>
In-Reply-To: <1400124104-10777-1-git-send-email-rongqing.li@windriver.com>
On 05/14/2014 08:21 PM, rongqing.li@windriver.com wrote:
> From: "yanjun.zhu" <yanjun.zhu@windriver.com>
>
> The Perl_reg_numbered_buff_fetch function in Perl 5.10.0, 5.12.0,
> 5.14.0, and other versions, when running with debugging enabled,
> allows context-dependent attackers to cause a denial of service
> (assertion failure and application exit) via crafted input that
> is not properly handled when using certain regular expressions,
> as demonstrated by causing SpamAssassin and OCSInventory to
> crash.
>
> http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-4777
> Signed-off-by: yanjun.zhu <yanjun.zhu@windriver.com>
> Signed-off-by: Roy Li <rongqing.li@windriver.com>
> ---
> .../perl-5.14.3-fix-CVE-2010-4777.patch | 30 ++++++++++++++++++++
> meta/recipes-devtools/perl/perl-native_5.14.3.bb | 3 +-
> meta/recipes-devtools/perl/perl_5.14.3.bb | 3 +-
> 3 files changed, 34 insertions(+), 2 deletions(-)
> create mode 100644 meta/recipes-devtools/perl/perl-5.14.3/perl-5.14.3-fix-CVE-2010-4777.patch
>
> diff --git a/meta/recipes-devtools/perl/perl-5.14.3/perl-5.14.3-fix-CVE-2010-4777.patch b/meta/recipes-devtools/perl/perl-5.14.3/perl-5.14.3-fix-CVE-2010-4777.patch
> new file mode 100644
> index 0000000..bb726c8
> --- /dev/null
> +++ b/meta/recipes-devtools/perl/perl-5.14.3/perl-5.14.3-fix-CVE-2010-4777.patch
> @@ -0,0 +1,30 @@
Another .patch file missing Upstream-Status and Signed-off-by
Sau!
> +--- a/regcomp.c
> ++++ b/regcomp.c
> +@@ -11868,8 +11868,25 @@ Perl_save_re_context(pTHX)
> +
> + if (gvp) {
> + GV * const gv = *gvp;
> +- if (SvTYPE(gv) == SVt_PVGV && GvSV(gv))
> +- save_scalar(gv);
> ++ if (SvTYPE(gv) == SVt_PVGV && GvSV(gv)) {
> ++ /* this is a copy of save_scalar() without the GETMAGIC call, RT#76538 */
> ++ SV ** const sptr = &GvSVn(gv);
> ++ SV * osv = *sptr;
> ++ SV * nsv = newSV(0);
> ++ save_pushptrptr(SvREFCNT_inc_simple(gv),
> ++ SvREFCNT_inc(osv), SAVEt_SV);
> ++ if (SvTYPE(osv) >= SVt_PVMG && SvMAGIC(osv) &&
> ++ SvTYPE(osv) != SVt_PVGV) {
> ++ if (SvGMAGICAL(osv)) {
> ++ const bool oldtainted = PL_tainted;
> ++ SvFLAGS(osv) |= (SvFLAGS(osv) &
> ++ (SVp_IOK|SVp_NOK|SVp_POK)) >> PRIVSHIFT;
> ++ PL_tainted = oldtainted;
> ++ }
> ++ mg_localize(osv, nsv, 1);
> ++ }
> ++ *sptr = nsv;
> ++ }
> + }
> + }
> + }
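Review bot: the embedded regcomp.c hunk modifies Perl_save_re_context, while the commit message describes the assertion failure in Perl_reg_numbered_buff_fetch, and the .patch file carries no text that connects the two. Its 30 lines start directly at `--- a/regcomp.c`, so the only pointer to the origin is the `RT#76538` mention in the code comment. A short header in the .patch stating why dropping the GETMAGIC call from the save_scalar() copy addresses CVE-2010-4777 and where the change comes from, together with the Upstream-Status and Signed-off-by tags asked for above, would make the fix auditable. Separately, inside `if (SvGMAGICAL(osv))` the only statement between `const bool oldtainted = PL_tainted;` and `PL_tainted = oldtainted;` is the SvFLAGS(osv) update, so the save and restore of PL_tainted looks like a leftover from the copied function; either drop it or note in the comment that it is kept to stay close to save_scalar().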
> diff --git a/meta/recipes-devtools/perl/perl-native_5.14.3.bb b/meta/recipes-devtools/perl/perl-native_5.14.3.bb
> index 2ef0a51..c38be41 100644
> --- a/meta/recipes-devtools/perl/perl-native_5.14.3.bb
> +++ b/meta/recipes-devtools/perl/perl-native_5.14.3.bb
> @@ -17,7 +17,8 @@ SRC_URI = "http://www.cpan.org/src/5.0/perl-${PV}.tar.gz \
> file://MM_Unix.pm.patch \
> file://debian/errno_ver.diff \
> file://dynaloaderhack.patch \
> - file://perl-build-in-t-dir.patch"
> + file://perl-build-in-t-dir.patch \
> + file://perl-5.14.3-fix-CVE-2010-4777.patch "
>
> SRC_URI[md5sum] = "f6a3d878c688d111b495c87db56c5be5"
> SRC_URI[sha256sum] = "03638a4f01bc26b81231233671524b4163849a3a9ea5cc2397293080c4ea339f"
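Review bot: the added SRC_URI line ends with a space before the closing quote (`file://perl-5.14.3-fix-CVE-2010-4777.patch "`), whereas the line it replaces closed the string directly after the file name. Drop the trailing space so the value keeps the existing style; the same applies to the perl_5.14.3.bb hunk below.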
> diff --git a/meta/recipes-devtools/perl/perl_5.14.3.bb b/meta/recipes-devtools/perl/perl_5.14.3.bb
> index c307b99..fcd665b 100644
> --- a/meta/recipes-devtools/perl/perl_5.14.3.bb
> +++ b/meta/recipes-devtools/perl/perl_5.14.3.bb
> @@ -74,7 +74,8 @@ SRC_URI = "http://www.cpan.org/src/5.0/perl-${PV}.tar.gz \
> file://config.sh-32-be \
> file://config.sh-64 \
> file://config.sh-64-le \
> - file://config.sh-64-be"
> + file://config.sh-64-be \
> + file://perl-5.14.3-fix-CVE-2010-4777.patch "
> # file://debian/fakeroot.diff
>
> SRC_URI[md5sum] = "f6a3d878c688d111b495c87db56c5be5"
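Review bot: the new patch entry is appended after the `config.sh-*` entries and directly above the commented-out `# file://debian/fakeroot.diff` line, rather than next to other patch entries. If this recipe lists its other .patch files together earlier in SRC_URI, put the CVE fix with them so the applied patches can be read in one place.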
>
Thread overview: 3+ messages
2014-05-15 3:21 [PATCH] perl-5.14.3:fix CVE-2010-4777 rongqing.li
2014-05-19 15:23 ` Saul Wold [this message]
2014-05-20 1:27 ` [PATCH v2] perl: fix for CVE-2010-4777 rongqing.li