perl: Backport 2 CVE Patches
These patches are backported from upstream since it might be risky to update right now They address the following CVEs CVE-2012-6329 CVE-2013-1667 (From OE-Core rev: b6c286c447e50fe499f03b64c6be80ac18504265) Signed-off-by: Saul Wold <sgw@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This commit is contained in:
parent
25b8cc8409
commit
116441d6dc
|
@ -0,0 +1,86 @@
|
|||
From 1735f6f53ca19f99c6e9e39496c486af323ba6a8 Mon Sep 17 00:00:00 2001
|
||||
From: Brian Carlson <brian.carlson@cpanel.net>
|
||||
Date: Wed, 28 Nov 2012 08:54:33 -0500
|
||||
Subject: [PATCH] Fix misparsing of maketext strings.
|
||||
|
||||
Case 61251: This commit fixes a misparse of maketext strings that could
|
||||
lead to arbitrary code execution. Basically, maketext was compiling
|
||||
bracket notation into functions, but neglected to escape backslashes
|
||||
inside the content or die on fully-qualified method names when
|
||||
generating the code. This change escapes all such backslashes and dies
|
||||
when a method name with a colon or apostrophe is specified.
|
||||
---
|
||||
AUTHORS | 1 +
|
||||
dist/Locale-Maketext/lib/Locale/Maketext.pm | 24 ++++++++----------------
|
||||
2 files changed, 9 insertions(+), 16 deletions(-)
|
||||
|
||||
Upstream-Status: Backport
|
||||
|
||||
Signed-off-by: Saul Wold <sgw@linux.intel.com>
|
||||
|
||||
|
||||
diff --git a/AUTHORS b/AUTHORS
|
||||
index 70734b0..009dea0 100644
|
||||
--- a/AUTHORS
|
||||
+++ b/AUTHORS
|
||||
@@ -154,6 +154,7 @@ Breno G. de Oliveira <garu@cpan.org>
|
||||
Brent Dax <brentdax@cpan.org>
|
||||
Brooks D Boyd
|
||||
Brian Callaghan <callagh@itginc.com>
|
||||
+Brian Carlson <brian.carlson@cpanel.net>
|
||||
Brian Clarke <clarke@appliedmeta.com>
|
||||
brian d foy <brian.d.foy@gmail.com>
|
||||
Brian Fraser <fraserbn@gmail.com>
|
||||
diff --git a/dist/Locale-Maketext/lib/Locale/Maketext.pm b/dist/Locale-Maketext/lib/Locale/Maketext.pm
|
||||
index 4822027..63e5fba 100644
|
||||
--- a/dist/Locale-Maketext/lib/Locale/Maketext.pm
|
||||
+++ b/dist/Locale-Maketext/lib/Locale/Maketext.pm
|
||||
@@ -625,21 +625,9 @@ sub _compile {
|
||||
# 0-length method name means to just interpolate:
|
||||
push @code, ' (';
|
||||
}
|
||||
- elsif($m =~ /^\w+(?:\:\:\w+)*$/s
|
||||
- and $m !~ m/(?:^|\:)\d/s
|
||||
- # exclude starting a (sub)package or symbol with a digit
|
||||
+ elsif($m =~ /^\w+$/s
|
||||
+ # exclude anything fancy, especially fully-qualified module names
|
||||
) {
|
||||
- # Yes, it even supports the demented (and undocumented?)
|
||||
- # $obj->Foo::bar(...) syntax.
|
||||
- $target->_die_pointing(
|
||||
- $string_to_compile, q{Can't use "SUPER::" in a bracket-group method},
|
||||
- 2 + length($c[-1])
|
||||
- )
|
||||
- if $m =~ m/^SUPER::/s;
|
||||
- # Because for SUPER:: to work, we'd have to compile this into
|
||||
- # the right package, and that seems just not worth the bother,
|
||||
- # unless someone convinces me otherwise.
|
||||
-
|
||||
push @code, ' $_[0]->' . $m . '(';
|
||||
}
|
||||
else {
|
||||
@@ -693,7 +681,9 @@ sub _compile {
|
||||
elsif(substr($1,0,1) ne '~') {
|
||||
# it's stuff not containing "~" or "[" or "]"
|
||||
# i.e., a literal blob
|
||||
- $c[-1] .= $1;
|
||||
+ my $text = $1;
|
||||
+ $text =~ s/\\/\\\\/g;
|
||||
+ $c[-1] .= $text;
|
||||
|
||||
}
|
||||
elsif($1 eq '~~') { # "~~"
|
||||
@@ -731,7 +721,9 @@ sub _compile {
|
||||
else {
|
||||
# It's a "~X" where X is not a special character.
|
||||
# Consider it a literal ~ and X.
|
||||
- $c[-1] .= $1;
|
||||
+ my $text = $1;
|
||||
+ $text =~ s/\\/\\\\/g;
|
||||
+ $c[-1] .= $text;
|
||||
}
|
||||
}
|
||||
}
|
||||
--
|
||||
1.8.3.1
|
||||
|
|
@ -0,0 +1,178 @@
|
|||
From d59e31fc729d8a39a774f03bc6bc457029a7aef2 Mon Sep 17 00:00:00 2001
|
||||
From: Yves Orton <demerphq@gmail.com>
|
||||
Date: Tue, 12 Feb 2013 10:53:05 +0100
|
||||
Subject: [PATCH] Prevent premature hsplit() calls, and only trigger REHASH
|
||||
after hsplit()
|
||||
|
||||
Triggering a hsplit due to long chain length allows an attacker
|
||||
to create a carefully chosen set of keys which can cause the hash
|
||||
to use 2 * (2**32) * sizeof(void *) bytes ram. AKA a DOS via memory
|
||||
exhaustion. Doing so also takes non trivial time.
|
||||
|
||||
Eliminating this check, and only inspecting chain length after a
|
||||
normal hsplit() (triggered when keys>buckets) prevents the attack
|
||||
entirely, and makes such attacks relatively benign.
|
||||
|
||||
(cherry picked from commit f1220d61455253b170e81427c9d0357831ca0fac)
|
||||
|
||||
Upstream-Status: Backport
|
||||
|
||||
Signed-off-by: Saul Wold <sgw@linux.intel.com>
|
||||
|
||||
|
||||
---
|
||||
ext/Hash-Util-FieldHash/t/10_hash.t | 18 ++++++++++++++++--
|
||||
hv.c | 35 ++++++++---------------------------
|
||||
t/op/hash.t | 20 +++++++++++++++++---
|
||||
3 files changed, 41 insertions(+), 32 deletions(-)
|
||||
|
||||
diff --git a/ext/Hash-Util-FieldHash/t/10_hash.t b/ext/Hash-Util-FieldHash/t/10_hash.t
|
||||
index 2cfb4e8..d58f053 100644
|
||||
--- a/ext/Hash-Util-FieldHash/t/10_hash.t
|
||||
+++ b/ext/Hash-Util-FieldHash/t/10_hash.t
|
||||
@@ -38,15 +38,29 @@ use constant START => "a";
|
||||
|
||||
# some initial hash data
|
||||
fieldhash my %h2;
|
||||
-%h2 = map {$_ => 1} 'a'..'cc';
|
||||
+my $counter= "a";
|
||||
+$h2{$counter++}++ while $counter ne 'cd';
|
||||
|
||||
ok (!Internals::HvREHASH(%h2),
|
||||
"starting with pre-populated non-pathological hash (rehash flag if off)");
|
||||
|
||||
my @keys = get_keys(\%h2);
|
||||
+my $buckets= buckets(\%h2);
|
||||
$h2{$_}++ for @keys;
|
||||
+$h2{$counter++}++ while buckets(\%h2) == $buckets; # force a split
|
||||
ok (Internals::HvREHASH(%h2),
|
||||
- scalar(@keys) . " colliding into the same bucket keys are triggering rehash");
|
||||
+ scalar(@keys) . " colliding into the same bucket keys are triggering rehash after split");
|
||||
+
|
||||
+# returns the number of buckets in a hash
|
||||
+sub buckets {
|
||||
+ my $hr = shift;
|
||||
+ my $keys_buckets= scalar(%$hr);
|
||||
+ if ($keys_buckets=~m!/([0-9]+)\z!) {
|
||||
+ return 0+$1;
|
||||
+ } else {
|
||||
+ return 8;
|
||||
+ }
|
||||
+}
|
||||
|
||||
sub get_keys {
|
||||
my $hr = shift;
|
||||
diff --git a/hv.c b/hv.c
|
||||
index 2be1feb..abb9d76 100644
|
||||
--- a/hv.c
|
||||
+++ b/hv.c
|
||||
@@ -35,7 +35,8 @@ holds the key and hash value.
|
||||
#define PERL_HASH_INTERNAL_ACCESS
|
||||
#include "perl.h"
|
||||
|
||||
-#define HV_MAX_LENGTH_BEFORE_SPLIT 14
|
||||
+#define HV_MAX_LENGTH_BEFORE_REHASH 14
|
||||
+#define SHOULD_DO_HSPLIT(xhv) ((xhv)->xhv_keys > (xhv)->xhv_max) /* HvTOTALKEYS(hv) > HvMAX(hv) */
|
||||
|
||||
static const char S_strtab_error[]
|
||||
= "Cannot modify shared string table in hv_%s";
|
||||
@@ -794,29 +795,9 @@ Perl_hv_common(pTHX_ HV *hv, SV *keysv, const char *key, STRLEN klen,
|
||||
if (masked_flags & HVhek_ENABLEHVKFLAGS)
|
||||
HvHASKFLAGS_on(hv);
|
||||
|
||||
- {
|
||||
- const HE *counter = HeNEXT(entry);
|
||||
-
|
||||
- xhv->xhv_keys++; /* HvTOTALKEYS(hv)++ */
|
||||
- if (!counter) { /* initial entry? */
|
||||
- } else if (xhv->xhv_keys > xhv->xhv_max) {
|
||||
- /* Use only the old HvKEYS(hv) > HvMAX(hv) condition to limit
|
||||
- bucket splits on a rehashed hash, as we're not going to
|
||||
- split it again, and if someone is lucky (evil) enough to
|
||||
- get all the keys in one list they could exhaust our memory
|
||||
- as we repeatedly double the number of buckets on every
|
||||
- entry. Linear search feels a less worse thing to do. */
|
||||
- hsplit(hv);
|
||||
- } else if(!HvREHASH(hv)) {
|
||||
- U32 n_links = 1;
|
||||
-
|
||||
- while ((counter = HeNEXT(counter)))
|
||||
- n_links++;
|
||||
-
|
||||
- if (n_links > HV_MAX_LENGTH_BEFORE_SPLIT) {
|
||||
- hsplit(hv);
|
||||
- }
|
||||
- }
|
||||
+ xhv->xhv_keys++; /* HvTOTALKEYS(hv)++ */
|
||||
+ if ( SHOULD_DO_HSPLIT(xhv) ) {
|
||||
+ hsplit(hv);
|
||||
}
|
||||
|
||||
if (return_svp) {
|
||||
@@ -1192,7 +1173,7 @@ S_hsplit(pTHX_ HV *hv)
|
||||
|
||||
|
||||
/* Pick your policy for "hashing isn't working" here: */
|
||||
- if (longest_chain <= HV_MAX_LENGTH_BEFORE_SPLIT /* split worked? */
|
||||
+ if (longest_chain <= HV_MAX_LENGTH_BEFORE_REHASH /* split worked? */
|
||||
|| HvREHASH(hv)) {
|
||||
return;
|
||||
}
|
||||
@@ -2831,8 +2812,8 @@ S_share_hek_flags(pTHX_ const char *str, I32 len, register U32 hash, int flags)
|
||||
|
||||
xhv->xhv_keys++; /* HvTOTALKEYS(hv)++ */
|
||||
if (!next) { /* initial entry? */
|
||||
- } else if (xhv->xhv_keys > xhv->xhv_max /* HvKEYS(hv) > HvMAX(hv) */) {
|
||||
- hsplit(PL_strtab);
|
||||
+ } else if ( SHOULD_DO_HSPLIT(xhv) ) {
|
||||
+ hsplit(PL_strtab);
|
||||
}
|
||||
}
|
||||
|
||||
diff --git a/t/op/hash.t b/t/op/hash.t
|
||||
index 278bea7..201260a 100644
|
||||
--- a/t/op/hash.t
|
||||
+++ b/t/op/hash.t
|
||||
@@ -39,22 +39,36 @@ use constant THRESHOLD => 14;
|
||||
use constant START => "a";
|
||||
|
||||
# some initial hash data
|
||||
-my %h2 = map {$_ => 1} 'a'..'cc';
|
||||
+my %h2;
|
||||
+my $counter= "a";
|
||||
+$h2{$counter++}++ while $counter ne 'cd';
|
||||
|
||||
ok (!Internals::HvREHASH(%h2),
|
||||
"starting with pre-populated non-pathological hash (rehash flag if off)");
|
||||
|
||||
my @keys = get_keys(\%h2);
|
||||
+my $buckets= buckets(\%h2);
|
||||
$h2{$_}++ for @keys;
|
||||
+$h2{$counter++}++ while buckets(\%h2) == $buckets; # force a split
|
||||
ok (Internals::HvREHASH(%h2),
|
||||
- scalar(@keys) . " colliding into the same bucket keys are triggering rehash");
|
||||
+ scalar(@keys) . " colliding into the same bucket keys are triggering rehash after split");
|
||||
+
|
||||
+# returns the number of buckets in a hash
|
||||
+sub buckets {
|
||||
+ my $hr = shift;
|
||||
+ my $keys_buckets= scalar(%$hr);
|
||||
+ if ($keys_buckets=~m!/([0-9]+)\z!) {
|
||||
+ return 0+$1;
|
||||
+ } else {
|
||||
+ return 8;
|
||||
+ }
|
||||
+}
|
||||
|
||||
sub get_keys {
|
||||
my $hr = shift;
|
||||
|
||||
# the minimum of bits required to mount the attack on a hash
|
||||
my $min_bits = log(THRESHOLD)/log(2);
|
||||
-
|
||||
# if the hash has already been populated with a significant amount
|
||||
# of entries the number of mask bits can be higher
|
||||
my $keys = scalar keys %$hr;
|
||||
--
|
||||
1.8.3.1
|
||||
|
|
@ -65,6 +65,9 @@ SRC_URI = "http://www.cpan.org/src/5.0/perl-${PV}.tar.gz \
|
|||
file://perl-archlib-exp.patch \
|
||||
file://dynaloaderhack.patch \
|
||||
\
|
||||
file://0001-Fix-misparsing-of-maketext-strings.patch \
|
||||
file://0001-Prevent-premature-hsplit-calls-and-only-trigger-REHA.patch \
|
||||
\
|
||||
file://config.sh \
|
||||
file://config.sh-32 \
|
||||
file://config.sh-32-le \
|
||||
|
|
Loading…
Reference in New Issue