perl update for squeeze
On Mon, Dec 19, 2011 at 12:58:35PM +0000, Adam D. Barratt wrote:
> On 19.12.2011 11:30, Dominic Hargreaves wrote:
> >The security team has asked that we fix a couple of no-dsa issues in
> >the next squeeze point release. This bug
> >(http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=604902) was also
> >queued for a point release update.
> >
> >The proposed patch
> >
> ><http://perl5.git.perl.org/perl.git/commit/01be0729981136a058cce07a897ccdb94609e1c0>
> >
> >has been confirmed by the bug submitter as fixing the problem.
> >
> >Could you approve this fix for stable?
>
> The patch looks like it would be okay; thanks. However, in order to
> approve the upload for a point release, we'd need to see full
> debdiffs for the proposed package which would be uploaded.
Current debdiff (without finalised changelog) attached.
Cheers,
Dominic.
--
Dominic Hargreaves | http://www.larted.org.uk/~dom/
PGP key 5178E2A5 from the.earth.li (keyserver,web,email)
diff --git a/debian/changelog b/debian/changelog
index cb90d02..cda36a6 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,14 @@
+perl (5.10.1-17squeeze3) UNRELEASED; urgency=low
+
+ * [SECURITY] CVE-2011-2939: Fix decode_xs n-byte heap-overflow security
+ bug in Unicode.xs (Closes: #637376)
+ * [SECURITY] CVE-2011-3597: Fix unsafe use of eval in Digest->new();
+ thanks to Ansgar Burchardt for the notification (Closes: #644108)
+ * Unregister signal handler before destroying my_perl; fixes segfault
+ (Closes: #604902)
+
+ -- Dominic Hargreaves <dom@earth.li> Wed, 17 Aug 2011 00:24:10 +0100
+
perl (5.10.1-17squeeze2) stable-security; urgency=low
* [SECURITY] CVE-2010-1447: further Safe.pm fixes for breaking out
diff --git a/debian/patches/fixes/digest_eval_hole.diff b/debian/patches/fixes/digest_eval_hole.diff
new file mode 100644
index 0000000..9448534
--- /dev/null
+++ b/debian/patches/fixes/digest_eval_hole.diff
@@ -0,0 +1,33 @@
+From: "Michael G. Schwern" <schwern@pobox.com>
+Date: Mon, 3 Oct 2011 19:05:29 +0100
+Subject: Close the eval "require $module" security hole in
+ Digest->new($algorithm)
+
+Also the filter was incomplete.
+
+Bug-Debian: http://bugs.debian.org/644108
+
+Index: perl-squeeze/lib/Digest.pm
+===================================================================
+--- perl-squeeze.orig/lib/Digest.pm 2011-12-18 16:53:18.000000000 +0000
++++ perl-squeeze/lib/Digest.pm 2011-12-18 16:53:24.000000000 +0000
+@@ -24,7 +24,7 @@
+ shift; # class ignored
+ my $algorithm = shift;
+ my $impl = $MMAP{$algorithm} || do {
+- $algorithm =~ s/\W+//;
++ $algorithm =~ s/\W+//g;
+ "Digest::$algorithm";
+ };
+ $impl = [$impl] unless ref($impl);
+@@ -35,7 +35,9 @@
+ ($class, @args) = @$class if ref($class);
+ no strict 'refs';
+ unless (exists ${"$class\::"}{"VERSION"}) {
+- eval "require $class";
++ my $pm_file = $class . ".pm";
++ $pm_file =~ s{::}{/}g;
++ eval { require $pm_file };
+ if ($@) {
+ $err ||= $@;
+ next;
diff --git a/debian/patches/fixes/encode-heap-overflow.diff b/debian/patches/fixes/encode-heap-overflow.diff
new file mode 100644
index 0000000..df8850f
--- /dev/null
+++ b/debian/patches/fixes/encode-heap-overflow.diff
@@ -0,0 +1,29 @@
+From 3424efe3eae609b9787fcd80f6f66b5e8f00272a Mon Sep 17 00:00:00 2001
+From: Chris 'BinGOs' Williams <chris@bingosnet.co.uk>
+Date: Wed, 17 Aug 2011 00:21:57 +0100
+Subject: [PATCH] Fix decode_xs n-byte heap-overflow security bug in
+ Unicode.xs
+
+---
+ ext/Encode/Unicode/Unicode.xs | 5 +++-
+ 3 files changed, 9 insertions(+), 57 deletions(-)
+
+diff --git a/ext/Encode/Unicode/Unicode.xs b/ext/Encode/Unicode/Unicode.xs
+index 1f041d4..92005db 100644
+--- a/ext/Encode/Unicode/Unicode.xs
++++ b/ext/Encode/Unicode/Unicode.xs
+@@ -246,7 +246,10 @@ CODE:
+ This prevents allocating too much in the rogue case of a large
+ input consisting initially of long sequence uft8-byte unicode
+ chars followed by single utf8-byte chars. */
+- STRLEN remaining = (e - s)/usize;
++ /* +1
++ fixes Unicode.xs!decode_xs n-byte heap-overflow
++ */
++ STRLEN remaining = (e - s)/usize + 1; /* +1 to avoid the leak */
+ STRLEN max_alloc = remaining + (8*1024*1024);
+ STRLEN est_alloc = remaining * UTF8_MAXLEN;
+ STRLEN newlen = SvLEN(result) + /* min(max_alloc, est_alloc) */
+--
+1.7.5.4
+
diff --git a/debian/patches/fixes/unregister_signal_handler.diff b/debian/patches/fixes/unregister_signal_handler.diff
new file mode 100644
index 0000000..cd8bf9f
--- /dev/null
+++ b/debian/patches/fixes/unregister_signal_handler.diff
@@ -0,0 +1,44 @@
+From 01be0729981136a058cce07a897ccdb94609e1c0 Mon Sep 17 00:00:00 2001
+From: John Wright <john@johnwright.org>
+Date: Wed, 6 May 2009 00:47:15 -0600
+Subject: [PATCH] main: Unregister signal handler before destroying my_perl
+
+If the signal handler runs after perl_destruct() has been called, it
+will get an invalid (or NULL) my_perl when it asks for the
+thread-specific interpreter struct. This patch resets the signal
+handler for any signal previously handled by PL_csighandlerp to SIG_DFL
+before calling perl_destruct().
+---
+ miniperlmain.c | 9 ++++++++-
+ 1 files changed, 8 insertions(+), 1 deletions(-)
+
+diff --git a/miniperlmain.c b/miniperlmain.c
+index f60a3e0..f2302c2 100644
+--- a/miniperlmain.c
++++ b/miniperlmain.c
+@@ -67,7 +67,7 @@ main(int argc, char **argv, char **env)
+ #endif
+ {
+ dVAR;
+- int exitstatus;
++ int exitstatus, i;
+ #ifdef PERL_GLOBAL_STRUCT
+ struct perl_vars *plvarsp = init_global_struct();
+ # ifdef PERL_GLOBAL_STRUCT_PRIVATE
+@@ -116,6 +116,13 @@ main(int argc, char **argv, char **env)
+ if (!exitstatus)
+ perl_run(my_perl);
+
++ /* Unregister our signal handler before destroying my_perl */
++ for (i = 0; PL_sig_name[i]; i++) {
++ if (rsignal_state(PL_sig_num[i]) == (Sighandler_t) PL_csighandlerp) {
++ rsignal(PL_sig_num[i], (Sighandler_t) SIG_DFL);
++ }
++ }
++
+ exitstatus = perl_destruct(my_perl);
+
+ perl_free(my_perl);
+--
+1.7.4.1
+
diff --git a/debian/patches/patchlevel b/debian/patches/patchlevel
index 4d9091f..b80b60e 100644
--- a/debian/patches/patchlevel
+++ b/debian/patches/patchlevel
@@ -1,4 +1,4 @@
-Subject: List packaged patches for 5.10.1-17squeeze2 in patchlevel.h
+Subject: List packaged patches for 5.10.1-17squeeze3 in patchlevel.h
Origin: vendor
Bug-Debian: http://bugs.debian.org/567489
@@ -8,7 +8,7 @@ The list can be refreshed from information in debian/patches by running
--- perl/patchlevel.bak
+++ perl/patchlevel.h
-@@ -133,0 +134,53 @@
+@@ -133,0 +134,56 @@
+ ,"DEBPKG:debian/arm_thread_stress_timeout - http://bugs.debian.org/501970 Raise the timeout of ext/threads/shared/t/stress.t to accommodate slower build hosts"
+ ,"DEBPKG:debian/cpan_config_path - Set location of CPAN::Config to /etc/perl as /usr may not be writable."
+ ,"DEBPKG:debian/cpan_definstalldirs - Provide a sensible INSTALLDIRS default for modules installed from CPAN."
@@ -61,4 +61,7 @@ The list can be refreshed from information in debian/patches by running
+ ,"DEBPKG:fixes/cgi-multiline-header - http://bugs.debian.org/606995 [CVE-2010-2761 CVE-2010-4410 CVE-2010-4411] CGI.pm MIME boundary and multiline header vulnerabilities"
+ ,"DEBPKG:fixes/casing-taint-cve-2011-1487 - http://bugs.debian.org/622817 [perl #87336] fix unwanted taint laundering in lc(), uc() et al."
+ ,"DEBPKG:fixes/safe-reval-rdo-cve-2010-1447 - [PATCH] Wrap by default coderefs returned by rdo and reval"
-+ ,"DEBPKG:patchlevel - http://bugs.debian.org/567489 List packaged patches for 5.10.1-17squeeze2 in patchlevel.h"
++ ,"DEBPKG:fixes/encode-heap-overflow - [PATCH] Fix decode_xs n-byte heap-overflow security bug in"
++ ,"DEBPKG:fixes/digest_eval_hole - Close the eval \"require $module\" security hole in"
++ ,"DEBPKG:fixes/unregister_signal_handler - [PATCH] main: Unregister signal handler before destroying my_perl"
++ ,"DEBPKG:patchlevel - http://bugs.debian.org/567489 List packaged patches for 5.10.1-17squeeze3 in patchlevel.h"
diff --git a/debian/patches/series b/debian/patches/series
index b49b0f7..bb93dca 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -50,4 +50,7 @@ fixes/concat-stack-corruption.diff -p1
fixes/cgi-multiline-header.diff -p1
fixes/casing-taint-cve-2011-1487.diff -p1
fixes/safe-reval-rdo-cve-2010-1447.diff -p1
+fixes/encode-heap-overflow.diff -p1
+fixes/digest_eval_hole.diff
+fixes/unregister_signal_handler.diff
patchlevel -p1
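Review bot: The two new entries `fixes/digest_eval_hole.diff` and `fixes/unregister_signal_handler.diff` omit the `-p1` that every neighbouring entry, and the `echo '$(patchlevelpatch) -p1'` in debian/rules, spell out. quilt's default strip level is 1, so both patches apply as written, but the mixed form invites a reader to assume the missing flag means `-p0`. Add ` -p1` to both lines to keep the series consistent.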
diff --git a/debian/rules b/debian/rules
index 96f2b8d..52e1f0b 100755
--- a/debian/rules
+++ b/debian/rules
@@ -436,6 +436,7 @@ refresh-patchlevel: $(patches)
grep -q $(patchlevelpatch) $(patches) || echo '$(patchlevelpatch) -p1' >> $(patches)
sed s/VERSION/$(package_version)/ debian/$(patchlevelpatch).head > debian/patches/$(patchlevelpatch)
perl debian/list-patches $(patchprefix) < $(patches) | \
+ sed -e 's/\"/\\\"/g' | \
xargs -d\\n -r perl -x patchlevel.h
diff --unified=0 patchlevel.bak patchlevel.h | \
filterdiff --remove-timestamps --addprefix perl/ >> debian/patches/$(patchlevelpatch)
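Review bot: The added `sed -e 's/\"/\\\"/g'` escapes double quotes for the C string literals written into patchlevel.h but leaves backslashes alone, so a patch Subject containing `\` would land as an unescaped backslash inside the literal and either alter the string or break the build; escape backslashes first, `sed -e 's/\\/\\\\/g' -e 's/"/\\"/g'`. The generated entries in the patchlevel.h hunk further down (`... security bug in"`, `... security hole in"`) also show that only the first line of a folded Subject: header is taken, so those two descriptions end mid-sentence; either unfold the Subject lines in the two new patch files or make list-patches join continuation lines. The refresh-patchlevel recipe continues outside the hunk.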
diff --git a/ext/Encode/Unicode/Unicode.xs b/ext/Encode/Unicode/Unicode.xs
index 1f041d4..92005db 100644
--- a/ext/Encode/Unicode/Unicode.xs
+++ b/ext/Encode/Unicode/Unicode.xs
@@ -246,7 +246,10 @@ CODE:
This prevents allocating too much in the rogue case of a large
input consisting initially of long sequence uft8-byte unicode
chars followed by single utf8-byte chars. */
- STRLEN remaining = (e - s)/usize;
+ /* +1
+ fixes Unicode.xs!decode_xs n-byte heap-overflow
+ */
+ STRLEN remaining = (e - s)/usize + 1; /* +1 to avoid the leak */
STRLEN max_alloc = remaining + (8*1024*1024);
STRLEN est_alloc = remaining * UTF8_MAXLEN;
STRLEN newlen = SvLEN(result) + /* min(max_alloc, est_alloc) */
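Review bot: The two new comments on `STRLEN remaining` say the same thing twice, and the trailing one calls the bug a "leak", which misdescribes a heap overflow; one comment stating why the extra unit is needed would serve readers better. Since `(e - s)/usize` truncates, presumably an input whose length is not a multiple of `usize` can still produce one more decoded character than the estimate allows, which is what the `+ 1` compensates for; confirm that reading against the upstream commit before wording it as fact. Suggested replacement for both comments: `/* Round up: (e - s)/usize truncates, so a trailing partial code unit would otherwise be missing from the estimate and the result buffer could be overrun (CVE-2011-2939). */`. The enclosing decode_xs CODE: block starts and ends outside the hunk.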
diff --git a/lib/Digest.pm b/lib/Digest.pm
index 384dfc8..d714434 100644
--- a/lib/Digest.pm
+++ b/lib/Digest.pm
@@ -24,7 +24,7 @@ sub new
shift; # class ignored
my $algorithm = shift;
my $impl = $MMAP{$algorithm} || do {
- $algorithm =~ s/\W+//;
+ $algorithm =~ s/\W+//g;
"Digest::$algorithm";
};
$impl = [$impl] unless ref($impl);
@@ -35,7 +35,9 @@ sub new
($class, @args) = @$class if ref($class);
no strict 'refs';
unless (exists ${"$class\::"}{"VERSION"}) {
- eval "require $class";
+ my $pm_file = $class . ".pm";
+ $pm_file =~ s{::}{/}g;
+ eval { require $pm_file };
if ($@) {
$err ||= $@;
next;
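Review bot: The new `require $pm_file` is only path-safe because of an invariant enforced in the hunk above and not stated here: `$class` is either a value from the `%MMAP` table or `"Digest::"` followed by `$algorithm` with every non-word run removed by `s/\W+//g`, so after `s{::}{/}g` the relative path cannot contain `.`, `/` or `..` components of its own. A comment above `my $pm_file` would keep a later edit to the first hunk from silently reopening the hole, e.g. `# $class is either a trusted %MMAP entry or "Digest::" . \w-only text (see above), so this relative path cannot escape the @INC directories; keep this a block eval, never a string eval`. Note that on Unicode-flagged input `\w` may admit non-ASCII letters, which still cannot form a path separator. The enclosing sub new and the loop that `next` leaves begin outside the hunk.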
diff --git a/miniperlmain.c b/miniperlmain.c
index f60a3e0..f2302c2 100644
--- a/miniperlmain.c
+++ b/miniperlmain.c
@@ -67,7 +67,7 @@ main(int argc, char **argv, char **env)
#endif
{
dVAR;
- int exitstatus;
+ int exitstatus, i;
#ifdef PERL_GLOBAL_STRUCT
struct perl_vars *plvarsp = init_global_struct();
# ifdef PERL_GLOBAL_STRUCT_PRIVATE
@@ -116,6 +116,13 @@ main(int argc, char **argv, char **env)
if (!exitstatus)
perl_run(my_perl);
+ /* Unregister our signal handler before destroying my_perl */
+ for (i = 0; PL_sig_name[i]; i++) {
+ if (rsignal_state(PL_sig_num[i]) == (Sighandler_t) PL_csighandlerp) {
+ rsignal(PL_sig_num[i], (Sighandler_t) SIG_DFL);
+ }
+ }
+
exitstatus = perl_destruct(my_perl);
perl_free(my_perl);
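Review bot: Resetting the handlers to SIG_DFL before `perl_destruct()` also precedes the END blocks if, as in upstream miniperlmain.c, `PL_exit_flags` has `PERL_EXIT_DESTRUCT_END` set, so a `%SIG` handler installed by the script no longer runs for a signal delivered during END and the signal takes its default action instead. That is a smaller risk than the use of a destroyed interpreter this fixes, but the comment should say so, e.g. `/* Reset to SIG_DFL every signal still routed to Perl's C handler: after perl_destruct() the handler would dereference a destroyed or NULL interpreter (Debian #604902). This also covers END blocks, which run inside perl_destruct(). */`. Index 0 of `PL_sig_name`/`PL_sig_num` is presumably the placeholder for signal 0, for which `rsignal_state()` can only report an error, so `for (i = 1; PL_sig_name[i]; i++)` is the cleaner start. The loop sits in main(), whose body starts and ends outside the hunk.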
diff --git a/patchlevel.h b/patchlevel.h
index 53506f4..4bd39fa 100644
--- a/patchlevel.h
+++ b/patchlevel.h
@@ -183,7 +183,10 @@ static const char * const local_patches[] = {
,"DEBPKG:fixes/cgi-multiline-header - http://bugs.debian.org/606995 [CVE-2010-2761 CVE-2010-4410 CVE-2010-4411] CGI.pm MIME boundary and multiline header vulnerabilities"
,"DEBPKG:fixes/casing-taint-cve-2011-1487 - http://bugs.debian.org/622817 [perl #87336] fix unwanted taint laundering in lc(), uc() et al."
,"DEBPKG:fixes/safe-reval-rdo-cve-2010-1447 - [PATCH] Wrap by default coderefs returned by rdo and reval"
- ,"DEBPKG:patchlevel - http://bugs.debian.org/567489 List packaged patches for 5.10.1-17squeeze2 in patchlevel.h"
+ ,"DEBPKG:fixes/encode-heap-overflow - [PATCH] Fix decode_xs n-byte heap-overflow security bug in"
+ ,"DEBPKG:fixes/digest_eval_hole - Close the eval \"require $module\" security hole in"
+ ,"DEBPKG:fixes/unregister_signal_handler - [PATCH] main: Unregister signal handler before destroying my_perl"
+ ,"DEBPKG:patchlevel - http://bugs.debian.org/567489 List packaged patches for 5.10.1-17squeeze3 in patchlevel.h"
,NULL
};