sysmo-bts
/
generic-poky
9
0
Fork 0
Code Pull Requests Releases Activity

perl: Backport 2 CVE Patches 

These patches are backported from upstream since it might be risky to update right now
They address the following CVEs

CVE-2012-6329
CVE-2013-1667

(From OE-Core rev: b6c286c447e50fe499f03b64c6be80ac18504265)

Signed-off-by: Saul Wold <sgw@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This commit is contained in:
Saul Wold 2013-08-29 13:21:57 -07:00 committed by Richard Purdie
parent 25b8cc8409
commit 116441d6dc
3 changed files with 267 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

86
meta/recipes-devtools/perl/perl-5.14.3/0001-Fix-misparsing-of-maketext-strings.patch Normal file
View File

@ -0,0 +1,86 @@
From 1735f6f53ca19f99c6e9e39496c486af323ba6a8 Mon Sep 17 00:00:00 2001
From: Brian Carlson <brian.carlson@cpanel.net>
Date: Wed, 28 Nov 2012 08:54:33 -0500
Subject: [PATCH] Fix misparsing of maketext strings.
Case 61251: This commit fixes a misparse of maketext strings that could
lead to arbitrary code execution. Basically, maketext was compiling
bracket notation into functions, but neglected to escape backslashes
inside the content or die on fully-qualified method names when
generating the code. This change escapes all such backslashes and dies
when a method name with a colon or apostrophe is specified.
---
AUTHORS | 1 +
dist/Locale-Maketext/lib/Locale/Maketext.pm | 24 ++++++++----------------
2 files changed, 9 insertions(+), 16 deletions(-)
Upstream-Status: Backport
Signed-off-by: Saul Wold <sgw@linux.intel.com>
diff --git a/AUTHORS b/AUTHORS
index 70734b0..009dea0 100644
--- a/AUTHORS
+++ b/AUTHORS
@@ -154,6 +154,7 @@ Breno G. de Oliveira <garu@cpan.org>
Brent Dax <brentdax@cpan.org>
Brooks D Boyd
Brian Callaghan <callagh@itginc.com>
+Brian Carlson <brian.carlson@cpanel.net>
Brian Clarke <clarke@appliedmeta.com>
brian d foy <brian.d.foy@gmail.com>
Brian Fraser <fraserbn@gmail.com>
diff --git a/dist/Locale-Maketext/lib/Locale/Maketext.pm b/dist/Locale-Maketext/lib/Locale/Maketext.pm
index 4822027..63e5fba 100644
--- a/dist/Locale-Maketext/lib/Locale/Maketext.pm
+++ b/dist/Locale-Maketext/lib/Locale/Maketext.pm
@@ -625,21 +625,9 @@ sub _compile {
# 0-length method name means to just interpolate:
push @code, ' (';
}
- elsif($m =~ /^\w+(?:\:\:\w+)*$/s
- and $m !~ m/(?:^|\:)\d/s
- # exclude starting a (sub)package or symbol with a digit
+ elsif($m =~ /^\w+$/s
+ # exclude anything fancy, especially fully-qualified module names
) {
- # Yes, it even supports the demented (and undocumented?)
- # $obj->Foo::bar(...) syntax.
- $target->_die_pointing(
- $string_to_compile, q{Can't use "SUPER::" in a bracket-group method},
- 2 + length($c[-1])
- )
- if $m =~ m/^SUPER::/s;
- # Because for SUPER:: to work, we'd have to compile this into
- # the right package, and that seems just not worth the bother,
- # unless someone convinces me otherwise.
-
push @code, ' $_[0]->' . $m . '(';
}
else {
@@ -693,7 +681,9 @@ sub _compile {
elsif(substr($1,0,1) ne '~') {
# it's stuff not containing "~" or "[" or "]"
# i.e., a literal blob
- $c[-1] .= $1;
+ my $text = $1;
+ $text =~ s/\\/\\\\/g;
+ $c[-1] .= $text;
}
elsif($1 eq '~~') { # "~~"
@@ -731,7 +721,9 @@ sub _compile {
else {
# It's a "~X" where X is not a special character.
# Consider it a literal ~ and X.
- $c[-1] .= $1;
+ my $text = $1;
+ $text =~ s/\\/\\\\/g;
+ $c[-1] .= $text;
}
}
}
--
1.8.3.1

178
meta/recipes-devtools/perl/perl-5.14.3/0001-Prevent-premature-hsplit-calls-and-only-trigger-REHA.patch Normal file
View File

@ -0,0 +1,178 @@
From d59e31fc729d8a39a774f03bc6bc457029a7aef2 Mon Sep 17 00:00:00 2001
From: Yves Orton <demerphq@gmail.com>
Date: Tue, 12 Feb 2013 10:53:05 +0100
Subject: [PATCH] Prevent premature hsplit() calls, and only trigger REHASH
after hsplit()
Triggering a hsplit due to long chain length allows an attacker
to create a carefully chosen set of keys which can cause the hash
to use 2 * (2**32) * sizeof(void *) bytes ram. AKA a DOS via memory
exhaustion. Doing so also takes non trivial time.
Eliminating this check, and only inspecting chain length after a
normal hsplit() (triggered when keys>buckets) prevents the attack
entirely, and makes such attacks relatively benign.
(cherry picked from commit f1220d61455253b170e81427c9d0357831ca0fac)
Upstream-Status: Backport
Signed-off-by: Saul Wold <sgw@linux.intel.com>
---
ext/Hash-Util-FieldHash/t/10_hash.t | 18 ++++++++++++++++--
hv.c | 35 ++++++++---------------------------
t/op/hash.t | 20 +++++++++++++++++---
3 files changed, 41 insertions(+), 32 deletions(-)
diff --git a/ext/Hash-Util-FieldHash/t/10_hash.t b/ext/Hash-Util-FieldHash/t/10_hash.t
index 2cfb4e8..d58f053 100644
--- a/ext/Hash-Util-FieldHash/t/10_hash.t
+++ b/ext/Hash-Util-FieldHash/t/10_hash.t
@@ -38,15 +38,29 @@ use constant START => "a";
# some initial hash data
fieldhash my %h2;
-%h2 = map {$_ => 1} 'a'..'cc';
+my $counter= "a";
+$h2{$counter++}++ while $counter ne 'cd';
ok (!Internals::HvREHASH(%h2),
"starting with pre-populated non-pathological hash (rehash flag if off)");
my @keys = get_keys(\%h2);
+my $buckets= buckets(\%h2);
$h2{$_}++ for @keys;
+$h2{$counter++}++ while buckets(\%h2) == $buckets; # force a split
ok (Internals::HvREHASH(%h2),
- scalar(@keys) . " colliding into the same bucket keys are triggering rehash");
+ scalar(@keys) . " colliding into the same bucket keys are triggering rehash after split");
+
+# returns the number of buckets in a hash
+sub buckets {
+ my $hr = shift;
+ my $keys_buckets= scalar(%$hr);
+ if ($keys_buckets=~m!/([0-9]+)\z!) {
+ return 0+$1;
+ } else {
+ return 8;
+ }
+}
sub get_keys {
my $hr = shift;
diff --git a/hv.c b/hv.c
index 2be1feb..abb9d76 100644
--- a/hv.c
+++ b/hv.c
@@ -35,7 +35,8 @@ holds the key and hash value.
#define PERL_HASH_INTERNAL_ACCESS
#include "perl.h"
-#define HV_MAX_LENGTH_BEFORE_SPLIT 14
+#define HV_MAX_LENGTH_BEFORE_REHASH 14
+#define SHOULD_DO_HSPLIT(xhv) ((xhv)->xhv_keys > (xhv)->xhv_max) /* HvTOTALKEYS(hv) > HvMAX(hv) */
static const char S_strtab_error[]
= "Cannot modify shared string table in hv_%s";
@@ -794,29 +795,9 @@ Perl_hv_common(pTHX_ HV *hv, SV *keysv, const char *key, STRLEN klen,
if (masked_flags & HVhek_ENABLEHVKFLAGS)
HvHASKFLAGS_on(hv);
- {
- const HE *counter = HeNEXT(entry);
-
- xhv->xhv_keys++; /* HvTOTALKEYS(hv)++ */
- if (!counter) { /* initial entry? */
- } else if (xhv->xhv_keys > xhv->xhv_max) {
- /* Use only the old HvKEYS(hv) > HvMAX(hv) condition to limit
- bucket splits on a rehashed hash, as we're not going to
- split it again, and if someone is lucky (evil) enough to
- get all the keys in one list they could exhaust our memory
- as we repeatedly double the number of buckets on every
- entry. Linear search feels a less worse thing to do. */
- hsplit(hv);
- } else if(!HvREHASH(hv)) {
- U32 n_links = 1;
-
- while ((counter = HeNEXT(counter)))
- n_links++;
-
- if (n_links > HV_MAX_LENGTH_BEFORE_SPLIT) {
- hsplit(hv);
- }
- }
+ xhv->xhv_keys++; /* HvTOTALKEYS(hv)++ */
+ if ( SHOULD_DO_HSPLIT(xhv) ) {
+ hsplit(hv);
}
if (return_svp) {
@@ -1192,7 +1173,7 @@ S_hsplit(pTHX_ HV *hv)
/* Pick your policy for "hashing isn't working" here: */
- if (longest_chain <= HV_MAX_LENGTH_BEFORE_SPLIT /* split worked? */
+ if (longest_chain <= HV_MAX_LENGTH_BEFORE_REHASH /* split worked? */
|| HvREHASH(hv)) {
return;
}
@@ -2831,8 +2812,8 @@ S_share_hek_flags(pTHX_ const char *str, I32 len, register U32 hash, int flags)
xhv->xhv_keys++; /* HvTOTALKEYS(hv)++ */
if (!next) { /* initial entry? */
- } else if (xhv->xhv_keys > xhv->xhv_max /* HvKEYS(hv) > HvMAX(hv) */) {
- hsplit(PL_strtab);
+ } else if ( SHOULD_DO_HSPLIT(xhv) ) {
+ hsplit(PL_strtab);
}
}
diff --git a/t/op/hash.t b/t/op/hash.t
index 278bea7..201260a 100644
--- a/t/op/hash.t
+++ b/t/op/hash.t
@@ -39,22 +39,36 @@ use constant THRESHOLD => 14;
use constant START => "a";
# some initial hash data
-my %h2 = map {$_ => 1} 'a'..'cc';
+my %h2;
+my $counter= "a";
+$h2{$counter++}++ while $counter ne 'cd';
ok (!Internals::HvREHASH(%h2),
"starting with pre-populated non-pathological hash (rehash flag if off)");
my @keys = get_keys(\%h2);
+my $buckets= buckets(\%h2);
$h2{$_}++ for @keys;
+$h2{$counter++}++ while buckets(\%h2) == $buckets; # force a split
ok (Internals::HvREHASH(%h2),
- scalar(@keys) . " colliding into the same bucket keys are triggering rehash");
+ scalar(@keys) . " colliding into the same bucket keys are triggering rehash after split");
+
+# returns the number of buckets in a hash
+sub buckets {
+ my $hr = shift;
+ my $keys_buckets= scalar(%$hr);
+ if ($keys_buckets=~m!/([0-9]+)\z!) {
+ return 0+$1;
+ } else {
+ return 8;
+ }
+}
sub get_keys {
my $hr = shift;
# the minimum of bits required to mount the attack on a hash
my $min_bits = log(THRESHOLD)/log(2);
-
# if the hash has already been populated with a significant amount
# of entries the number of mask bits can be higher
my $keys = scalar keys %$hr;
--
1.8.3.1

3
meta/recipes-devtools/perl/perl_5.14.3.bb
View File

@ -65,6 +65,9 @@ SRC_URI = "http://www.cpan.org/src/5.0/perl-${PV}.tar.gz \
file://perl-archlib-exp.patch \
file://dynaloaderhack.patch \
\
file://0001-Fix-misparsing-of-maketext-strings.patch \
file://0001-Prevent-premature-hsplit-calls-and-only-trigger-REHA.patch \
\
file://config.sh \
file://config.sh-32 \
file://config.sh-32-le \