[pl/f18] Fix CVE-2012-6089

Petr Pisar ppisar at fedoraproject.org
Fri Jan 4 11:58:50 UTC 2013


commit b76393320087a342edab9ca9cb17809b96525fe5
Author: Petr Písař <ppisar at redhat.com>
Date:   Fri Jan 4 12:49:44 2013 +0100

    Fix CVE-2012-6089

 pl-6.0.2-CVE-2012-6089.patch |   90 ++++++++++++++++++++++++++++++++++++++++++
 pl.spec                      |    8 +++-
 2 files changed, 97 insertions(+), 1 deletions(-)
---
diff --git a/pl-6.0.2-CVE-2012-6089.patch b/pl-6.0.2-CVE-2012-6089.patch
new file mode 100644
index 0000000..21afa1b
--- /dev/null
+++ b/pl-6.0.2-CVE-2012-6089.patch
@@ -0,0 +1,90 @@
+From a9a6fc8a2a9cf3b9154b490a4b1ffaa8be4d723c Mon Sep 17 00:00:00 2001
+From: Jan Wielemaker <J.Wielemaker at cs.vu.nl>
+Date: Sun, 16 Dec 2012 18:13:17 +0100
+Subject: [PATCH] FIXED: Possible buffer overrun in patch canonisation code.
+
+Pushes pointers on an automatic array without checking for overflow.
+Can be used for DoS attacks.  Will be extremely hard to make it execute
+arbitrary code.
+---
+ src/os/pl-buffer.h |  2 ++
+ src/os/pl-os.c     | 19 +++++++++++--------
+ 2 files changed, 13 insertions(+), 8 deletions(-)
+
+diff --git a/src/os/pl-buffer.h b/src/os/pl-buffer.h
+index 1e6262a..ba7e63f 100644
+--- a/src/os/pl-buffer.h
++++ b/src/os/pl-buffer.h
+@@ -101,6 +101,8 @@ f__allocFromBuffer(Buffer b, size_t bytes)
+ 				  sizeof((b)->static_buffer))
+ #define emptyBuffer(b)           ((b)->top  = (b)->base)
+ #define isEmptyBuffer(b)         ((b)->top == (b)->base)
++#define popBuffer(b,type) \
++	((b)->top -= sizeof(type), *(type*)(b)->top)
+ 
+ #define discardBuffer(b) \
+ 	do \
+diff --git a/src/os/pl-os.c b/src/os/pl-os.c
+index 54affbf..c1f4c77 100644
+--- a/src/os/pl-os.c
++++ b/src/os/pl-os.c
+@@ -1057,8 +1057,7 @@ cleanupExpand(void)
+ char *
+ canoniseFileName(char *path)
+ { char *out = path, *in = path, *start = path;
+-  char *osave[100];
+-  int  osavep = 0;
++  tmp_buffer saveb;
+ 
+ #ifdef O_HASDRIVES			/* C: */
+   if ( in[1] == ':' && isLetter(in[0]) )
+@@ -1097,7 +1096,8 @@ canoniseFileName(char *path)
+     in += 2;
+   if ( in[0] == '/' )
+     *out++ = '/';
+-  osave[osavep++] = out;
++  initBuffer(&saveb);
++  addBuffer(&saveb, out, char*);
+ 
+   while(*in)
+   { if (*in == '/')
+@@ -1113,15 +1113,15 @@ canoniseFileName(char *path)
+ 	  }
+ 	  if ( in[2] == EOS )		/* delete trailing /. */
+ 	  { *out = EOS;
+-	    return path;
++	    goto out;
+ 	  }
+ 	  if ( in[2] == '.' && (in[3] == '/' || in[3] == EOS) )
+-	  { if ( osavep > 0 )		/* delete /foo/../ */
+-	    { out = osave[--osavep];
++	  { if ( !isEmptyBuffer(&saveb) )		/* delete /foo/../ */
++	    { out = popBuffer(&saveb, char*);
+ 	      in += 3;
+ 	      if ( in[0] == EOS && out > start+1 )
+ 	      { out[-1] = EOS;		/* delete trailing / */
+-		return path;
++		goto out;
+ 	      }
+ 	      goto again;
+ 	    } else if (	start[0] == '/' && out == start+1 )
+@@ -1135,12 +1135,15 @@ canoniseFileName(char *path)
+ 	in++;
+       if ( out > path && out[-1] != '/' )
+ 	*out++ = '/';
+-      osave[osavep++] = out;
++      addBuffer(&saveb, out, char*);
+     } else
+       *out++ = *in++;
+   }
+   *out++ = *in++;
+ 
++out:
++  discardBuffer(&saveb);
++
+   return path;
+ }
+ 
+-- 
+1.7.11.7
+
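Review bot: The `goto out` conversion only reaches the two `return path;` statements that fall inside these hunks; the `else if ( start[0] == '/' && out == start+1 )` branch at the end of the third hunk and the stretches of canoniseFileName between the hunks are not visible here, so any `return path;` that survives there now bypasses `discardBuffer(&saveb)` and leaks whatever the buffer grew into once the pushed pointers outgrew `static_buffer`, which is exactly the long-path input this CVE is about. The full body should be checked so that every exit after `initBuffer(&saveb)` goes through `out:`. What `addBuffer` does when it cannot grow the buffer is also not shown by this patch; since the fix turns an attacker-controlled push count into a heap growth, the failure path deserves at least a comment at the first `addBuffer` call, e.g. `/* saveb grows on the heap past static_buffer; allocation failure is handled by addBuffer (verify: longjmp/abort?) */`. Finally, the new `popBuffer` macro evaluates `b` twice and assumes the buffer is non-empty; a one-line comment in pl-buffer.h, `/* Pop one element of TYPE; caller must check !isEmptyBuffer(b) first. */`, would document that contract for the next user.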
diff --git a/pl.spec b/pl.spec
index 9ca085c..8dd6982 100644
--- a/pl.spec
+++ b/pl.spec
@@ -3,7 +3,7 @@
 
 Name:       pl
 Version:    6.0.2
-Release:    4%{?dist}
+Release:    5%{?dist}
 
 Summary:    SWI-Prolog - Edinburgh compatible Prolog compiler
 
@@ -27,6 +27,8 @@ Patch1:     %{name}-5.10.5-jpl-configure.patch
 Patch2:     %{name}-5.10.5-man-files.patch
 Patch3:     %{name}-6.0.2-jni.patch
 Patch4:     %{name}-5.10.5-pc.patch
+# Fix CVE-2012-6089, in upstream 6.2.5, bug #891666
+Patch5:     %{name}-6.0.2-CVE-2012-6089.patch
 
 # Base
 BuildRequires:  gmp-devel
@@ -165,6 +167,7 @@ in Prolog. In both setups it provides a re-entrant bidirectional interface.
 %patch2 -p1 -b .man-files
 %patch3 -p1 -b .jni
 %patch4 -p1 -b .pc
+%patch5 -p1 -b .CVE-2012-6089
 (
    cd src
    autoconf
@@ -324,6 +327,9 @@ rm $RPM_BUILD_ROOT%{_libdir}/swipl-%{version}/xpce/bin/*-linux/xpce-client
 
 
 %changelog
+* Fri Jan 04 2013 Petr Pisar <ppisar at redhat.com> - 6.0.2-5
+- Fix CVE-2012-6089 (buffer overflows in path canonisation code) (bug #891666)
+
 * Fri Jul 27 2012 Fedora Release Engineering <rel-eng at lists.fedoraproject.org> - 6.0.2-4
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild
 

