[pl/f18] Fix CVE-2012-6089
Petr Pisar
ppisar at fedoraproject.org
Fri Jan 4 11:58:50 UTC 2013
commit b76393320087a342edab9ca9cb17809b96525fe5
Author: Petr Písař <ppisar at redhat.com>
Date: Fri Jan 4 12:49:44 2013 +0100
Fix CVE-2012-6089
pl-6.0.2-CVE-2012-6089.patch | 90 ++++++++++++++++++++++++++++++++++++++++++
pl.spec | 8 +++-
2 files changed, 97 insertions(+), 1 deletions(-)
---
diff --git a/pl-6.0.2-CVE-2012-6089.patch b/pl-6.0.2-CVE-2012-6089.patch
new file mode 100644
index 0000000..21afa1b
--- /dev/null
+++ b/pl-6.0.2-CVE-2012-6089.patch
@@ -0,0 +1,90 @@
+From a9a6fc8a2a9cf3b9154b490a4b1ffaa8be4d723c Mon Sep 17 00:00:00 2001
+From: Jan Wielemaker <J.Wielemaker at cs.vu.nl>
+Date: Sun, 16 Dec 2012 18:13:17 +0100
+Subject: [PATCH] FIXED: Possible buffer overrun in patch canonisation code.
+
+Pushes pointers on an automatic array without checking for overflow.
+Can be used for DoS attacks. Will be extremely hard to make it execute
+arbitrary code.
+---
+ src/os/pl-buffer.h | 2 ++
+ src/os/pl-os.c | 19 +++++++++++--------
+ 2 files changed, 13 insertions(+), 8 deletions(-)
+
+diff --git a/src/os/pl-buffer.h b/src/os/pl-buffer.h
+index 1e6262a..ba7e63f 100644
+--- a/src/os/pl-buffer.h
++++ b/src/os/pl-buffer.h
+@@ -101,6 +101,8 @@ f__allocFromBuffer(Buffer b, size_t bytes)
+ sizeof((b)->static_buffer))
+ #define emptyBuffer(b) ((b)->top = (b)->base)
+ #define isEmptyBuffer(b) ((b)->top == (b)->base)
++#define popBuffer(b,type) \
++ ((b)->top -= sizeof(type), *(type*)(b)->top)
+
+ #define discardBuffer(b) \
+ do \
+diff --git a/src/os/pl-os.c b/src/os/pl-os.c
+index 54affbf..c1f4c77 100644
+--- a/src/os/pl-os.c
++++ b/src/os/pl-os.c
+@@ -1057,8 +1057,7 @@ cleanupExpand(void)
+ char *
+ canoniseFileName(char *path)
+ { char *out = path, *in = path, *start = path;
+- char *osave[100];
+- int osavep = 0;
++ tmp_buffer saveb;
+
+ #ifdef O_HASDRIVES /* C: */
+ if ( in[1] == ':' && isLetter(in[0]) )
+@@ -1097,7 +1096,8 @@ canoniseFileName(char *path)
+ in += 2;
+ if ( in[0] == '/' )
+ *out++ = '/';
+- osave[osavep++] = out;
++ initBuffer(&saveb);
++ addBuffer(&saveb, out, char*);
+
+ while(*in)
+ { if (*in == '/')
+@@ -1113,15 +1113,15 @@ canoniseFileName(char *path)
+ }
+ if ( in[2] == EOS ) /* delete trailing /. */
+ { *out = EOS;
+- return path;
++ goto out;
+ }
+ if ( in[2] == '.' && (in[3] == '/' || in[3] == EOS) )
+- { if ( osavep > 0 ) /* delete /foo/../ */
+- { out = osave[--osavep];
++ { if ( !isEmptyBuffer(&saveb) ) /* delete /foo/../ */
++ { out = popBuffer(&saveb, char*);
+ in += 3;
+ if ( in[0] == EOS && out > start+1 )
+ { out[-1] = EOS; /* delete trailing / */
+- return path;
++ goto out;
+ }
+ goto again;
+ } else if ( start[0] == '/' && out == start+1 )
+@@ -1135,12 +1135,15 @@ canoniseFileName(char *path)
+ in++;
+ if ( out > path && out[-1] != '/' )
+ *out++ = '/';
+- osave[osavep++] = out;
++ addBuffer(&saveb, out, char*);
+ } else
+ *out++ = *in++;
+ }
+ *out++ = *in++;
+
++out:
++ discardBuffer(&saveb);
++
+ return path;
+ }
+
+--
+1.7.11.7
+
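Review bot: The new `goto out` cleanup covers only the two early exits visible in this hunk; the `else if ( start[0] == '/' && out == start+1 )` branch at the end of the third embedded hunk continues into lines not shown, and any `return path` there between `initBuffer(&saveb)` and the `out:` label would skip `discardBuffer(&saveb)`, leaking heap storage once the pointer stack has outgrown the buffer's static array. Worth confirming that every exit after `initBuffer` reaches `out:` before this is shipped. The `popBuffer` macro added to pl-buffer.h does no underflow check of its own, so it should carry a comment such as `/* caller must ensure !isEmptyBuffer(b) */`; the one call site here is guarded by `isEmptyBuffer`. Parts of canoniseFileName between the embedded hunks are not shown.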
diff --git a/pl.spec b/pl.spec
index 9ca085c..8dd6982 100644
--- a/pl.spec
+++ b/pl.spec
@@ -3,7 +3,7 @@
Name: pl
Version: 6.0.2
-Release: 4%{?dist}
+Release: 5%{?dist}
Summary: SWI-Prolog - Edinburgh compatible Prolog compiler
@@ -27,6 +27,8 @@ Patch1: %{name}-5.10.5-jpl-configure.patch
Patch2: %{name}-5.10.5-man-files.patch
Patch3: %{name}-6.0.2-jni.patch
Patch4: %{name}-5.10.5-pc.patch
+# Fix CVE-2012-6089, in upstream 6.2.5, bug #891666
+Patch5: %{name}-6.0.2-CVE-2012-6089.patch
# Base
BuildRequires: gmp-devel
@@ -165,6 +167,7 @@ in Prolog. In both setups it provides a re-entrant bidirectional interface.
%patch2 -p1 -b .man-files
%patch3 -p1 -b .jni
%patch4 -p1 -b .pc
+%patch5 -p1 -b .CVE-2012-6089
(
cd src
autoconf
@@ -324,6 +327,9 @@ rm $RPM_BUILD_ROOT%{_libdir}/swipl-%{version}/xpce/bin/*-linux/xpce-client
%changelog
+* Fri Jan 04 2013 Petr Pisar <ppisar at redhat.com> - 6.0.2-5
+- Fix CVE-2012-6089 (buffer overflows in path canonisation code) (bug #891666)
+
* Fri Jul 27 2012 Fedora Release Engineering <rel-eng at lists.fedoraproject.org> - 6.0.2-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild