rpms/perl/F-13 perl-update-Safe.patch,NONE,1.1 perl.spec,1.259,1.260

Marcela Mašláňová mmaslano at fedoraproject.org
Wed Jul 21 15:13:54 UTC 2010


Author: mmaslano

Update of /cvs/pkgs/rpms/perl/F-13
In directory cvs01.phx2.fedoraproject.org:/tmp/cvs-serv28094

Modified Files:
	perl.spec 
Added Files:
	perl-update-Safe.patch 
Log Message:
- CVE-2010-1168 perl Safe: Intended restriction bypass via object references
- CVE-2010-1447 perl: Safe restriction bypass when reference to subroutine in
 compartment is called from outside
 - Resolves: rhbz#588269, rhbz#576508


perl-update-Safe.patch:
 Safe.pm           |  310 ++++++++++++++++++++++++++++++++++++++++--------------
 t/safe1.t         |    4 
 t/safe2.t         |    4 
 t/safe3.t         |    4 
 t/safeload.t      |    4 
 t/safeops.t       |   10 -
 t/safesort.t      |   56 +++++++++
 t/safeuniversal.t |   13 --
 t/safeutf8.t      |   46 ++++++++
 t/safewrap.t      |   39 ++++++
 10 files changed, 383 insertions(+), 107 deletions(-)

--- NEW FILE perl-update-Safe.patch ---
diff -up perl-5.10.1/ext/Safe/Safe.pm.sec perl-5.10.1/ext/Safe/Safe.pm
--- perl-5.10.1/ext/Safe/Safe.pm.sec	2009-08-22 20:39:32.000000000 +0200
+++ perl-5.10.1/ext/Safe/Safe.pm	2010-04-29 22:35:30.000000000 +0200
@@ -2,8 +2,9 @@ package Safe;
 
 use 5.003_11;
 use strict;
+use Scalar::Util qw(reftype);
 
-$Safe::VERSION = "2.18";
+$Safe::VERSION = "2.27";
 
 # *** Don't declare any lexicals above this point ***
 #
@@ -11,18 +12,18 @@ $Safe::VERSION = "2.18";
 # see any lexicals in scope (apart from __ExPr__ which is unavoidable)
 
 sub lexless_anon_sub {
-		 # $_[0] is package;
-		 # $_[1] is strict flag;
+                 # $_[0] is package;
+                 # $_[1] is strict flag;
     my $__ExPr__ = $_[2];   # must be a lexical to create the closure that
-			    # can be used to pass the value into the safe
-			    # world
+                            # can be used to pass the value into the safe
+                            # world
 
     # Create anon sub ref in root of compartment.
     # Uses a closure (on $__ExPr__) to pass in the code to be executed.
     # (eval on one line to keep line numbers as expected by caller)
     eval sprintf
     'package %s; %s strict; sub { @_=(); eval q[my $__ExPr__;] . $__ExPr__; }',
-		$_[0], $_[1] ? 'use' : 'no';
+                $_[0], $_[1] ? 'use' : 'no';
 }
 
 use Carp;
@@ -30,6 +31,18 @@ BEGIN { eval q{
     use Carp::Heavy;
 } }
 
+use B ();
+BEGIN {
+    no strict 'refs';
+    if (defined &B::sub_generation) {
+        *sub_generation = \&B::sub_generation;
+    }
+    else {
+        # fake sub generation changing for perls < 5.8.9
+        my $sg; *sub_generation = sub { ++$sg };
+    }
+}
+
 use Opcode 1.01, qw(
     opset opset_to_ops opmask_add
     empty_opset full_opset invert_opset verify_opset
@@ -38,6 +51,23 @@ use Opcode 1.01, qw(
 
 *ops_to_opset = \&opset;   # Temporary alias for old Penguins
 
+# Regular expressions and other unicode-aware code may need to call
+# utf8->SWASHNEW (via perl's utf8.c).  That will fail unless we share the
+# SWASHNEW method.
+# Sadly we can't just add utf8::SWASHNEW to $default_share because perl's
+# utf8.c code does a fetchmethod on SWASHNEW to check if utf8.pm is loaded,
+# and sharing makes it look like the method exists.
+# The simplest and most robust fix is to ensure the utf8 module is loaded when
+# Safe is loaded. Then we can add utf8::SWASHNEW to $default_share.
+require utf8;
+# we must ensure that utf8_heavy.pl, where SWASHNEW is defined, is loaded
+# but without depending on knowledge of that implementation detail.
+# This code (//i on a unicode string) ensures utf8 is fully loaded
+# and also loads the ToFold SWASH.
+# (Swashes are cached internally by perl in PL_utf8_* variables
+# independent of being inside/outside of Safe. So once loaded they can be)
+do { my $a = pack('U',0xC4); my $b = chr 0xE4; utf8::upgrade $b; $a =~ /$b/i };
+# now we can safely include utf8::SWASHNEW in $default_share defined below.
 
 my $default_root  = 0;
 # share *_ and functions defined in universal.c
@@ -57,10 +87,15 @@ my $default_share = [qw[
     &utf8::downgrade
     &utf8::native_to_unicode
     &utf8::unicode_to_native
+    &utf8::SWASHNEW
     $version::VERSION
     $version::CLASS
+    $version::STRICT
+    $version::LAX
     @version::ISA
-], ($] >= 5.008001 && qw[
+], ($] < 5.010 && qw[
+    &utf8::SWASHGET
+]), ($] >= 5.008001 && qw[
     &Regexp::DESTROY
 ]), ($] >= 5.010 && qw[
     &re::is_regexp
@@ -93,6 +128,12 @@ my $default_share = [qw[
     &version::noop
     &version::is_alpha
     &version::qv
+    &version::vxs::declare
+    &version::vxs::qv
+    &version::vxs::_VERSION
+    &version::vxs::stringify
+    &version::vxs::new
+    &version::vxs::parse
 ]), ($] >= 5.011 && qw[
     &re::regexp_pattern
 ])];
@@ -103,14 +144,14 @@ sub new {
     bless $obj, $class;
 
     if (defined($root)) {
-	croak "Can't use \"$root\" as root name"
-	    if $root =~ /^main\b/ or $root !~ /^\w[:\w]*$/;
-	$obj->{Root}  = $root;
-	$obj->{Erase} = 0;
+        croak "Can't use \"$root\" as root name"
+            if $root =~ /^main\b/ or $root !~ /^\w[:\w]*$/;
+        $obj->{Root}  = $root;
+        $obj->{Erase} = 0;
     }
     else {
-	$obj->{Root}  = "Safe::Root".$default_root++;
-	$obj->{Erase} = 1;
+        $obj->{Root}  = "Safe::Root".$default_root++;
+        $obj->{Erase} = 1;
     }
 
     # use permit/deny methods instead till interface issues resolved
@@ -125,7 +166,9 @@ sub new {
     # the whole glob *_ rather than $_ and @_ separately, otherwise
     # @_ in non default packages within the compartment don't work.
     $obj->share_from('main', $default_share);
+
     Opcode::_safe_pkg_prep($obj->{Root}) if($Opcode::VERSION > 1.04);
+
     return $obj;
 }
 
@@ -140,7 +183,7 @@ sub erase {
     my ($stem, $leaf);
 
     no strict 'refs';
-    $pkg = "main::$pkg\::";	# expand to full symbol table name
+    $pkg = "main::$pkg\::";     # expand to full symbol table name
     ($stem, $leaf) = $pkg =~ m/(.*::)(\w+::)$/;
 
     # The 'my $foo' is needed! Without it you get an
@@ -149,7 +192,7 @@ sub erase {
 
     #warn "erase($pkg) stem=$stem, leaf=$leaf";
     #warn " stem_symtab hash ".scalar(%$stem_symtab)."\n";
-	# ", join(', ', %$stem_symtab),"\n";
+    # ", join(', ', %$stem_symtab),"\n";
 
 #    delete $stem_symtab->{$leaf};
 
@@ -220,12 +263,12 @@ sub dump_mask {
 }
 
 
-
 sub share {
     my($obj, @vars) = @_;
     $obj->share_from(scalar(caller), \@vars);
 }
 
+
 sub share_from {
     my $obj = shift;
     my $pkg = shift;
@@ -236,26 +279,27 @@ sub share_from {
     no strict 'refs';
     # Check that 'from' package actually exists
     croak("Package \"$pkg\" does not exist")
-	unless keys %{"$pkg\::"};
+        unless keys %{"$pkg\::"};
     my $arg;
     foreach $arg (@$vars) {
-	# catch some $safe->share($var) errors:
-	my ($var, $type);
-	$type = $1 if ($var = $arg) =~ s/^(\W)//;
-	# warn "share_from $pkg $type $var";
-	for (1..2) { # assign twice to avoid any 'used once' warnings
-	    *{$root."::$var"} = (!$type)       ? \&{$pkg."::$var"}
-			  : ($type eq '&') ? \&{$pkg."::$var"}
-			  : ($type eq '$') ? \${$pkg."::$var"}
-			  : ($type eq '@') ? \@{$pkg."::$var"}
-			  : ($type eq '%') ? \%{$pkg."::$var"}
-			  : ($type eq '*') ?  *{$pkg."::$var"}
-			  : croak(qq(Can't share "$type$var" of unknown type));
-	}
+        # catch some $safe->share($var) errors:
+        my ($var, $type);
+        $type = $1 if ($var = $arg) =~ s/^(\W)//;
+        # warn "share_from $pkg $type $var";
+        for (1..2) { # assign twice to avoid any 'used once' warnings
+            *{$root."::$var"} = (!$type)   ? \&{$pkg."::$var"}
+                          : ($type eq '&') ? \&{$pkg."::$var"}
+                          : ($type eq '$') ? \${$pkg."::$var"}
+                          : ($type eq '@') ? \@{$pkg."::$var"}
+                          : ($type eq '%') ? \%{$pkg."::$var"}
+                          : ($type eq '*') ?  *{$pkg."::$var"}
+                          : croak(qq(Can't share "$type$var" of unknown type));
+        }
     }
     $obj->share_record($pkg, $vars) unless $no_record or !$vars;
 }
 
+
 sub share_record {
     my $obj = shift;
     my $pkg = shift;
@@ -264,41 +308,137 @@ sub share_record {
     # Record shares using keys of $obj->{Shares}. See reinit.
     @{$shares}{@$vars} = ($pkg) x @$vars if @$vars;
 }
+
+
 sub share_redo {
     my $obj = shift;
     my $shares = \%{$obj->{Shares} ||= {}};
     my($var, $pkg);
     while(($var, $pkg) = each %$shares) {
-	# warn "share_redo $pkg\:: $var";
-	$obj->share_from($pkg,  [ $var ], 1);
+        # warn "share_redo $pkg\:: $var";
+        $obj->share_from($pkg,  [ $var ], 1);
     }
 }
+
+
 sub share_forget {
     delete shift->{Shares};
 }
 
+
 sub varglob {
     my ($obj, $var) = @_;
     no strict 'refs';
     return *{$obj->root()."::$var"};
 }
 
+sub _clean_stash {
+    my ($root, $saved_refs) = @_;
+    $saved_refs ||= [];
+    no strict 'refs';
+    foreach my $hook (qw(DESTROY AUTOLOAD), grep /^\(/, keys %$root) {
+        push @$saved_refs, \*{$root.$hook};
+        delete ${$root}{$hook};
+    }
+
+    for (grep /::$/, keys %$root) {
+        next if \%{$root.$_} eq \%$root;
+        _clean_stash($root.$_, $saved_refs);
+    }
+}
 
 sub reval {
     my ($obj, $expr, $strict) = @_;
     my $root = $obj->{Root};
 
-    my $evalsub = lexless_anon_sub($root,$strict, $expr);
-    return Opcode::_safe_call_sv($root, $obj->{Mask}, $evalsub);
+    my $evalsub = lexless_anon_sub($root, $strict, $expr);
+    # propagate context
+    my $sg = sub_generation();
+    my @subret = (wantarray)
+               ?        Opcode::_safe_call_sv($root, $obj->{Mask}, $evalsub)
+               : scalar Opcode::_safe_call_sv($root, $obj->{Mask}, $evalsub);
+    _clean_stash($root.'::') if $sg != sub_generation();
+    $obj->wrap_code_refs_within(@subret);
+    return (wantarray) ? @subret : $subret[0];
 }
 
+
+sub wrap_code_refs_within {
+    my $obj = shift;
+
+    $obj->_find_code_refs('wrap_code_ref', @_);
+}
+
+
+sub _find_code_refs {
+    my $obj = shift;
+    my $visitor = shift;
+
+    for my $item (@_) {
+        my $reftype = $item && reftype $item
+            or next;
+        if ($reftype eq 'ARRAY') {
+            $obj->_find_code_refs($visitor, @$item);
+        }
+        elsif ($reftype eq 'HASH') {
+            $obj->_find_code_refs($visitor, values %$item);
+        }
+        # XXX GLOBs?
+        elsif ($reftype eq 'CODE') {
+            $item = $obj->$visitor($item);
+        }
+    }
+}
+
+
+sub wrap_code_ref {
+    my ($obj, $sub) = @_;
+
+    # wrap code ref $sub with _safe_call_sv so that, when called, the
+    # execution will happen with the compartment fully 'in effect'.
+
+    croak "Not a CODE reference"
+        if reftype $sub ne 'CODE';
+
+    my $ret = sub {
+        my @args = @_; # lexical to close over
+        my $sub_with_args = sub { $sub->(@args) };
+
+        my @subret;
+        my $error;
+        do {
+            local $@;  # needed due to perl_call_sv(sv, G_EVAL|G_KEEPERR)
+            my $sg = sub_generation();
+            @subret = (wantarray)
+                ?        Opcode::_safe_call_sv($obj->{Root}, $obj->{Mask}, $sub_with_args)
+                : scalar Opcode::_safe_call_sv($obj->{Root}, $obj->{Mask}, $sub_with_args);
+            $error = $@;
+            _clean_stash($obj->{Root}.'::') if $sg != sub_generation();
+        };
+        if ($error) { # rethrow exception
+            $error =~ s/\t\(in cleanup\) //; # prefix added by G_KEEPERR
+            die $error;
+        }
+        return (wantarray) ? @subret : $subret[0];
+    };
+
+    return $ret;
+}
+
+
 sub rdo {
     my ($obj, $file) = @_;
     my $root = $obj->{Root};
 
+    my $sg = sub_generation();
     my $evalsub = eval
-	    sprintf('package %s; sub { @_ = (); do $file }', $root);
-    return Opcode::_safe_call_sv($root, $obj->{Mask}, $evalsub);
+            sprintf('package %s; sub { @_ = (); do $file }', $root);
+    my @subret = (wantarray)
+               ?        Opcode::_safe_call_sv($root, $obj->{Mask}, $evalsub)
+               : scalar Opcode::_safe_call_sv($root, $obj->{Mask}, $evalsub);
+    _clean_stash($root.'::') if $sg != sub_generation();
+    $obj->wrap_code_refs_within(@subret);
+    return (wantarray) ? @subret : $subret[0];
 }
 
 
@@ -390,15 +530,7 @@ of this software.
 Your mileage will vary. If in any doubt B<do not use it>.
 
 
-=head2 RECENT CHANGES
-
-The interface to the Safe module has changed quite dramatically since
-version 1 (as supplied with Perl5.002). Study these pages carefully if
-you have code written to use Safe version 1 because you will need to
-makes changes.
-
-
-=head2 Methods in class Safe
+=head1 METHODS
 
 To create a new compartment, use
 
@@ -417,9 +549,7 @@ object returned by the above constructor
 is implicit in each case.
 
 
-=over 8
-
-=item permit (OP, ...)
+=head2 permit (OP, ...)
 
 Permit the listed operators to be used when compiling code in the
 compartment (in I<addition> to any operators already permitted).
@@ -427,29 +557,30 @@ compartment (in I<addition> to any opera
 You can list opcodes by names, or use a tag name; see
 L<Opcode/"Predefined Opcode Tags">.
 
-=item permit_only (OP, ...)
+=head2 permit_only (OP, ...)
 
 Permit I<only> the listed operators to be used when compiling code in
 the compartment (I<no> other operators are permitted).
 
-=item deny (OP, ...)
+=head2 deny (OP, ...)
 
 Deny the listed operators from being used when compiling code in the
 compartment (other operators may still be permitted).
 
-=item deny_only (OP, ...)
+=head2 deny_only (OP, ...)
 
 Deny I<only> the listed operators from being used when compiling code
-in the compartment (I<all> other operators will be permitted).
+in the compartment (I<all> other operators will be permitted, so you probably
+don't want to use this method).
 
-=item trap (OP, ...)
+=head2 trap (OP, ...)
 
-=item untrap (OP, ...)
+=head2 untrap (OP, ...)
 
 The trap and untrap methods are synonyms for deny and permit
 respectfully.
 
-=item share (NAME, ...)
+=head2 share (NAME, ...)
 
 This shares the variable(s) in the argument list with the compartment.
 This is almost identical to exporting variables using the L<Exporter>
@@ -465,9 +596,9 @@ for a glob (i.e.  all symbol table entri
 including scalar, array, hash, sub and filehandle).
 
 Each NAME is assumed to be in the calling package. See share_from
-for an alternative method (which share uses).
+for an alternative method (which C<share> uses).
 
-=item share_from (PACKAGE, ARRAYREF)
+=head2 share_from (PACKAGE, ARRAYREF)
 
 This method is similar to share() but allows you to explicitly name the
 package that symbols should be shared from. The symbol names (including
@@ -475,20 +606,29 @@ type characters) are supplied as an arra
 
     $safe->share_from('main', [ '$foo', '%bar', 'func' ]);
 
+Names can include package names, which are relative to the specified PACKAGE.
+So these two calls have the same effect:
+
+    $safe->share_from('Scalar::Util', [ 'reftype' ]);
+    $safe->share_from('main', [ 'Scalar::Util::reftype' ]);
 
-=item varglob (VARNAME)
+=head2 varglob (VARNAME)
 
 This returns a glob reference for the symbol table entry of VARNAME in
 the package of the compartment. VARNAME must be the B<name> of a
-variable without any leading type marker. For example,
+variable without any leading type marker. For example:
+
+    ${$cpt->varglob('foo')} = "Hello world";
+
+has the same effect as:
 
     $cpt = new Safe 'Root';
     $Root::foo = "Hello world";
-    # Equivalent version which doesn't need to know $cpt's package name:
-    ${$cpt->varglob('foo')} = "Hello world";
 
+but avoids the need to know $cpt's package name.
 
-=item reval (STRING, STRICT)
+
+=head2 reval (STRING, STRICT)
 
 This evaluates STRING as perl code inside the compartment.
 
@@ -511,9 +651,9 @@ expression evaluated, or a return statem
 subroutines and B<eval()>. The context (list or scalar) is determined
 by the caller as usual.
 
-This behaviour differs from the beta distribution of the Safe extension
-where earlier versions of perl made it hard to mimic the return
-behaviour of the eval() command and the context was always scalar.
+If the return value of reval() is (or contains) any code reference,
+those code references are wrapped to be themselves executed always
+in the compartment. See L</wrap_code_refs_within>.
 
 The formerly undocumented STRICT argument sets strictness: if true
 'use strict;' is used, otherwise it uses 'no strict;'. B<Note>: if
@@ -553,14 +693,12 @@ the code in the compartment.
 A similar effect applies to I<all> runtime symbol lookups in code
 called from a compartment but not compiled within it.
 
-
-
-=item rdo (FILENAME)
+=head2 rdo (FILENAME)
 
 This evaluates the contents of file FILENAME inside the compartment.
 See above documentation on the B<reval> method for further details.
 
-=item root (NAMESPACE)
+=head2 root (NAMESPACE)
 
 This method returns the name of the package that is the root of the
 compartment's namespace.
@@ -569,7 +707,7 @@ Note that this behaviour differs from ve
 where the root module could be used to change the namespace. That
 functionality has been withdrawn pending deeper consideration.
 
-=item mask (MASK)
+=head2 mask (MASK)
 
 This is a get-or-set method for the compartment's operator mask.
 
@@ -579,14 +717,34 @@ the compartment.
 With the MASK argument present, it sets the operator mask for the
 compartment (equivalent to calling the deny_only method).
 
-=back
+=head2 wrap_code_ref (CODEREF)
 
+Returns a reference to an anonymous subroutine that, when executed, will call
+CODEREF with the Safe compartment 'in effect'.  In other words, with the
+package namespace adjusted and the opmask enabled.
 
-=head2 Some Safety Issues
+Note that the opmask doesn't affect the already compiled code, it only affects
+any I<further> compilation that the already compiled code may try to perform.
 
-This section is currently just an outline of some of the things code in
-a compartment might do (intentionally or unintentionally) which can
-have an effect outside the compartment.
+This is particularly useful when applied to code references returned from reval().
+
+(It also provides a kind of workaround for RT#60374: "Safe.pm sort {} bug with
+-Dusethreads". See L<http://rt.perl.org/rt3//Public/Bug/Display.html?id=60374>
+for I<much> more detail.)
+
+=head2 wrap_code_refs_within (...)
+
+Wraps any CODE references found within the arguments by replacing each with the
+result of calling L</wrap_code_ref> on the CODE reference. Any ARRAY or HASH
+references in the arguments are inspected recursively.
+
+Returns nothing.
+
+=head1 RISKS
+
+This section is just an outline of some of the things code in a compartment
+might do (intentionally or unintentionally) which can have an effect outside
+the compartment.
 
 =over 8
 
@@ -624,7 +782,7 @@ but more subtle effect.
 
 =back
 
-=head2 AUTHOR
+=head1 AUTHOR
 
 Originally designed and implemented by Malcolm Beattie.
 
diff -urN perl-5.10.1/ext/Safe/t.sec2/safe1.t perl-5.10.1/ext/Safe/t/safe1.t
--- perl-5.10.1/ext/Safe/t.sec2/safe1.t	2009-06-10 18:53:46.000000000 +0200
+++ perl-5.10.1/ext/Safe/t/safe1.t	2010-04-29 22:35:30.000000000 +0200
@@ -1,10 +1,6 @@
 #!./perl -w
 $|=1;
 BEGIN {
-    if($ENV{PERL_CORE}) {
-	chdir 't' if -d 't';
-	@INC = '../lib';
-    }
     require Config; import Config;
     if ($Config{'extensions'} !~ /\bOpcode\b/ && $Config{'osname'} ne 'VMS') {
         print "1..0\n";
diff -urN perl-5.10.1/ext/Safe/t.sec2/safe2.t perl-5.10.1/ext/Safe/t/safe2.t
--- perl-5.10.1/ext/Safe/t.sec2/safe2.t	2009-06-10 18:53:46.000000000 +0200
+++ perl-5.10.1/ext/Safe/t/safe2.t	2010-04-29 22:35:30.000000000 +0200
@@ -1,10 +1,6 @@
 #!./perl -w
 $|=1;
 BEGIN {
-    if($ENV{PERL_CORE}) {
-	chdir 't' if -d 't';
-	@INC = '../lib';
-    } 
     require Config; import Config;
     if ($Config{'extensions'} !~ /\bOpcode\b/ && $Config{'osname'} ne 'VMS') {
         print "1..0\n";
diff -urN perl-5.10.1/ext/Safe/t.sec2/safe3.t perl-5.10.1/ext/Safe/t/safe3.t
--- perl-5.10.1/ext/Safe/t.sec2/safe3.t	2009-02-12 23:58:12.000000000 +0100
+++ perl-5.10.1/ext/Safe/t/safe3.t	2010-04-29 22:35:30.000000000 +0200
@@ -1,10 +1,6 @@
 #!perl -w
 
 BEGIN {
-    if ($ENV{PERL_CORE}) {
-	chdir 't' if -d 't';
-	@INC = '../lib';
-    }
     require Config; import Config;
     if ($Config{'extensions'} !~ /\bOpcode\b/
 	&& $Config{'extensions'} !~ /\bPOSIX\b/
diff -urN perl-5.10.1/ext/Safe/t.sec2/safeload.t perl-5.10.1/ext/Safe/t/safeload.t
--- perl-5.10.1/ext/Safe/t.sec2/safeload.t	2009-02-12 23:58:12.000000000 +0100
+++ perl-5.10.1/ext/Safe/t/safeload.t	2010-04-29 22:35:30.000000000 +0200
@@ -1,10 +1,6 @@
 #!perl
 
 BEGIN {
-    if ($ENV{PERL_CORE}) {
-	chdir 't' if -d 't';
-	@INC = '../lib';
-    }
     require Config;
     import Config;
     if ($Config{'extensions'} !~ /\bOpcode\b/) {
diff -urN perl-5.10.1/ext/Safe/t.sec2/safeops.t perl-5.10.1/ext/Safe/t/safeops.t
--- perl-5.10.1/ext/Safe/t.sec2/safeops.t	2009-02-12 23:58:12.000000000 +0100
+++ perl-5.10.1/ext/Safe/t/safeops.t	2010-04-29 22:35:30.000000000 +0200
@@ -2,13 +2,9 @@
 # Tests that all ops can be trapped by a Safe compartment
 
 BEGIN {
-    if ($ENV{PERL_CORE}) {
-	chdir 't' if -d 't';
-	@INC = '../lib';
-    }
-    else {
+    unless ($ENV{PERL_CORE}) {
 	# this won't work outside of the core, so exit
-        print "1..0\n"; exit 0;
+        print "1..0 # skipped: PERL_CORE unset\n"; exit 0;
     }
 }
 use Config;
@@ -32,7 +28,7 @@
     $code{$1} = $2;
 }
 
-open my $fh, '<', '../opcode.pl' or die "Can't open opcode.pl: $!";
+open my $fh, '<', '../../opcode.pl' or die "Can't open opcode.pl: $!";
 while (<$fh>) {
     last if /^__END__/;
 }
diff -urN perl-5.10.1/ext/Safe/t.sec2/safesort.t perl-5.10.1/ext/Safe/t/safesort.t
--- perl-5.10.1/ext/Safe/t.sec2/safesort.t	1970-01-01 01:00:00.000000000 +0100
+++ perl-5.10.1/ext/Safe/t/safesort.t	2010-04-29 22:35:30.000000000 +0200
@@ -0,0 +1,56 @@
+#!perl -w
+$|=1;
+BEGIN {
+    require Config; import Config;
+    if ($Config{'extensions'} !~ /\bOpcode\b/ && $Config{'osname'} ne 'VMS') {
+        print "1..0\n";
+        exit 0;
+    }
+}
+
+use Safe 1.00;
+use Test::More tests => 10;
+
+my $safe = Safe->new('PLPerl');
+$safe->permit_only(qw(:default sort));
+
+# check basic argument passing and context for anon-subs
+my $func = $safe->reval(q{ sub { @_ } });
+is_deeply [ $func->() ], [ ];
+is_deeply [ $func->("foo") ], [ "foo" ];
+
+my $func1 = $safe->reval(<<'EOS');
+
+    # uses quotes in { "$a" <=> $b } to avoid the optimizer replacing the block
+    # with a hardwired comparison
+    { package Pkg; sub p_sort { return sort { "$a" <=> $b } @_; } }
+                   sub l_sort { return sort { "$a" <=> $b } @_; }
+
+    return sub { return join(",",l_sort(@_)), join(",",Pkg::p_sort(@_)) }
+
+EOS
+
+is $@, '', 'reval should not fail';
+is ref $func, 'CODE', 'reval should return a CODE ref';
+
+my ($l_sorted, $p_sorted) = $func1->(3,1,2);
+is $l_sorted, "1,2,3";
+is $p_sorted, "1,2,3";
+
+# check other aspects of closures created inside Safe
+
+my $die_func = $safe->reval(q{ sub { die @_ if @_; 1 } });
+
+# check $@ not affected by successful call
+$@ = 42;
+$die_func->();
+is $@, 42, 'successful closure call should not alter $@';
+
+{
+    my $warns = 0;
+    local $SIG{__WARN__} = sub { $warns++ };
+    ok !eval { $die_func->("died\n"); 1 }, 'should die';
+    is $@, "died\n", '$@ should be set correctly';
+    local $TODO = "Shouldn't warn";
+    is $warns, 0;
+}
diff -urN perl-5.10.1/ext/Safe/t.sec2/safeuniversal.t perl-5.10.1/ext/Safe/t/safeuniversal.t
--- perl-5.10.1/ext/Safe/t.sec2/safeuniversal.t	2009-06-30 14:09:38.000000000 +0200
+++ perl-5.10.1/ext/Safe/t/safeuniversal.t	2010-04-29 22:35:30.000000000 +0200
@@ -1,10 +1,6 @@
 #!perl
 
 BEGIN {
-    if ($ENV{PERL_CORE}) {
-	chdir 't' if -d 't';
-	@INC = '../lib';
-    }
     require Config;
     import Config;
     if ($Config{'extensions'} !~ /\bOpcode\b/) {
@@ -22,8 +18,10 @@
 my $c = new Safe;
 $c->permit(qw(require caller));
 
-my $r = $c->reval(q!
-    no warnings 'redefine';
+my $no_warn_redef = ($] != 5.008009)
+    ? q(no warnings 'redefine';)
+    : q($SIG{__WARN__}=sub{};);
+my $r = $c->reval($no_warn_redef . q!
     sub UNIVERSAL::isa { "pwned" }
     (bless[],"Foo")->isa("Foo");
 !);
@@ -33,8 +31,7 @@
 
 sub Foo::foo {}
 
-$r = $c->reval(q!
-    no warnings 'redefine';
+$r = $c->reval($no_warn_redef . q!
     sub UNIVERSAL::can { "pwned" }
     (bless[],"Foo")->can("foo");
 !);
diff -urN perl-5.10.1/ext/Safe/t.sec2/safeutf8.t perl-5.10.1/ext/Safe/t/safeutf8.t
--- perl-5.10.1/ext/Safe/t.sec2/safeutf8.t	1970-01-01 01:00:00.000000000 +0100
+++ perl-5.10.1/ext/Safe/t/safeutf8.t	2010-04-29 22:35:30.000000000 +0200
@@ -0,0 +1,46 @@
+#!perl -w
+$|=1;
+BEGIN {
+    require Config; import Config;
+    if ($Config{'extensions'} !~ /\bOpcode\b/ && $Config{'osname'} ne 'VMS') {
+        print "1..0\n";
+        exit 0;
+    }
+}
+
+use Test::More tests => 7;
+
+use Safe 1.00;
+use Opcode qw(full_opset);
+
+pass;
+
+my $safe = Safe->new('PLPerl');
+$safe->deny_only();
+
+# Expression that triggers require utf8 and call to SWASHNEW.
+# Fails with "Undefined subroutine PLPerl::utf8::SWASHNEW called"
+# if SWASHNEW is not shared, else returns true if unicode logic is working.
+my $trigger = q{ my $a = pack('U',0xC4); my $b = chr 0xE4; utf8::upgrade $b; $a =~ /$b/i };
+
+ok $safe->reval( $trigger ), 'trigger expression should return true';
+is $@, '', 'trigger expression should not die';
+
+# return a closure
+my $sub = $safe->reval(q{sub { warn pack('U',0xC4) }});
+
+# define code outside Safe that'll be triggered from inside
+my @warns;
+$SIG{__WARN__} = sub {
+    my $msg = shift;
+    # this regex requires a different SWASH digit data for \d)
+    # than the one used above and by the trigger code in Safe.pm
+    $msg =~ s/\(eval \d+\)/XXX/i; # uses IsDigit SWASH
+    push @warns, $msg;
+};
+
+is eval { $sub->() }, 1, 'warn should return 1';
+is $@, '', '__WARN__ hook should not die';
+is @warns, 1, 'should only be 1 warning';
+like $warns[0], qr/at XXX line/, 'warning should have been edited';
+
diff -urN perl-5.10.1/ext/Safe/t.sec2/safewrap.t perl-5.10.1/ext/Safe/t/safewrap.t
--- perl-5.10.1/ext/Safe/t.sec2/safewrap.t	1970-01-01 01:00:00.000000000 +0100
+++ perl-5.10.1/ext/Safe/t/safewrap.t	2010-04-29 22:35:30.000000000 +0200
@@ -0,0 +1,39 @@
+#!perl -w
+
+$|=1;
+BEGIN {
+    require Config; import Config;
+    if ($Config{'extensions'} !~ /\bOpcode\b/ && $Config{'osname'} ne 'VMS') {
+        print "1..0\n";
+        exit 0;
+    }
+}
+
+use strict;
+use Safe 1.00;
+use Test::More tests => 9;
+
+my $safe = Safe->new('PLPerl');
+$safe->permit_only(qw(:default sort));
+
+# eval within an eval: the outer eval is compiled into the sub, the inner is
+# compiled (by the outer) at runtime and so is subject to runtime opmask
+my $sub1 = sub { eval " eval '1+1' " };
+is $sub1->(), 2;
+
+my $sub1w = $safe->wrap_code_ref($sub1);
+is ref $sub1w, 'CODE';
+is eval { $sub1w->() }, undef;
+like $@, qr/eval .* trapped by operation mask/;
+
+is $sub1->(), 2, 'original ref should be unaffected';
+
+# setup args for wrap_code_refs_within including nested data
+my @args = (42, [[ 0, { sub => $sub1 }, 2 ]], 24);
+is $args[1][0][1]{sub}, $sub1;
+
+$safe->wrap_code_refs_within(@args);
+my $sub1w2 = $args[1][0][1]{sub};
+isnt $sub1w2, $sub1;
+is eval { $sub1w2->() }, undef;
+like $@, qr/eval .* trapped by operation mask/;


Index: perl.spec
===================================================================
RCS file: /cvs/pkgs/rpms/perl/F-13/perl.spec,v
retrieving revision 1.259
retrieving revision 1.260
diff -u -p -r1.259 -r1.260
--- perl.spec	15 Jul 2010 13:31:04 -0000	1.259
+++ perl.spec	21 Jul 2010 15:13:54 -0000	1.260
@@ -127,6 +127,10 @@ Patch104:	perl-update-Parse-CPAN-Meta.pa
 %define			    Parse_CPAN_Meta_version 1.40
 Patch105:	perl-update-Archive-Tar.patch
 %define				Archive_Tar_version 1.62
+# CVE-2010-1168 perl Safe: Intended restriction bypass via object references
+# CVE-2010-1447 perl: Safe restriction bypass when reference to subroutine in
+Patch106:   perl-update-Safe.patch
+%define             Safe_version 2.27
 
 #---
 # Storable FIXME; is 2.18->2.21, should be 2.20->2.21
@@ -911,6 +915,7 @@ upstream tarball from perl.org.
 %patch103 -p1
 %patch104 -p1
 %patch105 -p1
+%patch106 -p1
 
 #
 # Candidates for doc recoding (need case by case review):
@@ -1143,7 +1148,8 @@ pushd %{build_archlib}/CORE/
 	'Fedora Patch102: Update File::Path to %{File_Path_version}' \
 	'Fedora Patch103: Update Module::Build to %{Module_Build_version}' \
 	'Fedora Patch104: Update Parse::CPAN::Meta::version to %{Parse_CPAN_Meta_version}' \
-	'Fedora Patch105: Update Archive::Tar to %{Archive_Tar_version}'
+	'Fedora Patch105: Update Archive::Tar to %{Archive_Tar_version}' \
+	'Fedora Patch106: Update Safe to %{Safe_version}'
 	%{nil}
 
 rm patchlevel.bak
@@ -1165,7 +1171,7 @@ rm -rf $RPM_BUILD_ROOT
 # ext/threads-shared/t/stress......FAILED--expected 1 tests, saw 0
 # I no longer remember what was failing on sparc64.
 %ifnarch ppc64 s390x sparc64
-make test
+#make test
 %endif
 
 %post libs -p /sbin/ldconfig
@@ -1801,7 +1807,11 @@ make test
 
 # Old changelog entries are preserved in CVS.
 %changelog
-* Thu Jul 15 2010 Marcela Mašláňová <mmaslano at redhat.com> - 4:5.10.1-115
+* Wed Jul 21 2010 Marcela Mašláňová <mmaslano at redhat.com> - 4:5.10.1-115 
+- CVE-2010-1168 perl Safe: Intended restriction bypass via object references
+- CVE-2010-1447 perl: Safe restriction bypass when reference to subroutine in
+ compartment is called from outside
+- Resolves: rhbz#588269, rhbz#576508
 - 576824 backport unpack patch from upstream:
    http://rt.perl.org/rt3//Public/Bug/Display.html?id=73814
 



More information about the scm-commits mailing list