[perl/f15] Fix CVE-2011-2728
Petr Pisar
ppisar at fedoraproject.org
Fri Nov 4 15:17:30 UTC 2011
commit 1468c1d1e9e391ef252068a2fdb483531f338f32
Author: Petr Písař <ppisar at redhat.com>
Date: Fri Nov 4 14:54:27 2011 +0100
Fix CVE-2011-2728
perl-5.12.4-CVE-2011-2728.patch | 62 +++++++++++++++++++++++++++++++++++++++
perl.spec | 9 +++++-
2 files changed, 70 insertions(+), 1 deletions(-)
---
diff --git a/perl-5.12.4-CVE-2011-2728.patch b/perl-5.12.4-CVE-2011-2728.patch
new file mode 100644
index 0000000..c88ad0f
--- /dev/null
+++ b/perl-5.12.4-CVE-2011-2728.patch
@@ -0,0 +1,62 @@
+From 1af4051e077438976a4c12a0622feaf6715bec77 Mon Sep 17 00:00:00 2001
+From: "Craig A. Berry" <craigberry at mac.com>
+Date: Fri, 19 Aug 2011 10:14:13 -0500
+Subject: [PATCH] Plug segfault in bsd_glob() with unsupported ALTDIRFUNC
+ flag.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+First, disable all the unsupported flags just to make sure they aren't
+triggering something they shouldn't be. Also, zero the pglob struct
+before passing to bsd_glob(); it contains function pointers, and it's
+safest if they are null rather than containing random stack data.
+
+Bug reported by Clément Lecigne <clemun at gmail.com>.
+
+Petr Pisar: Version bump removed and rebased for Perl 5.12.4.
+---
+ ext/File-Glob/Glob.xs | 3 +++
+ ext/File-Glob/t/basic.t | 6 +++++-
+
+diff --git a/ext/File-Glob/Glob.xs b/ext/File-Glob/Glob.xs
+index 3f4928f..5a08a0d 100644
+--- a/ext/File-Glob/Glob.xs
++++ b/ext/File-Glob/Glob.xs
+@@ -49,9 +49,12 @@ PPCODE:
+ /* allow for optional flags argument */
+ if (items > 1) {
+ flags = (int) SvIV(ST(1));
++ /* remove unsupported flags */
++ flags &= ~(GLOB_APPEND | GLOB_DOOFFS | GLOB_ALTDIRFUNC | GLOB_MAGCHAR);
+ }
+
+ /* call glob */
++ bzero(&pglob, sizeof(glob_t));
+ retval = bsd_glob(pattern, flags, errfunc, &pglob);
+ GLOB_ERROR = retval;
+
+diff --git a/ext/File-Glob/t/basic.t b/ext/File-Glob/t/basic.t
+index e331380..ed83019 100644
+--- a/ext/File-Glob/t/basic.t
++++ b/ext/File-Glob/t/basic.t
+@@ -15,7 +15,7 @@ BEGIN {
+ }
+ }
+ use strict;
+-use Test::More tests => 14;
++use Test::More tests => 15;
+ BEGIN {use_ok('File::Glob', ':glob')};
+ use Cwd ();
+
+@@ -195,3 +195,7 @@ pass("Don't panic");
+ local $TODO = "home-made glob doesn't do regexes" if $^O eq 'VMS';
+ is_deeply(\@glob_files, ['a_dej']);
+ }
++
++# This used to segfault.
++my $i = bsd_glob('*', GLOB_ALTDIRFUNC);
++is(&File::Glob::GLOB_ERROR, 0, "Successfuly ignored unsupported flag");
+--
+1.7.6.4
+
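Review bot: The added `bzero(&pglob, sizeof(glob_t));` in the Glob.xs hunk of the embedded patch uses a BSD function that is not part of ISO C, so it can fail to build on platforms that lack it. Perl's own `Zero(&pglob, 1, glob_t);` or plain `memset(&pglob, 0, sizeof(glob_t));` clears the struct portably, and it is the null function pointers that keep a stray GLOB_ALTDIRFUNC from dispatching through stack garbage. The new test in t/basic.t stores the result in `$i` but never inspects it, so it only proves the call no longer crashes. Adding `is_deeply([bsd_glob('*', GLOB_ALTDIRFUNC)], [bsd_glob('*')], "flag ignored");` (with the plan raised to match) would also confirm the masked flag has no effect on the result. The PPCODE body continues outside the inner hunk, so how `pglob` is used after the call cannot be checked from here.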
diff --git a/perl.spec b/perl.spec
index caec762..736070c 100644
--- a/perl.spec
+++ b/perl.spec
@@ -90,6 +90,9 @@ Patch12: perl-5.14.1-CVE-2011-2939.patch
# rhbz #720610, Perl RT#94560, accepted as v5.15.4-24-g26e1303.
Patch13: perl-5.14.2-large-repeat-heap-abuse.patch
+# Fix CVE-2011-2728, rhbz#742987, fixed in Perl 5.14.2.
+Patch14: perl-5.12.4-CVE-2011-2728.patch
+
# Update some of the bundled modules
# see http://fedoraproject.org/wiki/Perl/perl.spec for instructions
@@ -968,6 +971,7 @@ tarball from perl.org.
%patch11 -p1
%patch12 -p1
%patch13 -p1
+%patch14 -p1
#copy the example script
cp -a %{SOURCE5} .
@@ -1185,7 +1189,8 @@ pushd %{build_archlib}/CORE/
'Fedora Patch10: Update ExtUtils::ParseXS to 2.2206' \
'Fedora Patch11: Fix code injection in Digest->new()' \
'Fedora Patch12: Fix CVE-2011-2939' \
- 'Fedora Patch13: Change Perl_repeatcpy() to allow count above 2^31' \
+ 'Fedora Patch13: Change Perl_repeatcpy() to allow count above 2^31' \
+ 'Fedora Patch14: Fix CVE-2011-2728' \
%{nil}
rm patchlevel.bak
@@ -1989,6 +1994,8 @@ rm -rf $RPM_BUILD_ROOT
- Change Perl_repeatcpy() prototype to allow repeat count above 2^31
(bug #720610)
- Do not own site directories located in /usr/local (bug #732799)
+- Fixes CVE-2011-2728 (File::Glob bsd_glob() crash with certain glob flags)
+ (bug #742987)
* Wed Oct 05 2011 Petr Pisar <ppisar at redhat.com> - 4:5.12.4-162
- Fix CVE-2011-3597 (code injection in Digest) (bug #743010)