[perl/f14] Fix CVE-2011-2728
Petr Pisar
ppisar at fedoraproject.org
Fri Nov 4 16:15:24 UTC 2011
commit e921f2285844bdab9dc3413b93c40c3e27328414
Author: Petr Písař <ppisar at redhat.com>
Date: Fri Nov 4 14:54:27 2011 +0100
Fix CVE-2011-2728
perl-5.12.4-CVE-2011-2728.patch | 62 +++++++++++++++++++++++++++++++++++++++
perl.spec | 7 ++++
2 files changed, 69 insertions(+), 0 deletions(-)
---
diff --git a/perl-5.12.4-CVE-2011-2728.patch b/perl-5.12.4-CVE-2011-2728.patch
new file mode 100644
index 0000000..c88ad0f
--- /dev/null
+++ b/perl-5.12.4-CVE-2011-2728.patch
@@ -0,0 +1,62 @@
+From 1af4051e077438976a4c12a0622feaf6715bec77 Mon Sep 17 00:00:00 2001
+From: "Craig A. Berry" <craigberry at mac.com>
+Date: Fri, 19 Aug 2011 10:14:13 -0500
+Subject: [PATCH] Plug segfault in bsd_glob() with unsupported ALTDIRFUNC
+ flag.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+First, disable all the unsupported flags just to make sure they aren't
+triggering something they shouldn't be. Also, zero the pglob struct
+before passing to bsd_glob(); it contains function pointers, and it's
+safest if they are null rather than containing random stack data.
+
+Bug reported by Clément Lecigne <clemun at gmail.com>.
+
+Petr Pisar: Version bump removed and rebased for Perl 5.12.4.
+---
+ ext/File-Glob/Glob.xs | 3 +++
+ ext/File-Glob/t/basic.t | 6 +++++-
+
+diff --git a/ext/File-Glob/Glob.xs b/ext/File-Glob/Glob.xs
+index 3f4928f..5a08a0d 100644
+--- a/ext/File-Glob/Glob.xs
++++ b/ext/File-Glob/Glob.xs
+@@ -49,9 +49,12 @@ PPCODE:
+ /* allow for optional flags argument */
+ if (items > 1) {
+ flags = (int) SvIV(ST(1));
++ /* remove unsupported flags */
++ flags &= ~(GLOB_APPEND | GLOB_DOOFFS | GLOB_ALTDIRFUNC | GLOB_MAGCHAR);
+ }
+
+ /* call glob */
++ bzero(&pglob, sizeof(glob_t));
+ retval = bsd_glob(pattern, flags, errfunc, &pglob);
+ GLOB_ERROR = retval;
+
+diff --git a/ext/File-Glob/t/basic.t b/ext/File-Glob/t/basic.t
+index e331380..ed83019 100644
+--- a/ext/File-Glob/t/basic.t
++++ b/ext/File-Glob/t/basic.t
+@@ -15,7 +15,7 @@ BEGIN {
+ }
+ }
+ use strict;
+-use Test::More tests => 14;
++use Test::More tests => 15;
+ BEGIN {use_ok('File::Glob', ':glob')};
+ use Cwd ();
+
+@@ -195,3 +195,7 @@ pass("Don't panic");
+ local $TODO = "home-made glob doesn't do regexes" if $^O eq 'VMS';
+ is_deeply(\@glob_files, ['a_dej']);
+ }
++
++# This used to segfault.
++my $i = bsd_glob('*', GLOB_ALTDIRFUNC);
++is(&File::Glob::GLOB_ERROR, 0, "Successfuly ignored unsupported flag");
+--
+1.7.6.4
+
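Review bot: The added `bzero(&pglob, sizeof(glob_t));` in the Glob.xs hunk depends on a legacy BSD routine that not every C library perl builds against declares; perl's own `Zero(&pglob, 1, glob_t);` (or `memset(&pglob, 0, sizeof(glob_t));`) clears the struct the same way without that dependency. This line is what keeps uninitialised stack data out of the struct's function pointers, so it should build everywhere the module does. The flag mask sits inside `if (items > 1)`, so it covers only a caller-supplied flags argument; the default value of `flags` is set outside the embedded hunk and presumably never carries these bits. In basic.t the new test asserts only that GLOB_ERROR is 0, and its message misspells "Successfully". The XS function body begins and ends outside the hunk.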
diff --git a/perl.spec b/perl.spec
index f01e3de..1c220c1 100644
--- a/perl.spec
+++ b/perl.spec
@@ -76,6 +76,9 @@ Patch12: perl-5.14.1-CVE-2011-2939.patch
# rhbz #720610, Perl RT#94560, accepted as v5.15.4-24-g26e1303.
Patch13: perl-5.14.2-large-repeat-heap-abuse.patch
+# Fix CVE-2011-2728, rhbz#742987, fixed in Perl 5.14.2.
+Patch14: perl-5.12.4-CVE-2011-2728.patch
+
# Update some of the bundled modules
# see http://fedoraproject.org/wiki/Perl/perl.spec for instructions
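Review bot: The comment above `Patch14` records the CVE, the Bugzilla number and the fixed release, but not the upstream commit the backport was taken from, whereas the Patch13 comment just above it names the accepted upstream revision. The patch file's own header carries that id, so the comment could read `# Fix CVE-2011-2728, rhbz#742987, upstream commit 1af4051e0774, fixed in Perl 5.14.2.` That lets someone auditing the spec trace the security fix to its origin without opening the patch.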
@@ -952,6 +955,7 @@ upstream tarball from perl.org.
%patch11 -p1
%patch12 -p1
%patch13 -p1
+%patch14 -p1
#
# Candidates for doc recoding (need case by case review):
@@ -1158,6 +1162,7 @@ pushd %{build_archlib}/CORE/
'Fedora Patch11: Fix code injection in Digest->new()' \
'Fedora Patch12: Fix CVE-2011-2939' \
'Fedora Patch13: Change Perl_repeatcpy() to allow count above 2^31' \
+ 'Fedora Patch14: Fix CVE-2011-2728' \
%{nil}
rm patchlevel.bak
@@ -1894,6 +1899,8 @@ rm -rf $RPM_BUILD_ROOT
* Fri Nov 04 2011 Petr Pisar <ppisar at redhat.com> - 4:5.12.4-148
- Change Perl_repeatcpy() prototype to allow repeat count above 2^31
(bug #720610)
+- Fixes CVE-2011-2728 (File::Glob bsd_glob() crash with certain glob flags)
+ (bug #742987)
* Wed Oct 05 2011 Petr Pisar <ppisar at redhat.com> - 4:5.12.4-147
- Fix CVE-2011-3597 (code injection in Digest) (bug #743010)