[perl/f14] Fix CVE-2011-2728

Petr Pisar ppisar at fedoraproject.org
Fri Nov 4 16:15:24 UTC 2011


commit e921f2285844bdab9dc3413b93c40c3e27328414
Author: Petr Písař <ppisar at redhat.com>
Date:   Fri Nov 4 14:54:27 2011 +0100

    Fix CVE-2011-2728

 perl-5.12.4-CVE-2011-2728.patch |   62 +++++++++++++++++++++++++++++++++++++++
 perl.spec                       |    7 ++++
 2 files changed, 69 insertions(+), 0 deletions(-)
---
diff --git a/perl-5.12.4-CVE-2011-2728.patch b/perl-5.12.4-CVE-2011-2728.patch
new file mode 100644
index 0000000..c88ad0f
--- /dev/null
+++ b/perl-5.12.4-CVE-2011-2728.patch
@@ -0,0 +1,62 @@
+From 1af4051e077438976a4c12a0622feaf6715bec77 Mon Sep 17 00:00:00 2001
+From: "Craig A. Berry" <craigberry at mac.com>
+Date: Fri, 19 Aug 2011 10:14:13 -0500
+Subject: [PATCH] Plug segfault in bsd_glob() with unsupported ALTDIRFUNC
+ flag.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+First, disable all the unsupported flags just to make sure they aren't
+triggering something they shouldn't be.  Also, zero the pglob struct
+before passing to bsd_glob(); it contains function pointers, and it's
+safest if they are null rather than containing random stack data.
+
+Bug reported by Clément Lecigne <clemun at gmail.com>.
+
+Petr Pisar: Version bump removed and rebased for Perl 5.12.4.
+---
+ ext/File-Glob/Glob.xs   |    3 +++
+ ext/File-Glob/t/basic.t |    6 +++++-
+
+diff --git a/ext/File-Glob/Glob.xs b/ext/File-Glob/Glob.xs
+index 3f4928f..5a08a0d 100644
+--- a/ext/File-Glob/Glob.xs
++++ b/ext/File-Glob/Glob.xs
+@@ -49,9 +49,12 @@ PPCODE:
+ 	/* allow for optional flags argument */
+ 	if (items > 1) {
+ 	    flags = (int) SvIV(ST(1));
++	    /* remove unsupported flags */
++	    flags &= ~(GLOB_APPEND | GLOB_DOOFFS | GLOB_ALTDIRFUNC | GLOB_MAGCHAR);
+ 	}
+ 
+ 	/* call glob */
++	bzero(&pglob, sizeof(glob_t));
+ 	retval = bsd_glob(pattern, flags, errfunc, &pglob);
+ 	GLOB_ERROR = retval;
+ 
+diff --git a/ext/File-Glob/t/basic.t b/ext/File-Glob/t/basic.t
+index e331380..ed83019 100644
+--- a/ext/File-Glob/t/basic.t
++++ b/ext/File-Glob/t/basic.t
+@@ -15,7 +15,7 @@ BEGIN {
+     }
+ }
+ use strict;
+-use Test::More tests => 14;
++use Test::More tests => 15;
+ BEGIN {use_ok('File::Glob', ':glob')};
+ use Cwd ();
+ 
+@@ -195,3 +195,7 @@ pass("Don't panic");
+     local $TODO = "home-made glob doesn't do regexes" if $^O eq 'VMS';
+     is_deeply(\@glob_files, ['a_dej']);
+ }
++
++# This used to segfault.
++my $i = bsd_glob('*', GLOB_ALTDIRFUNC);
++is(&File::Glob::GLOB_ERROR, 0, "Successfuly ignored unsupported flag");
+-- 
+1.7.6.4
+
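Review bot: The new comment `/* remove unsupported flags */` in Glob.xs does not say why these flags are dangerous, and that reason is the whole security point of the patch. Going by the commit message, something like `/* remove unsupported flags: they make bsd_glob() use pglob members, including function pointers, that this wrapper never sets up */` would stop a later maintainer from re-enabling one of them. Separately, `bzero()` is a legacy BSD call; Perl's own macro, `Zero(&pglob, 1, glob_t);`, does the same zeroing and is likely more portable, though this matters little for a Linux-only backport. The mask only runs when `items > 1`, and the default value of `flags` is set outside the embedded hunk, so it is worth confirming that the default cannot carry any of the four masked bits.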
diff --git a/perl.spec b/perl.spec
index f01e3de..1c220c1 100644
--- a/perl.spec
+++ b/perl.spec
@@ -76,6 +76,9 @@ Patch12:        perl-5.14.1-CVE-2011-2939.patch
 # rhbz #720610, Perl RT#94560, accepted as v5.15.4-24-g26e1303.
 Patch13:        perl-5.14.2-large-repeat-heap-abuse.patch
 
+# Fix CVE-2011-2728, rhbz#742987, fixed in Perl 5.14.2.
+Patch14:        perl-5.12.4-CVE-2011-2728.patch
+
 # Update some of the bundled modules
 # see http://fedoraproject.org/wiki/Perl/perl.spec for instructions
 
@@ -952,6 +955,7 @@ upstream tarball from perl.org.
 %patch11 -p1
 %patch12 -p1
 %patch13 -p1
+%patch14 -p1
 
 #
 # Candidates for doc recoding (need case by case review):
@@ -1158,6 +1162,7 @@ pushd %{build_archlib}/CORE/
     'Fedora Patch11: Fix code injection in Digest->new()' \
     'Fedora Patch12: Fix CVE-2011-2939' \
     'Fedora Patch13: Change Perl_repeatcpy() to allow count above 2^31' \
+    'Fedora Patch14: Fix CVE-2011-2728' \
     %{nil}
 
 rm patchlevel.bak
@@ -1894,6 +1899,8 @@ rm -rf $RPM_BUILD_ROOT
 * Fri Nov 04 2011 Petr Pisar <ppisar at redhat.com> - 4:5.12.4-148
 - Change Perl_repeatcpy() prototype to allow repeat count above 2^31
   (bug #720610)
+- Fixes CVE-2011-2728 (File::Glob bsd_glob() crash with certain glob flags)
+  (bug #742987)
 
 * Wed Oct 05 2011 Petr Pisar <ppisar at redhat.com> - 4:5.12.4-147
 - Fix CVE-2011-3597 (code injection in Digest) (bug #743010)

