[perl/f16] Fix CVE-2011-2939

Petr Pisar ppisar at fedoraproject.org
Wed Oct 5 15:36:35 UTC 2011


commit 7fc88b6fe92b86bc680979e107a6d84a3a04502e
Author: Petr Písař <ppisar at redhat.com>
Date:   Wed Oct 5 17:06:55 2011 +0200

    Fix CVE-2011-2939

 perl-5.14.1-CVE-2011-2939.patch |   31 +++++++++++++++++++++++++++++++
 perl.spec                       |    6 ++++++
 2 files changed, 37 insertions(+), 0 deletions(-)
---
diff --git a/perl-5.14.1-CVE-2011-2939.patch b/perl-5.14.1-CVE-2011-2939.patch
new file mode 100644
index 0000000..d6e9309
--- /dev/null
+++ b/perl-5.14.1-CVE-2011-2939.patch
@@ -0,0 +1,31 @@
+From c28861b92c21957858b840da14b9734f4436b3be Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar at redhat.com>
+Date: Wed, 5 Oct 2011 16:45:43 +0200
+Subject: [PATCH] Fix CVE-2011-2939
+
+Fixes heap overflow while decoding Unicode string. See
+<https://bugzilla.redhat.com/show_bug.cgi?id=731246> for more
+details. Original patch by Robert Zacek <zacek at avast.com>.
+---
+ cpan/Encode/Unicode/Unicode.xs |    5 ++++-
+ 1 files changed, 4 insertions(+), 1 deletions(-)
+
+diff --git a/cpan/Encode/Unicode/Unicode.xs b/cpan/Encode/Unicode/Unicode.xs
+index 07d7e25..af5965d 100644
+--- a/cpan/Encode/Unicode/Unicode.xs
++++ b/cpan/Encode/Unicode/Unicode.xs
+@@ -256,7 +256,10 @@ CODE:
+ 	       This prevents allocating too much in the rogue case of a large
+ 	       input consisting initially of long sequence uft8-byte unicode
+ 	       chars followed by single utf8-byte chars. */
+-	    STRLEN remaining = (e - s)/usize;
++	    /* +1 
++	       fixes  Unicode.xs!decode_xs n-byte heap-overflow
++	      */
++	    STRLEN remaining = (e - s)/usize + 1; /* +1 to avoid the leak */
+ 	    STRLEN max_alloc = remaining + (8*1024*1024);
+ 	    STRLEN est_alloc = remaining * UTF8_MAXLEN;
+ 	    STRLEN newlen = SvLEN(result) + /* min(max_alloc, est_alloc) */
+-- 
+1.7.6.4
+
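Review bot: The two comments added around `STRLEN remaining = (e - s)/usize + 1;` do not say why the +1 is needed, and the trailing one calls the problem a "leak" although the patch description and the comment above it both describe a heap overflow. As far as the hunk shows, the integer division rounds down to 0 whenever fewer than `usize` bytes remain, so `est_alloc` and the growth added to `SvLEN(result)` were 0 on that path; presumably that is the case the +1 covers. If that matches the code after this point, I would replace both comments with one: `/* +1: (e - s)/usize rounds down to 0 for a trailing partial code unit, so the buffer was not grown before the next write (CVE-2011-2939) */`. The enclosing decode_xs body starts and ends outside the hunk, so whether one extra unit of headroom covers every write that follows this growth cannot be confirmed from here.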
diff --git a/perl.spec b/perl.spec
index f68474a..bcf624f 100644
--- a/perl.spec
+++ b/perl.spec
@@ -66,6 +66,9 @@ Patch8:         perl-5.14.1-offtest.patch
 # Fix code injection in Digest, rhbz #743010, RT#71390, fixed in Digest-1.17.
 Patch9:         perl-5.14.2-digest_eval.patch
 
+# Fix CVE-2011-2939, rhbz #731246, fixed in perl-5.14.2.
+Patch10:        perl-5.14.1-CVE-2011-2939.patch
+
 # Update some of the bundled modules
 # see http://fedoraproject.org/wiki/Perl/perl.spec for instructions
 
@@ -1073,6 +1076,7 @@ tarball from perl.org.
 %patch7 -p1
 %patch8 -p1
 %patch9 -p1
+%patch10 -p1
 
 #copy the example script
 cp -a %{SOURCE5} .
@@ -1260,6 +1264,7 @@ pushd %{build_archlib}/CORE/
     'Fedora Patch6: Skip hostname tests, due to builders not being network capable' \
     'Fedora Patch7: Dont run one io test due to random builder failures' \
     'Fedora Patch9: Fix code injection in Digest->new()' \
+    'Fedora Patch10: Fix CVE-2011-2939' \
     %{nil}
 
 rm patchlevel.bak
@@ -2149,6 +2154,7 @@ sed \
 %changelog
 * Wed Oct 05 2011 Petr Pisar <ppisar at redhat.com> - 4:5.14.1-188
 - Fix CVE-2011-3597 (code injection in Digest) (bug #743010)
+- Fix CVE-2011-2939 (heap overflow while decoding Unicode string) (bug #731246)
 
 * Tue Aug 30 2011 Petr Pisar <ppisar at redhat.com> - 4:5.14.1-187
 - Split Locale::Codes into standalone sub-package to dual-live with newer

