[perl/f15] Fix CVE-2011-2939

Petr Pisar ppisar at fedoraproject.org
Wed Oct 5 16:13:55 UTC 2011


commit 63130052504f959d64965a0c0460628e31bc8dff
Author: Petr Písař <ppisar at redhat.com>
Date:   Wed Oct 5 17:06:55 2011 +0200

    Fix CVE-2011-2939

 perl-5.14.1-CVE-2011-2939.patch |   31 +++++++++++++++++++++++++++++++
 perl.spec                       |    6 ++++++
 2 files changed, 37 insertions(+), 0 deletions(-)
---
diff --git a/perl-5.14.1-CVE-2011-2939.patch b/perl-5.14.1-CVE-2011-2939.patch
new file mode 100644
index 0000000..d6e9309
--- /dev/null
+++ b/perl-5.14.1-CVE-2011-2939.patch
@@ -0,0 +1,31 @@
+From c28861b92c21957858b840da14b9734f4436b3be Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar at redhat.com>
+Date: Wed, 5 Oct 2011 16:45:43 +0200
+Subject: [PATCH] Fix CVE-2011-2939
+
+Fixes heap overflow while decoding Unicode string. See
+<https://bugzilla.redhat.com/show_bug.cgi?id=731246> for more
+details. Original patch by Robert Zacek <zacek at avast.com>.
+---
+ cpan/Encode/Unicode/Unicode.xs |    5 ++++-
+ 1 files changed, 4 insertions(+), 1 deletions(-)
+
+diff --git a/cpan/Encode/Unicode/Unicode.xs b/cpan/Encode/Unicode/Unicode.xs
+index 07d7e25..af5965d 100644
+--- a/cpan/Encode/Unicode/Unicode.xs
++++ b/cpan/Encode/Unicode/Unicode.xs
+@@ -256,7 +256,10 @@ CODE:
+ 	       This prevents allocating too much in the rogue case of a large
+ 	       input consisting initially of long sequence uft8-byte unicode
+ 	       chars followed by single utf8-byte chars. */
+-	    STRLEN remaining = (e - s)/usize;
++	    /* +1 
++	       fixes  Unicode.xs!decode_xs n-byte heap-overflow
++	      */
++	    STRLEN remaining = (e - s)/usize + 1; /* +1 to avoid the leak */
+ 	    STRLEN max_alloc = remaining + (8*1024*1024);
+ 	    STRLEN est_alloc = remaining * UTF8_MAXLEN;
+ 	    STRLEN newlen = SvLEN(result) + /* min(max_alloc, est_alloc) */
+-- 
+1.7.6.4
+
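Review bot: The two comments added around `STRLEN remaining` disagree about what the `+1` is for: the block comment calls it a fix for a heap overflow in decode_xs, while the trailing comment says `/* +1 to avoid the leak */`, and neither says why one extra unit is enough. I would replace both with a single comment such as `/* +1: reserve room for one more character than the unread input, so the grown buffer is never short (CVE-2011-2939) */`. The reason should be confirmed against the decode loop, which is outside this hunk; presumably the character being written has already been consumed from `s` when this estimate is taken. Because the fix relies on `remaining` being an upper bound on what is still to be written, a regression test that drives decoding through this reallocation path would keep a later refactor from dropping the `+1`.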
diff --git a/perl.spec b/perl.spec
index 622b95f..6591a96 100644
--- a/perl.spec
+++ b/perl.spec
@@ -83,6 +83,9 @@ Patch10:	perl-ExtUtils-ParseXS-2.2206.patch
 # Fix code injection in Digest, rhbz #743010, RT#71390, fixed in Digest-1.17.
 Patch11:         perl-5.14.2-digest_eval.patch
 
+# Fix CVE-2011-2939, rhbz #731246, fixed in perl-5.14.2.
+Patch12:        perl-5.14.1-CVE-2011-2939.patch
+
 # Update some of the bundled modules
 # see http://fedoraproject.org/wiki/Perl/perl.spec for instructions
 
@@ -959,6 +962,7 @@ tarball from perl.org.
 %patch9 -p1
 %patch10 -p1
 %patch11 -p1
+%patch12 -p1
 
 #copy the example script
 cp -a %{SOURCE5} .
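Review bot: The patch applied here as `%patch12 -p1` is named for perl-5.14.1 and its inner hunk is positioned at `@@ -256,7 +256,10 @@`, while the changelog entries in this spec (`4:5.12.4-161`) suggest this branch packages 5.12.4, so it is worth confirming that the hunk lands on the intended `STRLEN remaining` line in this tree's `cpan/Encode/Unicode/Unicode.xs`. A security backport that applies at an offset can report success while changing a different statement than the one reviewed. Checking the %prep output for offset or fuzz messages on Patch12, and inspecting the patched file once, would settle it. The %prep section continues outside this hunk.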
@@ -1172,6 +1176,7 @@ pushd %{build_archlib}/CORE/
     'Fedora Patch9: h2ph produces incorrect code in preamble, based mainly on RT #74614 ' \
     'Fedora Patch10: Update ExtUtils::ParseXS to 2.2206' \
     'Fedora Patch11: Fix code injection in Digest->new()' \
+    'Fedora Patch12: Fix CVE-2011-2939' \
     %{nil}
 
 rm patchlevel.bak
@@ -1975,6 +1980,7 @@ rm -rf $RPM_BUILD_ROOT
 %changelog
 * Wed Oct 05 2011 Petr Pisar <ppisar at redhat.com> - 4:5.12.4-161
 - Fix CVE-2011-3597 (code injection in Digest) (bug #743010)
+- Fix CVE-2011-2939 (heap overflow while decoding Unicode string) (bug #731246)
 
 * Sun Aug 14 2011 Iain Arnell <iarnell at gmail.com> 4:5.12.4-161
 - perl needs to own vendorarch/auto directory

