[pl/f16] Fix CVE-2012-6089

Petr Pisar ppisar at fedoraproject.org
Fri Jan 4 12:59:48 UTC 2013


commit 70e4bfc33bb1c6880238ba37387f451175ad14e0
Author: Petr Písař <ppisar at redhat.com>
Date:   Fri Jan 4 12:49:44 2013 +0100

    Fix CVE-2012-6089

 pl-5.10.2-CVE-2012-6089.patch |   97 +++++++++++++++++++++++++++++++++++++++++
 pl.spec                       |    8 +++-
 2 files changed, 104 insertions(+), 1 deletions(-)
---
diff --git a/pl-5.10.2-CVE-2012-6089.patch b/pl-5.10.2-CVE-2012-6089.patch
new file mode 100644
index 0000000..14bd3ed
--- /dev/null
+++ b/pl-5.10.2-CVE-2012-6089.patch
@@ -0,0 +1,97 @@
+From 6149f39ada50f7ebc6b0cb7756490a0fea967bd1 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar at redhat.com>
+Date: Fri, 4 Jan 2013 13:33:11 +0100
+Subject: [PATCH 1/2] Fix CVE-2012-6089
+
+Upstream fix ported to 5.10.2:
+
+From a9a6fc8a2a9cf3b9154b490a4b1ffaa8be4d723c Mon Sep 17 00:00:00 2001
+From: Jan Wielemaker <J.Wielemaker at cs.vu.nl>
+Date: Sun, 16 Dec 2012 18:13:17 +0100
+Subject: [PATCH] FIXED: Possible buffer overrun in patch canonisation code.
+
+Pushes pointers on an automatic array without checking for overflow.
+Can be used for DoS attacks.  Will be extremely hard to make it execute
+arbitrary code.
+---
+ src/pl-buffer.h |  2 ++
+ src/pl-os.c     | 19 +++++++++++--------
+ 2 files changed, 13 insertions(+), 8 deletions(-)
+
+diff --git a/src/pl-buffer.h b/src/pl-buffer.h
+index d4149c1..000bca5 100644
+--- a/src/pl-buffer.h
++++ b/src/pl-buffer.h
+@@ -79,6 +79,8 @@ void	growBuffer(Buffer b, size_t minfree);
+ 				  sizeof((b)->static_buffer))
+ #define emptyBuffer(b)           ((b)->top  = (b)->base)
+ #define isEmptyBuffer(b)         ((b)->top == (b)->base)
++#define popBuffer(b,type) \
++	((b)->top -= sizeof(type), *(type*)(b)->top)
+ 
+ #define discardBuffer(b) \
+ 	do \
+diff --git a/src/pl-os.c b/src/pl-os.c
+index c6aaefc..4d008d6 100644
+--- a/src/pl-os.c
++++ b/src/pl-os.c
+@@ -1081,8 +1081,7 @@ cleanupExpand(void)
+ char *
+ canoniseFileName(char *path)
+ { char *out = path, *in = path, *start = path;
+-  char *osave[100];
+-  int  osavep = 0;
++  tmp_buffer saveb;
+ 
+ #ifdef O_HASDRIVES			/* C: */
+   if ( in[1] == ':' && isLetter(in[0]) )
+@@ -1110,7 +1109,8 @@ canoniseFileName(char *path)
+     in += 2;
+   if ( in[0] == '/' )
+     *out++ = '/';
+-  osave[osavep++] = out;
++  initBuffer(&saveb);
++  addBuffer(&saveb, out, char*);
+ 
+   while(*in)
+   { if (*in == '/')
+@@ -1126,15 +1126,15 @@ canoniseFileName(char *path)
+ 	  }
+ 	  if ( in[2] == EOS )		/* delete trailing /. */
+ 	  { *out = EOS;
+-	    return path;
++	    goto out;
+ 	  }
+ 	  if ( in[2] == '.' && (in[3] == '/' || in[3] == EOS) )
+-	  { if ( osavep > 0 )		/* delete /foo/../ */
+-	    { out = osave[--osavep];
++	  { if ( !isEmptyBuffer(&saveb) )		/* delete /foo/../ */
++	    { out = popBuffer(&saveb, char*);
+ 	      in += 3;
+ 	      if ( in[0] == EOS && out > start+1 )
+ 	      { out[-1] = EOS;		/* delete trailing / */
+-		return path;
++		goto out;
+ 	      }
+ 	      goto again;
+ 	    } else if (	start[0] == '/' && out == start+1 )
+@@ -1148,12 +1148,15 @@ canoniseFileName(char *path)
+ 	in++;
+       if ( out > path && out[-1] != '/' )
+ 	*out++ = '/';
+-      osave[osavep++] = out;
++      addBuffer(&saveb, out, char*);
+     } else
+       *out++ = *in++;
+   }
+   *out++ = *in++;
+ 
++out:
++  discardBuffer(&saveb);
++
+   return path;
+ }
+ 
+-- 
+1.7.11.7
+
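Review bot: Every early exit from canoniseFileName must now reach `out:` so that `discardBuffer(&saveb)` releases whatever `addBuffer`/`growBuffer` allocated once the static buffer is exhausted (presumably on the heap, given the `static_buffer` member visible in pl-buffer.h), yet the stretch between the third and fourth hunk of pl-os.c (old lines 1137–1147) is not shown; any `return path;` left there would leak the grown buffer on exactly the long `..` chains this fix is meant to survive, so that stretch should be checked. The new label `out:` also shares its name with the local `char *out` — legal, since labels have their own namespace, but confusing in a function whose output cursor is `out`; `done:` would read better. `popBuffer` does no bounds check of its own, so a comment on the macro such as `/* caller must check !isEmptyBuffer(b) first */` would make the contract relied on at the `/foo/../` branch explicit. canoniseFileName's body continues outside the hunks shown here.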
diff --git a/pl.spec b/pl.spec
index 1cf65df..bf8e962 100644
--- a/pl.spec
+++ b/pl.spec
@@ -6,7 +6,7 @@
 
 Name:       pl
 Version:    5.10.2
-Release:    8%{?dist}
+Release:    9%{?dist}
 
 Summary:    SWI-Prolog - Edinburgh compatible Prolog compiler
 
@@ -38,6 +38,8 @@ Patch8:     xpce-gif-CVE-2007-6697-like.patch
 Patch9:     xpce-5.10.5-SECURITY-Bug-9-Loading-incomplete-GIF-files-causes-a.patch
 # Upstream bug #9, will be in 5.10.6, rhbz#732952
 Patch10:    xpce-5.10.5-SECURITY-Make-sure-all-pixels-are-within-the-allocat.patch
+# Fix CVE-2012-6089, in upstream 6.2.5, rhbz#891666
+Patch11:    %{name}-5.10.2-CVE-2012-6089.patch
 
 BuildRoot:      %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 # Base
@@ -156,6 +158,7 @@ cd packages/xpce
 %patch9 -p1 -b .incomplete_gif
 %patch10 -p1 -b .validate_pixel_color
 )
+%patch11 -p1 -b .CVE-2012-6089
 (
    cd src
    autoconf
@@ -339,6 +342,9 @@ rm -rf $RPM_BUILD_ROOT
 
 
 %changelog
+* Fri Jan 04 2013 Petr Pisar <ppisar at redhat.com> - 5.10.2-9
+- Fix CVE-2012-6089 (buffer overflows in path canonisation code) (bug #891666)
+
 * Thu Mar 08 2012 Petr Pisar <ppisar at redhat.com> - 5.10.2-8
 - Fix JPL interface (bug #590499)
 

