tag 622817 patch fixed-upstream forwarded 622817 http://rt.perl.org/rt3/Public/Bug/Display.html?id=87336 thanks
On Thu, Apr 14, 2011 at 09:45:55PM +0100, Dominic Hargreaves wrote:

> Package: perl
> Version: 5.10.1-19
> Severity: grave
> Tags: security
> Justification: user security hole
>
> CVE description:
>
> The (1) lc, (2) lcfirst, (3) uc, and (4) ucfirst functions in Perl
> 5.10.x, 5.11.x, and 5.12.x through 5.12.3, and 5.13.x through 5.13.11,
> do not apply the taint attribute to the return value upon processing
> tainted input, which might allow context-dependent attackers to bypass
> the taint protection mechanism via a crafted string.
>
> Upstream report: <http://rt.perl.org/rt3/Public/Bug/Display.html?id=87336>
> Redhat bug: <https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-1487>
> Fix from bleadperl:
> <http://perl5.git.perl.org/perl.git/commitdiff/539689e74a3bcb04d29e4cd9396de91a81045b99>
> Fedora fix in 5.12: <https://bugzilla.redhat.com/show_bug.cgi?id=692900>

Security team, I assume this is going to be fixed through a DSA?

I've pushed a fix for sid (5.10.1) into our git repository and I'm attaching the actual patch. It's slightly modified from the Fedora one because their test script update has a glitch and doesn't actually fail without the fix. This is to be applied after the fixes/tainted-errno patch, so the test counts and context differ a bit from upstream.

It should be trivial to port this to squeeze and lenny. I'll try to prepare the debdiffs on Sunday, but if somebody else wants to do that, feel free.

Please note that the sid fix can't currently be uploaded on its own because of a db4.7 related problem (just filed as #622916).

-- 
Niko Tyni nt...@debian.org
>From f741adfc630145977636e185d41ef88d0b681fd0 Mon Sep 17 00:00:00 2001 From: Niko Tyni <nt...@debian.org> Date: Fri, 15 Apr 2011 22:03:06 +0300 Subject: [PATCH 2/2] CVE-2011-1487: lc/uc(first) fail to taint the returned string Based on the 5.12 patch ported by the Fedora project, with test cases modified to actually fail without the fix. https://bugzilla.redhat.com/show_bug.cgi?id=692900 --- pp.c | 7 ++++++- t/op/taint.t | 15 ++++++++++++++- 2 files changed, 20 insertions(+), 2 deletions(-) diff --git a/pp.c b/pp.c index 1c8620c..40e512a 100644 --- a/pp.c +++ b/pp.c @@ -3616,6 +3616,8 @@ PP(pp_ucfirst) SvCUR_set(dest, need - 1); } } + if (dest != source && SvTAINTED(source)) + SvTAINT(dest); SvSETMAGIC(dest); RETURN; } @@ -3666,7 +3668,8 @@ PP(pp_uc) SvUPGRADE(dest, SVt_PV); d = (U8*)SvGROW(dest, min); (void)SvPOK_only(dest); - + if (dest != source && SvTAINTED(source)) + SvTAINT(dest); SETs(dest); } @@ -3835,6 +3838,8 @@ PP(pp_lc) SvCUR_set(dest, d - (U8*)SvPVX_const(dest)); } } + if (dest != source && SvTAINTED(source)) + SvTAINT(dest); SvSETMAGIC(dest); RETURN; } diff --git a/t/op/taint.t b/t/op/taint.t index 6511fa5..80ac57b 100755 --- a/t/op/taint.t +++ b/t/op/taint.t @@ -17,7 +17,7 @@ use Config; use File::Spec::Functions; BEGIN { require './test.pl'; } -plan tests => 302; +plan tests => 306; $| = 1; @@ -1327,6 +1327,19 @@ foreach my $ord (78, 163, 256) { } +{ + # [perl #87336] lc/uc(first) failing to taint the returned string + my $source = "foo$TAINT"; + my $dest = lc $source; + test tainted $dest, "lc(tainted) taints its return value"; + $dest = lcfirst $source; + test tainted $dest, "lcfirst(tainted) taints its return value"; + $dest = uc $source; + test tainted $dest, "uc(tainted) taints its return value"; + $dest = ucfirst $source; + test tainted $dest, "ucfirst(tainted) taints its return value"; +} + # This may bomb out with the alarm signal so keep it last SKIP: { skip "No alarm()" unless $Config{d_alarm}; -- 1.7.4.1
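Review bot: the `dest != source` guard in the pp_ucfirst hunk deserves a one-line comment stating why the in-place case is excluded: when ucfirst works on source directly, dest is the same SV and already carries taint, so only a freshly written copy needs `SvTAINT(dest)`. Placing the check after the closing braces and immediately before `SvSETMAGIC(dest);` means every branch of the function reaches it, which is the right spot.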
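Review bot: in the pp_uc hunk the two taint lines replace the blank line after `(void)SvPOK_only(dest);`, so dest is tainted right after its buffer is set up rather than at the end of the function as in the pp_ucfirst and pp_lc hunks. That is functionally fine, since `SvTAINT` only attaches taint magic to the SV, but the inconsistency invites a later refactor to move or drop it; either put it next to the final `SvSETMAGIC(dest)` like the other two functions or add a comment saying it is intentionally early.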
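Review bot: the pp_lc hunk adds the third verbatim copy of `if (dest != source && SvTAINTED(source)) SvTAINT(dest);` (also in pp_ucfirst and pp_uc). A small macro or static inline helper in pp.c would keep the three sites from drifting apart if the condition ever needs adjusting.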
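Review bot: the new t/op/taint.t block covers all four builtins, but every case uses the same shape, a plain ASCII `"foo$TAINT"` copied into a separate variable, so it never exercises the in-place path the `dest != source` guards exist for, nor a UTF-8 source, which the C side handles separately. Consider adding one case that passes a temporary directly (for example `lc("foo" . $TAINT)`) and one with a UTF-8 string such as `"\x{100}foo$TAINT"` so the test fails if either path loses taint; `plan tests => 306` would then need bumping accordingly.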
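An added standalone check, not part of the bug report or the Debian patch, that exercises the same four builtins under -T and reports which combinations drop taint, so a packager can confirm a build before and after applying the fix. The inputs and the `find_untainted_results` helper are constructed for this example; `$ENV{PATH}` is used only as a source of a tainted string.

```perl
#!/usr/bin/perl -T
# Added example: report which case-mapping builtins drop taint on this perl
# (the CVE-2011-1487 symptom). Run with: perl -T lc_taint_check.pl
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Seed: environment variables are tainted under -T. Take the empty prefix so
# the value itself does not matter; only the taint flag is carried along.
my $seed = substr(defined $ENV{PATH} ? $ENV{PATH} : '', 0, 0);
die "seed is not tainted; run this script with perl -T\n" unless tainted($seed);

my %ops = (
    lc      => sub { lc      $_[0] },
    lcfirst => sub { lcfirst $_[0] },
    uc      => sub { uc      $_[0] },
    ucfirst => sub { ucfirst $_[0] },
);

# Constructed inputs exercising different internal paths: plain ASCII,
# a UTF-8 string, and a temporary built inside the call (which may be
# case-mapped in place rather than copied).
my $ascii = "Mixed Case" . $seed;
my $utf8  = "\x{e9}t\x{c9}" . $seed;     # e-acute, t, E-acute
utf8::upgrade($utf8);
my %inputs = (
    ascii     => sub { $ascii },
    utf8      => sub { $utf8 },
    temporary => sub { $ascii . "tmp" },
);

# Returns the list of "op(input)" combinations whose result lost taint.
sub find_untainted_results {
    my @failures;
    for my $op (sort keys %ops) {
        for my $kind (sort keys %inputs) {
            my $out = $ops{$op}->($inputs{$kind}->());
            push @failures, "$op($kind)" unless tainted($out);
        }
    }
    return @failures;
}

my @bad = find_untainted_results();
if (@bad) {
    print "AFFECTED: taint dropped by @bad\n";
    exit 1;
}
print "OK: all case-mapping results stay tainted\n";
```

A non-zero exit status means the running perl still has the bug for at least one combination; the printed list names which ones.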