On Mon, Dec 19, 2011 at 12:58:35PM +0000, Adam D. Barratt wrote:
> On 19.12.2011 11:30, Dominic Hargreaves wrote:
> >The security team has asked that we fix a couple of no-dsa issues in
> >the next squeeze point release. This bug
> >(http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=604902) was also
> >queued for a point release update.
> >
> >The proposed patch
> >
> ><http://perl5.git.perl.org/perl.git/commit/01be0729981136a058cce07a897ccdb94609e1c0>
> >
> >has been confirmed by the bug submitter as fixing the problem.
> >
> >Could you approve this fix for stable?
>
> The patch looks like it would be okay; thanks. However, in order to
> approve the upload for a point release, we'd need to see full
> debdiffs for the proposed package which would be uploaded.
Current debdiff (without finalised changelog) attached.

Cheers,
Dominic.

-- 
Dominic Hargreaves | http://www.larted.org.uk/~dom/
PGP key 5178E2A5 from the.earth.li (keyserver,web,email)
diff --git a/debian/changelog b/debian/changelog index cb90d02..cda36a6 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,14 @@ +perl (5.10.1-17squeeze3) UNRELEASED; urgency=low + + * [SECURITY] CVE-2011-2939: Fix decode_xs n-byte heap-overflow security + bug in Unicode.xs (Closes: #637376) + * [SECURITY] CVE-2011-3597: Fix unsafe use of eval in Digest->new(); + thanks to Ansgar Burchardt for the notification (Closes: #644108) + * Unregister signal handler before destroying my_perl; fixes segfault + (Closes: #604902) + + -- Dominic Hargreaves <d...@earth.li> Wed, 17 Aug 2011 00:24:10 +0100 + perl (5.10.1-17squeeze2) stable-security; urgency=low * [SECURITY] CVE-2010-1447: further Safe.pm fixes for breaking out diff --git a/debian/patches/fixes/digest_eval_hole.diff b/debian/patches/fixes/digest_eval_hole.diff new file mode 100644 index 0000000..9448534 --- /dev/null +++ b/debian/patches/fixes/digest_eval_hole.diff @@ -0,0 +1,33 @@ +From: "Michael G. Schwern" <schw...@pobox.com> +Date: Mon, 3 Oct 2011 19:05:29 +0100 +Subject: Close the eval "require $module" security hole in + Digest->new($algorithm) + +Also the filter was incomplete. + +Bug-Debian: http://bugs.debian.org/644108 + +Index: perl-squeeze/lib/Digest.pm +=================================================================== +--- perl-squeeze.orig/lib/Digest.pm 2011-12-18 16:53:18.000000000 +0000 ++++ perl-squeeze/lib/Digest.pm 2011-12-18 16:53:24.000000000 +0000 +@@ -24,7 +24,7 @@ + shift; # class ignored + my $algorithm = shift; + my $impl = $MMAP{$algorithm} || do { +- $algorithm =~ s/\W+//; ++ $algorithm =~ s/\W+//g; + "Digest::$algorithm"; + }; + $impl = [$impl] unless ref($impl); +@@ -35,7 +35,9 @@ + ($class, @args) = @$class if ref($class); + no strict 'refs'; + unless (exists ${"$class\::"}{"VERSION"}) { +- eval "require $class"; ++ my $pm_file = $class . ".pm"; ++ $pm_file =~ s{::}{/}g; ++ eval { require $pm_file }; + if ($@) { + $err ||= $@; + next; 
diff --git a/debian/patches/fixes/encode-heap-overflow.diff b/debian/patches/fixes/encode-heap-overflow.diff new file mode 100644 index 0000000..df8850f --- /dev/null +++ b/debian/patches/fixes/encode-heap-overflow.diff @@ -0,0 +1,29 @@ +From 3424efe3eae609b9787fcd80f6f66b5e8f00272a Mon Sep 17 00:00:00 2001 +From: Chris 'BinGOs' Williams <ch...@bingosnet.co.uk> +Date: Wed, 17 Aug 2011 00:21:57 +0100 +Subject: [PATCH] Fix decode_xs n-byte heap-overflow security bug in + Unicode.xs + +--- + ext/Encode/Unicode/Unicode.xs | 5 +++- + 3 files changed, 9 insertions(+), 57 deletions(-) + +diff --git a/ext/Encode/Unicode/Unicode.xs b/ext/Encode/Unicode/Unicode.xs +index 1f041d4..92005db 100644 +--- a/ext/Encode/Unicode/Unicode.xs ++++ b/ext/Encode/Unicode/Unicode.xs +@@ -246,7 +246,10 @@ CODE: + This prevents allocating too much in the rogue case of a large + input consisting initially of long sequence uft8-byte unicode + chars followed by single utf8-byte chars. */ +- STRLEN remaining = (e - s)/usize; ++ /* +1 ++ fixes Unicode.xs!decode_xs n-byte heap-overflow ++ */ ++ STRLEN remaining = (e - s)/usize + 1; /* +1 to avoid the leak */ + STRLEN max_alloc = remaining + (8*1024*1024); + STRLEN est_alloc = remaining * UTF8_MAXLEN; + STRLEN newlen = SvLEN(result) + /* min(max_alloc, est_alloc) */ +-- +1.7.5.4 + diff --git a/debian/patches/fixes/unregister_signal_handler.diff b/debian/patches/fixes/unregister_signal_handler.diff new file mode 100644 index 0000000..cd8bf9f --- /dev/null +++ b/debian/patches/fixes/unregister_signal_handler.diff 
@@ -0,0 +1,44 @@ +From 01be0729981136a058cce07a897ccdb94609e1c0 Mon Sep 17 00:00:00 2001 +From: John Wright <j...@johnwright.org> +Date: Wed, 6 May 2009 00:47:15 -0600 +Subject: [PATCH] main: Unregister signal handler before destroying my_perl + +If the signal handler runs after perl_destruct() has been called, it +will get an invalid (or NULL) my_perl when it asks for the +thread-specific interpreter struct. This patch resets the signal +handler for any signal previously handled by PL_csighandlerp to SIG_DFL +before calling perl_destruct(). +--- + miniperlmain.c | 9 ++++++++- + 1 files changed, 8 insertions(+), 1 deletions(-) + +diff --git a/miniperlmain.c b/miniperlmain.c +index f60a3e0..f2302c2 100644 +--- a/miniperlmain.c ++++ b/miniperlmain.c +@@ -67,7 +67,7 @@ main(int argc, char **argv, char **env) + #endif + { + dVAR; +- int exitstatus; ++ int exitstatus, i; + #ifdef PERL_GLOBAL_STRUCT + struct perl_vars *plvarsp = init_global_struct(); + # ifdef PERL_GLOBAL_STRUCT_PRIVATE +@@ -116,6 +116,13 @@ main(int argc, char **argv, char **env) + if (!exitstatus) + perl_run(my_perl); + ++ /* Unregister our signal handler before destroying my_perl */ ++ for (i = 0; PL_sig_name[i]; i++) { ++ if (rsignal_state(PL_sig_num[i]) == (Sighandler_t) PL_csighandlerp) { ++ rsignal(PL_sig_num[i], (Sighandler_t) SIG_DFL); ++ } ++ } ++ + exitstatus = perl_destruct(my_perl); + + perl_free(my_perl); +-- +1.7.4.1 + diff --git a/debian/patches/patchlevel b/debian/patches/patchlevel index 4d9091f..b80b60e 100644 --- a/debian/patches/patchlevel +++ b/debian/patches/patchlevel @@ -1,4 +1,4 @@ -Subject: List packaged patches for 5.10.1-17squeeze2 in patchlevel.h +Subject: List packaged patches for 5.10.1-17squeeze3 in patchlevel.h Origin: vendor Bug-Debian: http://bugs.debian.org/567489 
@@ -8,7 +8,7 @@ The list can be refreshed from information in debian/patches by running --- perl/patchlevel.bak +++ perl/patchlevel.h -@@ -133,0 +134,53 @@ +@@ -133,0 +134,56 @@ + ,"DEBPKG:debian/arm_thread_stress_timeout - http://bugs.debian.org/501970 Raise the timeout of ext/threads/shared/t/stress.t to accommodate slower build hosts" + ,"DEBPKG:debian/cpan_config_path - Set location of CPAN::Config to /etc/perl as /usr may not be writable." + ,"DEBPKG:debian/cpan_definstalldirs - Provide a sensible INSTALLDIRS default for modules installed from CPAN." @@ -61,4 +61,7 @@ The list can be refreshed from information in debian/patches by running + ,"DEBPKG:fixes/cgi-multiline-header - http://bugs.debian.org/606995 [CVE-2010-2761 CVE-2010-4410 CVE-2010-4411] CGI.pm MIME boundary and multiline header vulnerabilities" + ,"DEBPKG:fixes/casing-taint-cve-2011-1487 - http://bugs.debian.org/622817 [perl #87336] fix unwanted taint laundering in lc(), uc() et al." + ,"DEBPKG:fixes/safe-reval-rdo-cve-2010-1447 - [PATCH] Wrap by default coderefs returned by rdo and reval" -+ ,"DEBPKG:patchlevel - http://bugs.debian.org/567489 List packaged patches for 5.10.1-17squeeze2 in patchlevel.h" ++ ,"DEBPKG:fixes/encode-heap-overflow - [PATCH] Fix decode_xs n-byte heap-overflow security bug in" ++ ,"DEBPKG:fixes/digest_eval_hole - Close the eval \"require $module\" security hole in" ++ ,"DEBPKG:fixes/unregister_signal_handler - [PATCH] main: Unregister signal handler before destroying my_perl" ++ ,"DEBPKG:patchlevel - http://bugs.debian.org/567489 List packaged patches for 5.10.1-17squeeze3 in patchlevel.h" diff --git a/debian/patches/series b/debian/patches/series index b49b0f7..bb93dca 100644 --- a/debian/patches/series +++ b/debian/patches/series 
@@ -50,4 +50,7 @@ fixes/concat-stack-corruption.diff -p1 fixes/cgi-multiline-header.diff -p1 fixes/casing-taint-cve-2011-1487.diff -p1 fixes/safe-reval-rdo-cve-2010-1447.diff -p1 +fixes/encode-heap-overflow.diff -p1 +fixes/digest_eval_hole.diff +fixes/unregister_signal_handler.diff patchlevel -p1 diff --git a/debian/rules b/debian/rules index 96f2b8d..52e1f0b 100755 --- a/debian/rules +++ b/debian/rules @@ -436,6 +436,7 @@ refresh-patchlevel: $(patches) grep -q $(patchlevelpatch) $(patches) || echo '$(patchlevelpatch) -p1' >> $(patches) sed s/VERSION/$(package_version)/ debian/$(patchlevelpatch).head > debian/patches/$(patchlevelpatch) perl debian/list-patches $(patchprefix) < $(patches) | \ + sed -e 's/\"/\\\"/g' | \ xargs -d\\n -r perl -x patchlevel.h diff --unified=0 patchlevel.bak patchlevel.h | \ filterdiff --remove-timestamps --addprefix perl/ >> debian/patches/$(patchlevelpatch) diff --git a/ext/Encode/Unicode/Unicode.xs b/ext/Encode/Unicode/Unicode.xs index 1f041d4..92005db 100644 --- a/ext/Encode/Unicode/Unicode.xs +++ b/ext/Encode/Unicode/Unicode.xs @@ -246,7 +246,10 @@ CODE: This prevents allocating too much in the rogue case of a large input consisting initially of long sequence uft8-byte unicode chars followed by single utf8-byte chars. */ - STRLEN remaining = (e - s)/usize; + /* +1 + fixes Unicode.xs!decode_xs n-byte heap-overflow + */ + STRLEN remaining = (e - s)/usize + 1; /* +1 to avoid the leak */ STRLEN max_alloc = remaining + (8*1024*1024); STRLEN est_alloc = remaining * UTF8_MAXLEN; STRLEN newlen = SvLEN(result) + /* min(max_alloc, est_alloc) */ diff --git a/lib/Digest.pm b/lib/Digest.pm index 384dfc8..d714434 100644 --- a/lib/Digest.pm +++ b/lib/Digest.pm @@ -24,7 +24,7 @@ sub new shift; # class ignored my $algorithm = shift; my $impl = $MMAP{$algorithm} || do { - $algorithm =~ s/\W+//; + $algorithm =~ s/\W+//g; "Digest::$algorithm"; }; $impl = [$impl] unless ref($impl); 
@@ -35,7 +35,9 @@ sub new ($class, @args) = @$class if ref($class); no strict 'refs'; unless (exists ${"$class\::"}{"VERSION"}) { - eval "require $class"; + my $pm_file = $class . ".pm"; + $pm_file =~ s{::}{/}g; + eval { require $pm_file }; if ($@) { $err ||= $@; next; diff --git a/miniperlmain.c b/miniperlmain.c index f60a3e0..f2302c2 100644 --- a/miniperlmain.c +++ b/miniperlmain.c @@ -67,7 +67,7 @@ main(int argc, char **argv, char **env) #endif { dVAR; - int exitstatus; + int exitstatus, i; #ifdef PERL_GLOBAL_STRUCT struct perl_vars *plvarsp = init_global_struct(); # ifdef PERL_GLOBAL_STRUCT_PRIVATE @@ -116,6 +116,13 @@ main(int argc, char **argv, char **env) if (!exitstatus) perl_run(my_perl); + /* Unregister our signal handler before destroying my_perl */ + for (i = 0; PL_sig_name[i]; i++) { + if (rsignal_state(PL_sig_num[i]) == (Sighandler_t) PL_csighandlerp) { + rsignal(PL_sig_num[i], (Sighandler_t) SIG_DFL); + } + } + exitstatus = perl_destruct(my_perl); perl_free(my_perl); diff --git a/patchlevel.h b/patchlevel.h index 53506f4..4bd39fa 100644 --- a/patchlevel.h +++ b/patchlevel.h 
@@ -183,7 +183,10 @@ static const char * const local_patches[] = { ,"DEBPKG:fixes/cgi-multiline-header - http://bugs.debian.org/606995 [CVE-2010-2761 CVE-2010-4410 CVE-2010-4411] CGI.pm MIME boundary and multiline header vulnerabilities" ,"DEBPKG:fixes/casing-taint-cve-2011-1487 - http://bugs.debian.org/622817 [perl #87336] fix unwanted taint laundering in lc(), uc() et al." ,"DEBPKG:fixes/safe-reval-rdo-cve-2010-1447 - [PATCH] Wrap by default coderefs returned by rdo and reval" - ,"DEBPKG:patchlevel - http://bugs.debian.org/567489 List packaged patches for 5.10.1-17squeeze2 in patchlevel.h" + ,"DEBPKG:fixes/encode-heap-overflow - [PATCH] Fix decode_xs n-byte heap-overflow security bug in" + ,"DEBPKG:fixes/digest_eval_hole - Close the eval \"require $module\" security hole in" + ,"DEBPKG:fixes/unregister_signal_handler - [PATCH] main: Unregister signal handler before destroying my_perl" + ,"DEBPKG:patchlevel - http://bugs.debian.org/567489 List packaged patches for 5.10.1-17squeeze3 in patchlevel.h" ,NULL };
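Review bot: the hunks against ext/Encode/Unicode/Unicode.xs, lib/Digest.pm, miniperlmain.c and patchlevel.h repeat, line for line, the content of the three new files under debian/patches/fixes/ and of debian/patches/patchlevel, which indicates the debdiff was generated from a tree with the quilt series applied. A debdiff confined to debian/ (series unapplied) is what the release team can check most easily, and it avoids the upload carrying every upstream change twice; please regenerate it from a clean source tree before the final upload.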
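Review bot: in the debian/changelog hunk the entry is still UNRELEASED and dated `Wed, 17 Aug 2011 00:24:10 +0100`, which predates the 3 Oct 2011 Digest patch and this December thread; when the entry is finalised the distribution and timestamp need regenerating rather than just the distribution field. The three bullets do correspond one to one with the three new files in debian/patches/fixes/ and cite #637376, #644108 and #604902, which is what the release team will cross-check.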
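Review bot: in debian/patches/fixes/digest_eval_hole.diff the substantive fix is the second hunk, `eval "require $class"` becoming `eval { require $pm_file }` with `::` rewritten to `/` and `.pm` appended: a block eval with a file path never compiles the caller-supplied algorithm name as Perl source, so the `$algorithm =~ s/\W+//g` change in the first hunk (the original, without `/g`, stripped only the first run of non-word characters) is now defence in depth rather than the only barrier. Two things worth stating in the patch header: the error path is unchanged (`$@` is still set on a failed `require`, so `$err ||= $@; next;` behaves as before), and stripping instead of rejecting non-word characters means distinct names such as `SHA-1` and `SHA1` both resolve to `Digest::SHA1`, which matches upstream but is a behaviour callers may not expect.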
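Review bot: in debian/patches/fixes/encode-heap-overflow.diff the inline comment `/* +1 to avoid the leak */` on the new `STRLEN remaining = (e - s)/usize + 1;` line misdescribes the defect: the `+1` compensates for the truncating integer division so the allocation estimate is not one code unit short, which is an under-allocation (the heap overflow the Subject names), not a leak, and it duplicates the three-line block comment added immediately above. As a Debian patch file it should also carry `Bug-Debian: http://bugs.debian.org/637376` and an `Origin: upstream` reference to commit 3424efe3eae609b9787fcd80f6f66b5e8f00272a so the CVE-2011-2939 fix is traceable from the file itself; the diffstat `3 files changed, 9 insertions(+), 57 deletions(-)` does not match the single four-line hunk and should be dropped or regenerated.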
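Review bot: in debian/patches/fixes/unregister_signal_handler.diff the new loop `for (i = 0; PL_sig_name[i]; i++)` indexes `PL_sig_num[i]`; the two arrays are parallel so this is correct, but a one-line comment saying so would save the next reader a lookup. The behavioural trade-off deserves a sentence in the header too: any signal previously routed to `PL_csighandlerp` that arrives during `perl_destruct()` now takes its default action instead of reaching a handler that would dereference a freed or NULL `my_perl`, which is the intended outcome for the segfault in #604902. Please add `Bug-Debian: http://bugs.debian.org/604902` and an `Origin: upstream` line naming commit 01be0729981136a058cce07a897ccdb94609e1c0, the commit approved earlier in this thread, so the package records that correspondence.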
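Review bot: in debian/patches/series the new entries `fixes/digest_eval_hole.diff` and `fixes/unregister_signal_handler.diff` omit the `-p1` that every neighbouring entry carries; quilt's default strip level is 1 so both apply (one uses `perl-squeeze/` paths, the other `a/` and `b/`), but writing `-p1` explicitly keeps the series uniform and makes the intended strip level obvious.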
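Review bot: in the debian/rules hunk the added `sed -e 's/\"/\\\"/g'` escapes double quotes in patch subjects before they are embedded as C string literals in patchlevel.h, which the digest_eval_hole subject (`Close the eval "require $module" security hole`) now requires; it does not escape backslashes, so a subject containing `\` would still yield an invalid literal, and escaping `\` first (`s/\\/\\\\/g`) would close that gap. Separately, the two new patchlevel entries `DEBPKG:fixes/encode-heap-overflow - [PATCH] Fix decode_xs n-byte heap-overflow security bug in` and `DEBPKG:fixes/digest_eval_hole - Close the eval \"require $module\" security hole in` stop at the first line of a folded `Subject:` header; keeping each Subject on one line in the patch files would give `perl -V` the full descriptions.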