author | Mingli Yu <Mingli.Yu@windriver.com> | 2016-09-21 17:47:31 +0800 |
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2016-09-22 11:08:22 +0100 |
commit | 81e550d0c23c9842b85207cdfa73bbe9102e01fb (patch) | |
tree | 50c49cef49d90a67747ed7c43b8822c6fca5bf20 /meta/recipes-devtools | |
parent | c9982dab4cfdd5963d2c2dd4aab99dd6a27fcd1c (diff) | |
perl: fix CVE-2016-6185
Backport patch to fix CVE-2016-6185 from perl upstream:
http://perl5.git.perl.org/perl.git/commitdiff/08e3451d7
Signed-off-by: Mingli Yu <Mingli.Yu@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Diffstat (limited to 'meta/recipes-devtools')
-rw-r--r-- | meta/recipes-devtools/perl/perl/perl-fix-CVE-2016-6185.patch | 128 | ||||
-rw-r--r-- | meta/recipes-devtools/perl/perl_5.22.1.bb | 1 |
2 files changed, 129 insertions, 0 deletions
diff --git a/meta/recipes-devtools/perl/perl/perl-fix-CVE-2016-6185.patch b/meta/recipes-devtools/perl/perl/perl-fix-CVE-2016-6185.patch
new file mode 100644
index 0000000000..2722af35bc
--- /dev/null
+++ b/meta/recipes-devtools/perl/perl/perl-fix-CVE-2016-6185.patch
@@ -0,0 +1,128 @@
+From 7cedaa8bc2ca9e63369d0e2d4c4c23af9febb93a Mon Sep 17 00:00:00 2001
+From: Father Chrysostomos <sprout@cpan.org>
+Date: Sat, 2 Jul 2016 22:56:51 -0700
+Subject: [PATCH] perl: fix CVE-2016-6185
+MIME-Version: 1.0
+
+Don't let XSLoader load relative paths
+
+[rt.cpan.org #115808]
+
+The logic in XSLoader for determining the library goes like this:
+
+ my $c = () = split(/::/,$caller,-1);
+ $modlibname =~ s,[\\/][^\\/]+$,, while $c--; # Q&D basename
+ my $file = "$modlibname/auto/$modpname/$modfname.bundle";
+
+(That last line varies by platform.)
+
+$caller is the calling package. $modlibname is the calling file. It
+removes as many path segments from $modlibname as there are segments
+in $caller. So if you have Foo/Bar/XS.pm calling XSLoader from the
+Foo::Bar package, the $modlibname will end up containing the path in
+@INC where XS.pm was found, followed by "/Foo". Usually the fallback
+to Dynaloader::bootstrap_inherit, which does an @INC search, makes
+things Just Work.
+
+But if our hypothetical Foo/Bar/XS.pm actually calls
+XSLoader::load from inside a string eval, then path ends up being
+"(eval 1)/auto/Foo/Bar/Bar.bundle".
+
+So if someone creates a directory named '(eval 1)' with a naughty
+binary file in it, it will be loaded if a script using Foo::Bar is run
+in the parent directory.
+
+This commit makes XSLoader fall back to Dynaloader's @INC search if
+the calling file has a relative path that is not found in @INC.
+
+Backport patch from http://perl5.git.perl.org/perl.git/commitdiff/08e3451d7
+
+Upstream-Status: Backport
+CVE: CVE-2016-6185
+Signed-off-by: Mingli Yu <Mingli.Yu@windriver.com>
+---
+ dist/XSLoader/XSLoader_pm.PL | 25 +++++++++++++++++++++++++
+ dist/XSLoader/t/XSLoader.t | 27 ++++++++++++++++++++++++++-
+ 2 files changed, 51 insertions(+), 1 deletion(-)
+
+diff --git a/dist/XSLoader/XSLoader_pm.PL b/dist/XSLoader/XSLoader_pm.PL
+index 668411d..778e46b 100644
+--- a/dist/XSLoader/XSLoader_pm.PL
++++ b/dist/XSLoader/XSLoader_pm.PL
+@@ -104,6 +104,31 @@ print OUT <<'EOT';
+ my $modpname = join('/',@modparts);
+ my $c = () = split(/::/,$caller,-1);
+ $modlibname =~ s,[\\/][^\\/]+$,, while $c--; # Q&D basename
++ # Does this look like a relative path?
++ if ($modlibname !~ m|^[\\/]|) {
++ # Someone may have a #line directive that changes the file name, or
++ # may be calling XSLoader::load from inside a string eval. We cer-
++ # tainly do not want to go loading some code that is not in @INC,
++ # as it could be untrusted.
++ #
++ # We could just fall back to DynaLoader here, but then the rest of
++ # this function would go untested in the perl core, since all @INC
++ # paths are relative during testing. That would be a time bomb
++ # waiting to happen, since bugs could be introduced into the code.
++ #
++ # So look through @INC to see if $modlibname is in it. A rela-
++ # tive $modlibname is not a common occurrence, so this block is
++ # not hot code.
++ FOUND: {
++ for (@INC) {
++ if ($_ eq $modlibname) {
++ last FOUND;
++ }
++ }
++ # Not found. Fall back to DynaLoader.
++ goto \&XSLoader::bootstrap_inherit;
++ }
++ }
+ EOT
+
+ my $dl_dlext = quotemeta($Config::Config{'dlext'});
+diff --git a/dist/XSLoader/t/XSLoader.t b/dist/XSLoader/t/XSLoader.t
+index 2ff11fe..1e86faa 100644
+--- a/dist/XSLoader/t/XSLoader.t
++++ b/dist/XSLoader/t/XSLoader.t
+@@ -33,7 +33,7 @@ my %modules = (
+ 'Time::HiRes'=> q| ::can_ok( 'Time::HiRes' => 'usleep' ) |, # 5.7.3
+ );
+
+-plan tests => keys(%modules) * 3 + 9;
++plan tests => keys(%modules) * 3 + 10;
+
+ # Try to load the module
+ use_ok( 'XSLoader' );
+@@ -125,3 +125,28 @@ XSLoader::load("Devel::Peek");
+ EOS
+ or ::diag $@;
+ }
++
++SKIP: {
++ skip "File::Path not available", 1
++ unless eval { require File::Path };
++ my $name = "phooo$$";
++ File::Path::make_path("$name/auto/Foo/Bar");
++ open my $fh,
++ ">$name/auto/Foo/Bar/Bar.$Config::Config{'dlext'}";
++ close $fh;
++ my $fell_back;
++ local *XSLoader::bootstrap_inherit = sub {
++ $fell_back++;
++ # Break out of the calling subs
++ goto the_test;
++ };
++ eval <<END;
++#line 1 $name
++package Foo::Bar;
++XSLoader::load("Foo::Bar");
++END
++ the_test:
++ ok $fell_back,
++ 'XSLoader will not load relative paths based on (caller)[1]';
++ File::Path::remove_tree($name);
++}
+--
+2.8.1
+
diff --git a/meta/recipes-devtools/perl/perl_5.22.1.bb b/meta/recipes-devtools/perl/perl_5.22.1.bb
index 04a2b6f481..33cad9efec 100644
--- a/meta/recipes-devtools/perl/perl_5.22.1.bb
+++ b/meta/recipes-devtools/perl/perl_5.22.1.bb
@@ -66,6 +66,7 @@ SRC_URI += " \
 file://perl-fix-conflict-between-skip_all-and-END.patch \
 file://perl-test-customized.patch \
 file://perl-fix-CVE-2016-2381.patch \
+ file://perl-fix-CVE-2016-6185.patch \
 "
 # Fix test case issues |
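Review bot: The relative-path guard added to XSLoader_pm.PL, `if ($modlibname !~ m|^[\\/]|) {`, treats only a leading slash or backslash as absolute, so a drive-letter path such as `C:\...` (constructed example) is classified as relative and then has to match an @INC entry byte-for-byte (`$_ eq $modlibname`) or it is handed to DynaLoader; the `eq` also means `./lib` and `lib` do not match each other. Both outcomes fail toward DynaLoader's own @INC search rather than toward loading the file, which is the safe direction, but that design choice is not written down and a later "fix" of the regex or the comparison could silently widen what gets loaded; a comment above `FOUND: {` such as `# Exact match only: any relative path not literally in @INC (including drive-letter paths) falls back to DynaLoader, never to a load from here.` would pin it. The guard is emitted from inside the `print OUT <<'EOT'` heredoc and the enclosing subroutine (XSLoader::load per the description) begins and ends outside this hunk. Since the file is a verbatim upstream backport the hunk itself should not be edited in the recipe; the note belongs with the patch header or a follow-up upstream.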