diff options
3 files changed, 267 insertions, 0 deletions
diff --git a/meta/recipes-devtools/perl/perl-5.14.3/0001-Fix-misparsing-of-maketext-strings.patch b/meta/recipes-devtools/perl/perl-5.14.3/0001-Fix-misparsing-of-maketext-strings.patch new file mode 100644 index 0000000000..89ec6eff0f --- /dev/null +++ b/meta/recipes-devtools/perl/perl-5.14.3/0001-Fix-misparsing-of-maketext-strings.patch @@ -0,0 +1,86 @@ +From 1735f6f53ca19f99c6e9e39496c486af323ba6a8 Mon Sep 17 00:00:00 2001 +From: Brian Carlson <brian.carlson@cpanel.net> +Date: Wed, 28 Nov 2012 08:54:33 -0500 +Subject: [PATCH] Fix misparsing of maketext strings. + +Case 61251: This commit fixes a misparse of maketext strings that could +lead to arbitrary code execution. Basically, maketext was compiling +bracket notation into functions, but neglected to escape backslashes +inside the content or die on fully-qualified method names when +generating the code. This change escapes all such backslashes and dies +when a method name with a colon or apostrophe is specified. +--- + AUTHORS | 1 + + dist/Locale-Maketext/lib/Locale/Maketext.pm | 24 ++++++++---------------- + 2 files changed, 9 insertions(+), 16 deletions(-) + +Upstream-Status: Backport + +Signed-off-by: Saul Wold <sgw@linux.intel.com> + + +diff --git a/AUTHORS b/AUTHORS +index 70734b0..009dea0 100644 +--- a/AUTHORS ++++ b/AUTHORS +@@ -154,6 +154,7 @@ Breno G. de Oliveira <garu@cpan.org> + Brent Dax <brentdax@cpan.org> + Brooks D Boyd + Brian Callaghan <callagh@itginc.com> ++Brian Carlson <brian.carlson@cpanel.net> + Brian Clarke <clarke@appliedmeta.com> + brian d foy <brian.d.foy@gmail.com> + Brian Fraser <fraserbn@gmail.com> +diff --git a/dist/Locale-Maketext/lib/Locale/Maketext.pm b/dist/Locale-Maketext/lib/Locale/Maketext.pm +index 4822027..63e5fba 100644 +--- a/dist/Locale-Maketext/lib/Locale/Maketext.pm ++++ b/dist/Locale-Maketext/lib/Locale/Maketext.pm +@@ -625,21 +625,9 @@ sub _compile { + # 0-length method name means to just interpolate: + push @code, ' ('; + } +- elsif($m =~ /^\w+(?:\:\:\w+)*$/s +- and $m !~ m/(?:^|\:)\d/s +- # exclude starting a (sub)package or symbol with a digit ++ elsif($m =~ /^\w+$/s ++ # exclude anything fancy, especially fully-qualified module names + ) { +- # Yes, it even supports the demented (and undocumented?) +- # $obj->Foo::bar(...) syntax. +- $target->_die_pointing( +- $string_to_compile, q{Can't use "SUPER::" in a bracket-group method}, +- 2 + length($c[-1]) +- ) +- if $m =~ m/^SUPER::/s; +- # Because for SUPER:: to work, we'd have to compile this into +- # the right package, and that seems just not worth the bother, +- # unless someone convinces me otherwise. +- + push @code, ' $_[0]->' . $m . '('; + } + else { +@@ -693,7 +681,9 @@ sub _compile { + elsif(substr($1,0,1) ne '~') { + # it's stuff not containing "~" or "[" or "]" + # i.e., a literal blob +- $c[-1] .= $1; ++ my $text = $1; ++ $text =~ s/\\/\\\\/g; ++ $c[-1] .= $text; + + } + elsif($1 eq '~~') { # "~~" +@@ -731,7 +721,9 @@ sub _compile { + else { + # It's a "~X" where X is not a special character. + # Consider it a literal ~ and X. +- $c[-1] .= $1; ++ my $text = $1; ++ $text =~ s/\\/\\\\/g; ++ $c[-1] .= $text; + } + } + } +-- +1.8.3.1 + diff --git a/meta/recipes-devtools/perl/perl-5.14.3/0001-Prevent-premature-hsplit-calls-and-only-trigger-REHA.patch b/meta/recipes-devtools/perl/perl-5.14.3/0001-Prevent-premature-hsplit-calls-and-only-trigger-REHA.patch new file mode 100644 index 0000000000..4357c2ef58 --- /dev/null +++ b/meta/recipes-devtools/perl/perl-5.14.3/0001-Prevent-premature-hsplit-calls-and-only-trigger-REHA.patch @@ -0,0 +1,178 @@ +From d59e31fc729d8a39a774f03bc6bc457029a7aef2 Mon Sep 17 00:00:00 2001 +From: Yves Orton <demerphq@gmail.com> +Date: Tue, 12 Feb 2013 10:53:05 +0100 +Subject: [PATCH] Prevent premature hsplit() calls, and only trigger REHASH + after hsplit() + +Triggering a hsplit due to long chain length allows an attacker +to create a carefully chosen set of keys which can cause the hash +to use 2 * (2**32) * sizeof(void *) bytes ram. AKA a DOS via memory +exhaustion. Doing so also takes non trivial time. + +Eliminating this check, and only inspecting chain length after a +normal hsplit() (triggered when keys>buckets) prevents the attack +entirely, and makes such attacks relatively benign. + +(cherry picked from commit f1220d61455253b170e81427c9d0357831ca0fac) + +Upstream-Status: Backport + +Signed-off-by: Saul Wold <sgw@linux.intel.com> + + +--- + ext/Hash-Util-FieldHash/t/10_hash.t | 18 ++++++++++++++++-- + hv.c | 35 ++++++++--------------------------- + t/op/hash.t | 20 +++++++++++++++++--- + 3 files changed, 41 insertions(+), 32 deletions(-) + +diff --git a/ext/Hash-Util-FieldHash/t/10_hash.t b/ext/Hash-Util-FieldHash/t/10_hash.t +index 2cfb4e8..d58f053 100644 +--- a/ext/Hash-Util-FieldHash/t/10_hash.t ++++ b/ext/Hash-Util-FieldHash/t/10_hash.t +@@ -38,15 +38,29 @@ use constant START => "a"; + + # some initial hash data + fieldhash my %h2; +-%h2 = map {$_ => 1} 'a'..'cc'; ++my $counter= "a"; ++$h2{$counter++}++ while $counter ne 'cd'; + + ok (!Internals::HvREHASH(%h2), + "starting with pre-populated non-pathological hash (rehash flag if off)"); + + my @keys = get_keys(\%h2); ++my $buckets= buckets(\%h2); + $h2{$_}++ for @keys; ++$h2{$counter++}++ while buckets(\%h2) == $buckets; # force a split + ok (Internals::HvREHASH(%h2), +- scalar(@keys) . " colliding into the same bucket keys are triggering rehash"); ++ scalar(@keys) . " colliding into the same bucket keys are triggering rehash after split"); ++ ++# returns the number of buckets in a hash ++sub buckets { ++ my $hr = shift; ++ my $keys_buckets= scalar(%$hr); ++ if ($keys_buckets=~m!/([0-9]+)\z!) { ++ return 0+$1; ++ } else { ++ return 8; ++ } ++} + + sub get_keys { + my $hr = shift; +diff --git a/hv.c b/hv.c +index 2be1feb..abb9d76 100644 +--- a/hv.c ++++ b/hv.c +@@ -35,7 +35,8 @@ holds the key and hash value. + #define PERL_HASH_INTERNAL_ACCESS + #include "perl.h" + +-#define HV_MAX_LENGTH_BEFORE_SPLIT 14 ++#define HV_MAX_LENGTH_BEFORE_REHASH 14 ++#define SHOULD_DO_HSPLIT(xhv) ((xhv)->xhv_keys > (xhv)->xhv_max) /* HvTOTALKEYS(hv) > HvMAX(hv) */ + + static const char S_strtab_error[] + = "Cannot modify shared string table in hv_%s"; +@@ -794,29 +795,9 @@ Perl_hv_common(pTHX_ HV *hv, SV *keysv, const char *key, STRLEN klen, + if (masked_flags & HVhek_ENABLEHVKFLAGS) + HvHASKFLAGS_on(hv); + +- { +- const HE *counter = HeNEXT(entry); +- +- xhv->xhv_keys++; /* HvTOTALKEYS(hv)++ */ +- if (!counter) { /* initial entry? */ +- } else if (xhv->xhv_keys > xhv->xhv_max) { +- /* Use only the old HvKEYS(hv) > HvMAX(hv) condition to limit +- bucket splits on a rehashed hash, as we're not going to +- split it again, and if someone is lucky (evil) enough to +- get all the keys in one list they could exhaust our memory +- as we repeatedly double the number of buckets on every +- entry. Linear search feels a less worse thing to do. */ +- hsplit(hv); +- } else if(!HvREHASH(hv)) { +- U32 n_links = 1; +- +- while ((counter = HeNEXT(counter))) +- n_links++; +- +- if (n_links > HV_MAX_LENGTH_BEFORE_SPLIT) { +- hsplit(hv); +- } +- } ++ xhv->xhv_keys++; /* HvTOTALKEYS(hv)++ */ ++ if ( SHOULD_DO_HSPLIT(xhv) ) { ++ hsplit(hv); + } + + if (return_svp) { +@@ -1192,7 +1173,7 @@ S_hsplit(pTHX_ HV *hv) + + + /* Pick your policy for "hashing isn't working" here: */ +- if (longest_chain <= HV_MAX_LENGTH_BEFORE_SPLIT /* split worked? */ ++ if (longest_chain <= HV_MAX_LENGTH_BEFORE_REHASH /* split worked? */ + || HvREHASH(hv)) { + return; + } +@@ -2831,8 +2812,8 @@ S_share_hek_flags(pTHX_ const char *str, I32 len, register U32 hash, int flags) + + xhv->xhv_keys++; /* HvTOTALKEYS(hv)++ */ + if (!next) { /* initial entry? */ +- } else if (xhv->xhv_keys > xhv->xhv_max /* HvKEYS(hv) > HvMAX(hv) */) { +- hsplit(PL_strtab); ++ } else if ( SHOULD_DO_HSPLIT(xhv) ) { ++ hsplit(PL_strtab); + } + } + +diff --git a/t/op/hash.t b/t/op/hash.t +index 278bea7..201260a 100644 +--- a/t/op/hash.t ++++ b/t/op/hash.t +@@ -39,22 +39,36 @@ use constant THRESHOLD => 14; + use constant START => "a"; + + # some initial hash data +-my %h2 = map {$_ => 1} 'a'..'cc'; ++my %h2; ++my $counter= "a"; ++$h2{$counter++}++ while $counter ne 'cd'; + + ok (!Internals::HvREHASH(%h2), + "starting with pre-populated non-pathological hash (rehash flag if off)"); + + my @keys = get_keys(\%h2); ++my $buckets= buckets(\%h2); + $h2{$_}++ for @keys; ++$h2{$counter++}++ while buckets(\%h2) == $buckets; # force a split + ok (Internals::HvREHASH(%h2), +- scalar(@keys) . " colliding into the same bucket keys are triggering rehash"); ++ scalar(@keys) . " colliding into the same bucket keys are triggering rehash after split"); ++ ++# returns the number of buckets in a hash ++sub buckets { ++ my $hr = shift; ++ my $keys_buckets= scalar(%$hr); ++ if ($keys_buckets=~m!/([0-9]+)\z!) { ++ return 0+$1; ++ } else { ++ return 8; ++ } ++} + + sub get_keys { + my $hr = shift; + + # the minimum of bits required to mount the attack on a hash + my $min_bits = log(THRESHOLD)/log(2); +- + # if the hash has already been populated with a significant amount + # of entries the number of mask bits can be higher + my $keys = scalar keys %$hr; +-- +1.8.3.1 + diff --git a/meta/recipes-devtools/perl/perl_5.14.3.bb b/meta/recipes-devtools/perl/perl_5.14.3.bb index 99150422fe..1e14e17020 100644 --- a/meta/recipes-devtools/perl/perl_5.14.3.bb +++ b/meta/recipes-devtools/perl/perl_5.14.3.bb @@ -65,6 +65,9 @@ SRC_URI = "http://www.cpan.org/src/5.0/perl-${PV}.tar.gz \ file://perl-archlib-exp.patch \ file://dynaloaderhack.patch \ \ + file://0001-Fix-misparsing-of-maketext-strings.patch \ + file://0001-Prevent-premature-hsplit-calls-and-only-trigger-REHA.patch \ + \ file://config.sh \ file://config.sh-32 \ file://config.sh-32-le \ |