MFH r412502 r412503 r413010 r413019 r413036 r413249 r413567:
Apply batch of Perl updates up to security issue fix. Fix a Perl security issue. PR: 208879 Reported by: Sevan Janiyan Security: CVE-2016-2381 Sponsored by: Absolight Approved by: ports-secteam (with hat)
Showing
15 changed files
with
376 additions
and
26 deletions.
@@ -1,2 +1,2 @@ | ||
SHA256 (perl/perl-5.23.9-30_GH0.tar.gz) = c39da02236981dc5acaea469134836083907e393e836a4640d11b7d15bb048f3 | ||
SIZE (perl/perl-5.23.9-30_GH0.tar.gz) = 17864815 | ||
SHA256 (perl/perl-5.23.9-85_GH0.tar.gz) = d9cf37b24daf8054ee86f6ebcff11197b45b52dcc8281c6521b17eedc686ac1d | ||
SIZE (perl/perl-5.23.9-85_GH0.tar.gz) = 17879774 |
@@ -1,2 +1,2 @@ | ||
PERL_VERSION= 5.23.10 | ||
PERL_VERSION= 5.24.0 | ||
PERL5_DEPEND= perl5>=5.23<5.24 |
@@ -0,0 +1,98 @@ | ||
commit 7098efff946437a2db6013d12c4fc3193fc328ce | ||
Author: Tony Cook <tony@develop-help.com> | ||
Date: 2016-01-27 11:52:15 +1100 | ||
|
||
remove duplicate environment variables from environ | ||
|
||
If we see duplicate environment variables while iterating over | ||
environ[]: | ||
|
||
a) make sure we use the same value in %ENV that getenv() returns. | ||
|
||
Previously on a duplicate, %ENV would have the last entry for the name | ||
from environ[], but a typical getenv() would return the first entry. | ||
|
||
Rather than assuming all getenv() implementations return the first entry | ||
explicitly call getenv() to ensure they agree. | ||
|
||
b) remove duplicate entries from environ | ||
|
||
Previously if there was a duplicate definition for a name in environ[] | ||
setting that name in %ENV could result in an unsafe value being passed | ||
to a child process, so ensure environ[] has no duplicates. | ||
|
||
--- perl.c.orig 2014-10-01 01:33:00 UTC | ||
+++ perl.c | ||
@@ -4272,23 +4272,70 @@ S_init_postdump_symbols(pTHX_ int argc, | ||
} | ||
if (env) { | ||
char *s, *old_var; | ||
+ STRLEN nlen; | ||
SV *sv; | ||
+ HV *dups = newHV(); | ||
+ | ||
for (; *env; env++) { | ||
old_var = *env; | ||
|
||
if (!(s = strchr(old_var,'=')) || s == old_var) | ||
continue; | ||
+ nlen = s - old_var; | ||
|
||
#if defined(MSDOS) && !defined(DJGPP) | ||
*s = '\0'; | ||
(void)strupr(old_var); | ||
*s = '='; | ||
#endif | ||
- sv = newSVpv(s+1, 0); | ||
- (void)hv_store(hv, old_var, s - old_var, sv, 0); | ||
+ if (hv_exists(hv, old_var, nlen)) { | ||
+ const char *name = savepvn(old_var, nlen); | ||
+ | ||
+ /* make sure we use the same value as getenv(), otherwise code that | ||
+ uses getenv() (like setlocale()) might see a different value to %ENV | ||
+ */ | ||
+ sv = newSVpv(PerlEnv_getenv(name), 0); | ||
+ | ||
+ /* keep a count of the dups of this name so we can de-dup environ later */ | ||
+ if (hv_exists(dups, name, nlen)) | ||
+ ++SvIVX(*hv_fetch(dups, name, nlen, 0)); | ||
+ else | ||
+ (void)hv_store(dups, name, nlen, newSViv(1), 0); | ||
+ | ||
+ Safefree(name); | ||
+ } | ||
+ else { | ||
+ sv = newSVpv(s+1, 0); | ||
+ } | ||
+ (void)hv_store(hv, old_var, nlen, sv, 0); | ||
if (env_is_not_environ) | ||
mg_set(sv); | ||
} | ||
+ if (HvKEYS(dups)) { | ||
+ /* environ has some duplicate definitions, remove them */ | ||
+ HE *entry; | ||
+ hv_iterinit(dups); | ||
+ while ((entry = hv_iternext_flags(dups, 0))) { | ||
+ STRLEN nlen; | ||
+ const char *name = HePV(entry, nlen); | ||
+ IV count = SvIV(HeVAL(entry)); | ||
+ IV i; | ||
+ SV **valp = hv_fetch(hv, name, nlen, 0); | ||
+ | ||
+ assert(valp); | ||
+ | ||
+ /* try to remove any duplicate names, depending on the | ||
+ * implementation used in my_setenv() the iteration might | ||
+ * not be necessary, but let's be safe. | ||
+ */ | ||
+ for (i = 0; i < count; ++i) | ||
+ my_setenv(name, 0); | ||
+ | ||
+ /* and set it back to the value we set $ENV{name} to */ | ||
+ my_setenv(name, SvPV_nolen(*valp)); | ||
+ } | ||
+ } | ||
+ SvREFCNT_dec_NN(dups); | ||
} | ||
#endif /* USE_ENVIRON_ARRAY */ | ||
#endif /* !PERL_MICRO */ |
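Review bot: In the de-dup loop the only guard on `valp` is `assert(valp)`, which is normally compiled out of non-debugging builds, so the final `my_setenv(name, SvPV_nolen(*valp));` would dereference NULL if the `hv_fetch()` on `hv` ever missed. The first loop stores every duplicate name into `hv`, so this should not happen in practice, but guarding only the re-set, `if (valp) my_setenv(name, SvPV_nolen(*valp));`, still removes the duplicates and leaves the name unset rather than crashing. As a style point, the inner `STRLEN nlen;` shadows the `nlen` declared at the top of the `if (env)` block; a distinct name such as `klen` would avoid that. S_init_postdump_symbols starts before and ends after this hunk, so how `hv` and `env_is_not_environ` are set up is not visible here.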