Pullup ticket #4507 - requested by spz
lang/perl5: security patch Revisions pulled up: - lang/perl5/Makefile 1.230 - lang/perl5/distinfo 1.123 - lang/perl5/patches/patch-dist_Data-Dumper_Dumper.pm 1.1 - lang/perl5/patches/patch-dist_Data-Dumper_Dumper.xs 1.1 --- Module Name: pkgsrc Committed By: spz Date: Mon Sep 29 11:36:02 UTC 2014 Modified Files: pkgsrc/lang/perl5: Makefile distinfo Added Files: pkgsrc/lang/perl5/patches: patch-dist_Data-Dumper_Dumper.pm patch-dist_Data-Dumper_Dumper.xs Log Message: Minimally invasive fix for CVE-2014-4330, also known as https://www.lsexperts.de/advisories/lse-2014-06-10.txt, a stack overflow vulnerability in Data::Dumper Patches taken from http://perl5.git.perl.org/perl.git/commitdiff/19be3be6968e2337bcdfe480693fff795ecd1304, to be removed when updating to 5.20.1 (or later). perl-5.20.0nb2 is fit for pkg_add -u replacement of perl-5.20.0nb1
tron
committed
Sep 30, 2014
1 parent
9c56163
commit 52c2e3b
Showing
4 changed files
with
193 additions
and
3 deletions.
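--- a/lang/perl5/patches/patch-dist_Data-Dumper_Dumper.pm
+++ b/lang/perl5/patches/patch-dist_Data-Dumper_Dumper.pm
@@ -0,0 +1,65 @@
+$NetBSD: patch-dist_Data-Dumper_Dumper.pm,v 1.1.2.2 2014/09/30 17:03:04 tron Exp $
+
+patch for CVE-2014-4330, remove for 5.20.1
+taken from http://perl5.git.perl.org/perl.git/commitdiff/19be3be6968e2337bcdfe480693fff795ecd1304
+
+--- dist/Data-Dumper/Dumper.pm.orig 2014-05-26 13:34:19.000000000 +0000
++++ dist/Data-Dumper/Dumper.pm
+@@ -56,6 +56,7 @@ $Useperl = 0 unless defined $
+$Sortkeys = 0 unless defined $Sortkeys;
+$Deparse = 0 unless defined $Deparse;
+$Sparseseen = 0 unless defined $Sparseseen;
++$Maxrecurse = 1000 unless defined $Maxrecurse;
+
+#
+# expects an arrayref of values to be dumped.
+@@ -92,6 +93,7 @@ sub new {
+'bless' => $Bless, # keyword to use for "bless"
+# expdepth => $Expdepth, # cutoff depth for explicit dumping
+maxdepth => $Maxdepth, # depth beyond which we give up
++ maxrecurse => $Maxrecurse, # depth beyond which we abort
+useperl => $Useperl, # use the pure Perl implementation
+sortkeys => $Sortkeys, # flag or filter for sorting hash keys
+deparse => $Deparse, # use B::Deparse for coderefs
+@@ -350,6 +352,12 @@ sub _dump {
+return qq['$val'];
+}
+
++ # avoid recursing infinitely [perl #122111]
++ if ($s->{maxrecurse} > 0
++ and $s->{level} >= $s->{maxrecurse}) {
++ die "Recursion limit of $s->{maxrecurse} exceeded";
++ }
++
+# we have a blessed ref
+my ($blesspad);
+if ($realpack and !$no_bless) {
+@@ -680,6 +688,11 @@ sub Maxdepth {
+defined($v) ? (($s->{'maxdepth'} = $v), return $s) : $s->{'maxdepth'};
+}
+
++sub Maxrecurse {
++ my($s, $v) = @_;
++ defined($v) ? (($s->{'maxrecurse'} = $v), return $s) : $s->{'maxrecurse'};
++}
++
+sub Useperl {
+my($s, $v) = @_;
+defined($v) ? (($s->{'useperl'} = $v), return $s) : $s->{'useperl'};
+@@ -1105,6 +1118,16 @@ no maximum depth.
+
+=item *
+
++$Data::Dumper::Maxrecurse I<or> $I<OBJ>->Maxrecurse(I<[NEWVAL]>)
++
++Can be set to a positive integer that specifies the depth beyond which
++recursion into a structure will throw an exception. This is intended
++as a security measure to prevent perl running out of stack space when
++dumping an excessively deep structure. Can be set to 0 to remove the
++limit. Default is 1000.
++
++=item *
++
+$Data::Dumper::Useperl I<or> $I<OBJ>->Useperl(I<[NEWVAL]>)
+
+Can be set to a boolean value which controls whether the pure Perl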
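Review bot: The guard added to `_dump` only fires when `$s->{maxrecurse} > 0`, and the new `Maxrecurse` accessor stores `$v` unchecked, so a negative or non-numeric value switches the limit off just as the documented 0 does. Because the POD presents this as a security measure, I would either say so there (`Can be set to 0, or to any value that is not a positive number, to remove the limit.`) or normalise the value in the accessor. The limit is also raised with `die`, so the message points into Dumper.pm rather than at the caller; `croak` would match the XS path if Carp is already imported in this file, which the hunks do not show. `_dump` and `new` both start and end outside the hunks shown.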
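--- a/lang/perl5/patches/patch-dist_Data-Dumper_Dumper.xs
+++ b/lang/perl5/patches/patch-dist_Data-Dumper_Dumper.xs
@@ -0,0 +1,123 @@
+$NetBSD: patch-dist_Data-Dumper_Dumper.xs,v 1.1.2.2 2014/09/30 17:03:04 tron Exp $
+
+patch for CVE-2014-4330, remove for 5.20.1
+taken from http://perl5.git.perl.org/perl.git/commitdiff/19be3be6968e2337bcdfe480693fff795ecd1304
+
+--- dist/Data-Dumper/Dumper.xs.orig 2014-05-26 13:34:19.000000000 +0000
++++ dist/Data-Dumper/Dumper.xs
+@@ -28,7 +28,7 @@ static I32 DD_dump (pTHX_ SV *val, const
+SV *pad, SV *xpad, SV *apad, SV *sep, SV *pair,
+SV *freezer, SV *toaster,
+I32 purity, I32 deepcopy, I32 quotekeys, SV *bless,
+- I32 maxdepth, SV *sortkeys, int use_sparse_seen_hash, I32 useqq);
++ I32 maxdepth, SV *sortkeys, int use_sparse_seen_hash, I32 useqq, IV maxrecurse);
+
+#ifndef HvNAME_get
+#define HvNAME_get HvNAME
+@@ -412,7 +412,7 @@ DD_dump(pTHX_ SV *val, const char *name,
+AV *postav, I32 *levelp, I32 indent, SV *pad, SV *xpad,
+SV *apad, SV *sep, SV *pair, SV *freezer, SV *toaster, I32 purity,
+I32 deepcopy, I32 quotekeys, SV *bless, I32 maxdepth, SV *sortkeys,
+- int use_sparse_seen_hash, I32 useqq)
++ int use_sparse_seen_hash, I32 useqq, IV maxrecurse)
+{
+char tmpbuf[128];
+Size_t i;
+@@ -589,6 +589,10 @@ DD_dump(pTHX_ SV *val, const char *name,
+return 1;
+}
+
++ if (maxrecurse > 0 && *levelp >= maxrecurse) {
++ croak("Recursion limit of %" IVdf " exceeded", maxrecurse);
++ }
++
+if (realpack && !no_bless) { /* we have a blessed ref */
+STRLEN blesslen;
+const char * const blessstr = SvPV(bless, blesslen);
+@@ -674,7 +678,8 @@ DD_dump(pTHX_ SV *val, const char *name,
+DD_dump(aTHX_ ival, SvPVX_const(namesv), SvCUR(namesv), retval, seenhv,
+postav, levelp, indent, pad, xpad, apad, sep, pair,
+freezer, toaster, purity, deepcopy, quotekeys, bless,
+- maxdepth, sortkeys, use_sparse_seen_hash, useqq);
++ maxdepth, sortkeys, use_sparse_seen_hash, useqq,
++ maxrecurse);
+sv_catpvn(retval, ")}", 2);
+} /* plain */
+else {
+@@ -682,7 +687,8 @@ DD_dump(pTHX_ SV *val, const char *name,
+DD_dump(aTHX_ ival, SvPVX_const(namesv), SvCUR(namesv), retval, seenhv,
+postav, levelp, indent, pad, xpad, apad, sep, pair,
+freezer, toaster, purity, deepcopy, quotekeys, bless,
+- maxdepth, sortkeys, use_sparse_seen_hash, useqq);
++ maxdepth, sortkeys, use_sparse_seen_hash, useqq,
++ maxrecurse);
+}
+SvREFCNT_dec(namesv);
+}
+@@ -694,7 +700,8 @@ DD_dump(pTHX_ SV *val, const char *name,
+DD_dump(aTHX_ ival, SvPVX_const(namesv), SvCUR(namesv), retval, seenhv,
+postav, levelp, indent, pad, xpad, apad, sep, pair,
+freezer, toaster, purity, deepcopy, quotekeys, bless,
+- maxdepth, sortkeys, use_sparse_seen_hash, useqq);
++ maxdepth, sortkeys, use_sparse_seen_hash, useqq,
++ maxrecurse);
+SvREFCNT_dec(namesv);
+}
+else if (realtype == SVt_PVAV) {
+@@ -767,7 +774,8 @@ DD_dump(pTHX_ SV *val, const char *name,
+DD_dump(aTHX_ elem, iname, ilen, retval, seenhv, postav,
+levelp, indent, pad, xpad, apad, sep, pair,
+freezer, toaster, purity, deepcopy, quotekeys, bless,
+- maxdepth, sortkeys, use_sparse_seen_hash, useqq);
++ maxdepth, sortkeys, use_sparse_seen_hash, useqq,
++ maxrecurse);
+if (ix < ixmax)
+sv_catpvn(retval, ",", 1);
+}
+@@ -970,7 +978,8 @@ DD_dump(pTHX_ SV *val, const char *name,
+DD_dump(aTHX_ hval, SvPVX_const(sname), SvCUR(sname), retval, seenhv,
+postav, levelp, indent, pad, xpad, newapad, sep, pair,
+freezer, toaster, purity, deepcopy, quotekeys, bless,
+- maxdepth, sortkeys, use_sparse_seen_hash, useqq);
++ maxdepth, sortkeys, use_sparse_seen_hash, useqq,
++ maxrecurse);
+SvREFCNT_dec(sname);
+Safefree(nkey_buffer);
+if (indent >= 2)
+@@ -1179,7 +1188,8 @@ DD_dump(pTHX_ SV *val, const char *name,
+seenhv, postav, &nlevel, indent, pad, xpad,
+newapad, sep, pair, freezer, toaster, purity,
+deepcopy, quotekeys, bless, maxdepth,
+- sortkeys, use_sparse_seen_hash, useqq);
++ sortkeys, use_sparse_seen_hash, useqq,
++ maxrecurse);
+SvREFCNT_dec(e);
+}
+}
+@@ -1269,6 +1279,7 @@ Data_Dumper_Dumpxs(href, ...)
+SV *val, *name, *pad, *xpad, *apad, *sep, *pair, *varname;
+SV *freezer, *toaster, *bless, *sortkeys;
+I32 purity, deepcopy, quotekeys, maxdepth = 0;
++ IV maxrecurse = 1000;
+char tmpbuf[1024];
+I32 gimme = GIMME;
+int use_sparse_seen_hash = 0;
+@@ -1355,6 +1366,8 @@ Data_Dumper_Dumpxs(href, ...)
+bless = *svp;
+if ((svp = hv_fetch(hv, "maxdepth", 8, FALSE)))
+maxdepth = SvIV(*svp);
++ if ((svp = hv_fetch(hv, "maxrecurse", 10, FALSE)))
++ maxrecurse = SvIV(*svp);
+if ((svp = hv_fetch(hv, "sortkeys", 8, FALSE))) {
+sortkeys = *svp;
+if (! SvTRUE(sortkeys))
+@@ -1434,7 +1447,8 @@ Data_Dumper_Dumpxs(href, ...)
+DD_dump(aTHX_ val, SvPVX_const(name), SvCUR(name), valstr, seenhv,
+postav, &level, indent, pad, xpad, newapad, sep, pair,
+freezer, toaster, purity, deepcopy, quotekeys,
+- bless, maxdepth, sortkeys, use_sparse_seen_hash, useqq);
++ bless, maxdepth, sortkeys, use_sparse_seen_hash, useqq,
++ maxrecurse);
+SPAGAIN;
+
+if (indent >= 2 && !terse)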
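Review bot: The `croak()` added at `@@ -589,6 +589,10 @@` unwinds out of every enclosing `DD_dump` frame, so the cleanup that follows each recursive call in those frames (`SvREFCNT_dec(namesv)`, `SvREFCNT_dec(sname)`, `Safefree(nkey_buffer)`, `SvREFCNT_dec(e)`) is never reached once the limit trips. If those temporaries are not mortal, which the explicit decrements suggest but the hunks do not show, a process that catches the exception and keeps running leaks one set per recursion level on every rejected structure. Registering them for scope cleanup where they are created, for example `SAVEFREESV(namesv);` and `SAVEFREEPV(nkey_buffer);`, or making the SVs mortal with `sv_2mortal()`, would let the unwind free them. The allocation sites lie outside the hunks, so this needs checking against the full `DD_dump` body.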