* [PATCH 1/2] perl: fix CVE-2017-12883
@ 2017-10-17 6:05 Hongxu Jia
2017-10-17 6:05 ` [PATCH 2/2] perl: fix CVE-2017-12837 Hongxu Jia
2017-10-17 6:30 ` ✗ patchtest: failure for "perl: fix CVE-2017-12883..." and 1 more Patchwork
0 siblings, 2 replies; 3+ messages in thread
From: Hongxu Jia @ 2017-10-17 6:05 UTC (permalink / raw)
To: openembedded-core, ross.burton
The cause of this is that the vFAIL macro uses RExC_parse, and that
variable has just been changed in preparation for code after the vFAIL.
The solution is to not change RExC_parse until after the vFAIL.
This is a case where the macro hides stuff that can bite you.
https://perl5.git.perl.org/perl.git/commit/2be4edede4ae226e2eebd4eff28cedd2041f300f
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
---
.../perl/perl/perl-fix-CVE-2017-12883.patch | 51 ++++++++++++++++++++++
meta/recipes-devtools/perl/perl_5.24.1.bb | 1 +
2 files changed, 52 insertions(+)
create mode 100644 meta/recipes-devtools/perl/perl/perl-fix-CVE-2017-12883.patch
diff --git a/meta/recipes-devtools/perl/perl/perl-fix-CVE-2017-12883.patch b/meta/recipes-devtools/perl/perl/perl-fix-CVE-2017-12883.patch
new file mode 100644
index 0000000..c58744f
--- /dev/null
+++ b/meta/recipes-devtools/perl/perl/perl-fix-CVE-2017-12883.patch
@@ -0,0 +1,51 @@
+From a2b6b82e5eea300a33f148ee5201373726f9f26c Mon Sep 17 00:00:00 2001
+From: Karl Williamson <khw@cpan.org>
+Date: Tue, 17 Oct 2017 13:36:05 +0800
+Subject: [PATCH] fix CVE-2017-12883
+
+PATCH: [perl #131598]
+
+The cause of this is that the vFAIL macro uses RExC_parse, and that
+variable has just been changed in preparation for code after the vFAIL.
+The solution is to not change RExC_parse until after the vFAIL.
+
+This is a case where the macro hides stuff that can bite you.
+
+Signed-off-by: Karl Williamson <khw@cpan.org>
+Signed-off-by: Steve Hay <steve.m.hay@googlemail.com>
+
+Upstream-Status: Backport
+https://perl5.git.perl.org/perl.git/commit/2be4edede4ae226e2eebd4eff28cedd2041f300f
+
+Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
+---
+ regcomp.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/regcomp.c b/regcomp.c
+index be6cb96..5498d14 100644
+--- a/regcomp.c
++++ b/regcomp.c
+@@ -11918,14 +11918,17 @@ S_grok_bslash_N(pTHX_ RExC_state_t *pRExC_state,
+ }
+ sv_catpv(substitute_parse, ")");
+
+- RExC_parse = RExC_start = RExC_adjusted_start = SvPV(substitute_parse,
+- len);
++ len = SvCUR(substitute_parse);
+
+ /* Don't allow empty number */
+ if (len < (STRLEN) 8) {
+ RExC_parse = endbrace;
+ vFAIL("Invalid hexadecimal number in \\N{U+...}");
+ }
++
++ RExC_parse = RExC_start = RExC_adjusted_start
++ = SvPV_nolen(substitute_parse);
++
+ RExC_end = RExC_parse + len;
+
+ /* The values are Unicode, and therefore not subject to recoding, but
+--
+1.8.3.1
+
diff --git a/meta/recipes-devtools/perl/perl_5.24.1.bb b/meta/recipes-devtools/perl/perl_5.24.1.bb
index b55d222..93420f1 100644
--- a/meta/recipes-devtools/perl/perl_5.24.1.bb
+++ b/meta/recipes-devtools/perl/perl_5.24.1.bb
@@ -65,6 +65,7 @@ SRC_URI += " \
file://perl-errno-generation-gcc5.patch \
file://perl-fix-conflict-between-skip_all-and-END.patch \
file://perl-test-customized.patch \
+ file://perl-fix-CVE-2017-12883.patch \
"
# Fix test case issues
--
1.8.3.1
^ permalink raw reply related [flat|nested] 3+ messages in thread
* [PATCH 2/2] perl: fix CVE-2017-12837
2017-10-17 6:05 [PATCH 1/2] perl: fix CVE-2017-12883 Hongxu Jia
@ 2017-10-17 6:05 ` Hongxu Jia
2017-10-17 6:30 ` ✗ patchtest: failure for "perl: fix CVE-2017-12883..." and 1 more Patchwork
1 sibling, 0 replies; 3+ messages in thread
From: Hongxu Jia @ 2017-10-17 6:05 UTC (permalink / raw)
To: openembedded-core, ross.burton
https://perl5.git.perl.org/perl.git/commitdiff/96c83ed78aeea1a0496dd2b2d935869a822dc8a5
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
---
.../perl/perl/perl-fix-CVE-2017-12837.patch | 31 ++++++++++++++++++++++
meta/recipes-devtools/perl/perl_5.24.1.bb | 1 +
2 files changed, 32 insertions(+)
create mode 100644 meta/recipes-devtools/perl/perl/perl-fix-CVE-2017-12837.patch
diff --git a/meta/recipes-devtools/perl/perl/perl-fix-CVE-2017-12837.patch b/meta/recipes-devtools/perl/perl/perl-fix-CVE-2017-12837.patch
new file mode 100644
index 0000000..8f874d7
--- /dev/null
+++ b/meta/recipes-devtools/perl/perl/perl-fix-CVE-2017-12837.patch
@@ -0,0 +1,31 @@
+From 73d7247ecab863ef26b5687a37ccc75d6144ad0f Mon Sep 17 00:00:00 2001
+From: Karl Williamson <khw@cpan.org>
+Date: Tue, 17 Oct 2017 13:49:14 +0800
+Subject: [PATCH] fix CVE-2017-12837
+
+Signed-off-by: Karl Williamson <khw@cpan.org>
+Signed-off-by: Steve Hay <steve.m.hay@googlemail.com>
+
+Upstream-Status: Backport
+https://perl5.git.perl.org/perl.git/commitdiff/96c83ed78aeea1a0496dd2b2d935869a822dc8a5
+
+Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
+---
+ regcomp.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/regcomp.c b/regcomp.c
+index 5498d14..31ec383 100644
+--- a/regcomp.c
++++ b/regcomp.c
+@@ -13021,6 +13021,7 @@ S_regatom(pTHX_ RExC_state_t *pRExC_state, I32 *flagp, U32 depth)
+ goto loopdone;
+ }
+ p = RExC_parse;
++ RExC_parse = parse_start;
+ if (ender > 0xff) {
+ REQUIRE_UTF8(flagp);
+ }
+--
+1.8.3.1
+
diff --git a/meta/recipes-devtools/perl/perl_5.24.1.bb b/meta/recipes-devtools/perl/perl_5.24.1.bb
index 93420f1..363bc94 100644
--- a/meta/recipes-devtools/perl/perl_5.24.1.bb
+++ b/meta/recipes-devtools/perl/perl_5.24.1.bb
@@ -66,6 +66,7 @@ SRC_URI += " \
file://perl-fix-conflict-between-skip_all-and-END.patch \
file://perl-test-customized.patch \
file://perl-fix-CVE-2017-12883.patch \
+ file://perl-fix-CVE-2017-12837.patch \
"
# Fix test case issues
--
1.8.3.1
^ permalink raw reply related [flat|nested] 3+ messages in thread
* ✗ patchtest: failure for "perl: fix CVE-2017-12883..." and 1 more
2017-10-17 6:05 [PATCH 1/2] perl: fix CVE-2017-12883 Hongxu Jia
2017-10-17 6:05 ` [PATCH 2/2] perl: fix CVE-2017-12837 Hongxu Jia
@ 2017-10-17 6:30 ` Patchwork
1 sibling, 0 replies; 3+ messages in thread
From: Patchwork @ 2017-10-17 6:30 UTC (permalink / raw)
To: Hongxu Jia; +Cc: openembedded-core
== Series Details ==
Series: "perl: fix CVE-2017-12883..." and 1 more
Revision: 1
URL : https://patchwork.openembedded.org/series/9373/
State : failure
== Summary ==
Thank you for submitting this patch series to OpenEmbedded Core. This is
an automated response. Several tests have been executed on the proposed
series by patchtest resulting in the following failures:
* Patch [1/2] perl: fix CVE-2017-12883
Issue Missing or incorrectly formatted CVE tag in included patch file [test_cve_tag_format]
Suggested fix Correct or include the CVE tag on cve patch with format: "CVE: CVE-YYYY-XXXX"
If you believe any of these test results are incorrect, please reply to the
mailing list (openembedded-core@lists.openembedded.org) raising your concerns.
Otherwise we would appreciate you correcting the issues and submitting a new
version of the patchset if applicable. Please ensure you add/increment the
version number when sending the new version (i.e. [PATCH] -> [PATCH v2] ->
[PATCH v3] -> ...).
---
Test framework: http://git.yoctoproject.org/cgit/cgit.cgi/patchtest
Test suite: http://git.yoctoproject.org/cgit/cgit.cgi/patchtest-oe
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2017-10-17 6:30 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2017-10-17 6:05 [PATCH 1/2] perl: fix CVE-2017-12883 Hongxu Jia
2017-10-17 6:05 ` [PATCH 2/2] perl: fix CVE-2017-12837 Hongxu Jia
2017-10-17 6:30 ` ✗ patchtest: failure for "perl: fix CVE-2017-12883..." and 1 more Patchwork
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.