* [PATCH 1/2] perl: fix CVE-2016-6185
@ 2016-09-21  5:38 mingli.yu
From: mingli.yu @ 2016-09-21  5:38 UTC (permalink / raw)
  To: openembedded-core

From: Mingli Yu <Mingli.Yu@windriver.com>

Backport patch to fix CVE-2016-6185 from perl upstream:
http://perl5.git.perl.org/perl.git/commitdiff/08e3451d7

Signed-off-by: Mingli Yu <Mingli.Yu@windriver.com>
---
 .../perl/perl/perl-fix-CVE-2016-6185.patch         | 127 +++++++++++++++++++++
 meta/recipes-devtools/perl/perl_5.22.1.bb          |   1 +
 2 files changed, 128 insertions(+)
 create mode 100644 meta/recipes-devtools/perl/perl/perl-fix-CVE-2016-6185.patch

diff --git a/meta/recipes-devtools/perl/perl/perl-fix-CVE-2016-6185.patch b/meta/recipes-devtools/perl/perl/perl-fix-CVE-2016-6185.patch
new file mode 100644
index 0000000..b4acb9b
--- /dev/null
+++ b/meta/recipes-devtools/perl/perl/perl-fix-CVE-2016-6185.patch
@@ -0,0 +1,127 @@
+From 7cedaa8bc2ca9e63369d0e2d4c4c23af9febb93a Mon Sep 17 00:00:00 2001
+From: Father Chrysostomos <sprout@cpan.org>
+Date: Sat, 2 Jul 2016 22:56:51 -0700
+Subject: [PATCH] perl: fix CVE-2016-6185
+MIME-Version: 1.0
+
+Don't let XSLoader load relative paths
+
+[rt.cpan.org #115808]
+
+The logic in XSLoader for determining the library goes like this:
+
+    my $c = () = split(/::/,$caller,-1);
+    $modlibname =~ s,[\\/][^\\/]+$,, while $c--;    # Q&D basename
+    my $file = "$modlibname/auto/$modpname/$modfname.bundle";
+
+(That last line varies by platform.)
+
+$caller is the calling package.  $modlibname is the calling file.  It
+removes as many path segments from $modlibname as there are segments
+in $caller.  So if you have Foo/Bar/XS.pm calling XSLoader from the
+Foo::Bar package, the $modlibname will end up containing the path in
+@INC where XS.pm was found, followed by "/Foo".  Usually the fallback
+to Dynaloader::bootstrap_inherit, which does an @INC search, makes
+things Just Work.
+
+But if our hypothetical Foo/Bar/XS.pm actually calls
+XSLoader::load from inside a string eval, then path ends up being
+"(eval 1)/auto/Foo/Bar/Bar.bundle".
+
+So if someone creates a directory named '(eval 1)' with a naughty
+binary file in it, it will be loaded if a script using Foo::Bar is run
+in the parent directory.
+
+This commit makes XSLoader fall back to Dynaloader's @INC search if
+the calling file has a relative path that is not found in @INC.
+
+Backport patch from http://perl5.git.perl.org/perl.git/commitdiff/08e3451d7
+
+Upstream-Status: Backport
+Signed-off-by: Mingli Yu <Mingli.Yu@windriver.com>
+---
+ dist/XSLoader/XSLoader_pm.PL | 25 +++++++++++++++++++++++++
+ dist/XSLoader/t/XSLoader.t   | 27 ++++++++++++++++++++++++++-
+ 2 files changed, 51 insertions(+), 1 deletion(-)
+
+diff --git a/dist/XSLoader/XSLoader_pm.PL b/dist/XSLoader/XSLoader_pm.PL
+index 668411d..778e46b 100644
+--- a/dist/XSLoader/XSLoader_pm.PL
++++ b/dist/XSLoader/XSLoader_pm.PL
+@@ -104,6 +104,31 @@ print OUT <<'EOT';
+     my $modpname = join('/',@modparts);
+     my $c = () = split(/::/,$caller,-1);
+     $modlibname =~ s,[\\/][^\\/]+$,, while $c--;    # Q&D basename
++    # Does this look like a relative path?
++    if ($modlibname !~ m|^[\\/]|) {
++        # Someone may have a #line directive that changes the file name, or
++        # may be calling XSLoader::load from inside a string eval.  We cer-
++        # tainly do not want to go loading some code that is not in @INC,
++        # as it could be untrusted.
++        #
++        # We could just fall back to DynaLoader here, but then the rest of
++        # this function would go untested in the perl core, since all @INC
++        # paths are relative during testing.  That would be a time bomb
++        # waiting to happen, since bugs could be introduced into the code.
++        #
++        # So look through @INC to see if $modlibname is in it.  A rela-
++        # tive $modlibname is not a common occurrence, so this block is
++        # not hot code.
++        FOUND: {
++            for (@INC) {
++                if ($_ eq $modlibname) {
++                    last FOUND;
++                }
++            }
++            # Not found.  Fall back to DynaLoader.
++            goto \&XSLoader::bootstrap_inherit;
++        }
++    }
+ EOT
+ 
+ my $dl_dlext = quotemeta($Config::Config{'dlext'});
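Review bot: the guard only treats paths beginning with `/` or `\` as absolute, and it accepts a relative `$modlibname` by exact string match against @INC (`if ($_ eq $modlibname)`). That closes the `(eval N)` and `#line` cases named in the comment, but a relative entry that is itself in @INC (the comment notes that all @INC paths are relative during core testing) is still accepted and the library is then resolved relative to the current directory, so this change does not remove the need to keep untrusted directories out of @INC. Minor: the comment says "Fall back to DynaLoader" while the `goto` target is `XSLoader::bootstrap_inherit`; naming the wrapper in the comment saves a reader looking for a DynaLoader symbol here.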
+diff --git a/dist/XSLoader/t/XSLoader.t b/dist/XSLoader/t/XSLoader.t
+index 2ff11fe..1e86faa 100644
+--- a/dist/XSLoader/t/XSLoader.t
++++ b/dist/XSLoader/t/XSLoader.t
+@@ -33,7 +33,7 @@ my %modules = (
+     'Time::HiRes'=> q| ::can_ok( 'Time::HiRes' => 'usleep'  ) |,  # 5.7.3
+ );
+ 
+-plan tests => keys(%modules) * 3 + 9;
++plan tests => keys(%modules) * 3 + 10;
+ 
+ # Try to load the module
+ use_ok( 'XSLoader' );
+@@ -125,3 +125,28 @@ XSLoader::load("Devel::Peek");
+ EOS
+     or ::diag $@;
+ }
++
++SKIP: {
++  skip "File::Path not available", 1
++    unless eval { require File::Path };
++  my $name = "phooo$$";
++  File::Path::make_path("$name/auto/Foo/Bar");
++  open my $fh,
++    ">$name/auto/Foo/Bar/Bar.$Config::Config{'dlext'}";
++  close $fh;
++  my $fell_back;
++  local *XSLoader::bootstrap_inherit = sub {
++    $fell_back++;
++    # Break out of the calling subs
++    goto the_test;
++  };
++  eval <<END;
++#line 1 $name
++package Foo::Bar;
++XSLoader::load("Foo::Bar");
++END
++ the_test:
++  ok $fell_back,
++    'XSLoader will not load relative paths based on (caller)[1]';
++  File::Path::remove_tree($name);
++}
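Review bot: the `open my $fh, ">$name/auto/Foo/Bar/Bar.$Config::Config{'dlext'}"` in the fixture is unchecked, as is `File::Path::make_path`, so if the decoy file is never created the test still passes vacuously (a relative path absent from @INC falls back whether or not the file exists). Add `or die "open: $!"` after the open so a broken fixture is reported rather than hidden, and consider creating `$name` under a temporary directory so the tree is not left in the cwd if the test dies before `remove_tree`. The plan change from 9 to 10 matches the single `ok` added.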
+-- 
+2.8.1
+
diff --git a/meta/recipes-devtools/perl/perl_5.22.1.bb b/meta/recipes-devtools/perl/perl_5.22.1.bb
index 04a2b6f..33cad9e 100644
--- a/meta/recipes-devtools/perl/perl_5.22.1.bb
+++ b/meta/recipes-devtools/perl/perl_5.22.1.bb
@@ -66,6 +66,7 @@ SRC_URI += " \
         file://perl-fix-conflict-between-skip_all-and-END.patch \
         file://perl-test-customized.patch \
         file://perl-fix-CVE-2016-2381.patch \
+        file://perl-fix-CVE-2016-6185.patch \
 "
 
 # Fix test case issues
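Review bot: the patch file added to SRC_URI carries `Upstream-Status: Backport` and a Signed-off-by but no `CVE: CVE-2016-6185` tag in its header, so the recipe CVE tooling will not associate it with the CVE; add the tag next to Upstream-Status. The SRC_URI entry itself follows the existing `file://` lines.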
-- 
2.8.1

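An added illustration (written for this page, not part of the patch or of perl's XSLoader) of the `$modlibname` derivation and the new @INC check described in the commit message above; the @INC list and the caller file names are constructed sample values:

```perl
#!/usr/bin/perl
# Reproduce XSLoader's library-directory derivation and the relative-path
# check, so the "(eval 1)" and "#line" cases from the commit message can be
# seen side by side with a normal absolute caller file.
use strict;
use warnings;

# Mirror of the upstream logic: strip one path segment per package segment,
# then refuse a relative result unless it is literally one of the @INC dirs.
sub xsloader_libdir {
    my ($caller, $file, $inc) = @_;
    my $modlibname = $file;
    my $c = () = split(/::/, $caller, -1);
    $modlibname =~ s,[\\/][^\\/]+$,, while $c--;    # Q&D basename
    my $fallback = 0;
    if ($modlibname !~ m|^[\\/]|) {                  # relative path?
        $fallback = 1 unless grep { $_ eq $modlibname } @$inc;
    }
    return ($modlibname, $fallback);
}

my @inc = ('/usr/lib/perl5', '/usr/lib/perl5/site_perl');   # constructed
my @cases = (
    # caller package, (caller)[1] file, description
    ['Foo::Bar', '/usr/lib/perl5/Foo/Bar/XS.pm', 'absolute path under @INC'],
    ['Foo::Bar', '(eval 1)',                      'XSLoader::load inside string eval'],
    ['Foo::Bar', 'phooo123',                      '#line directive renamed the file'],
    ['Foo::Bar', 'lib/Foo/Bar/XS.pm',             'relative path not in @INC'],
);

for my $case (@cases) {
    my ($pkg, $file, $why) = @$case;
    my ($dir, $fb) = xsloader_libdir($pkg, $file, \@inc);
    printf "%-36s -> modlibname=%-24s %s\n", $why, "'$dir'",
        $fb ? 'fall back to DynaLoader @INC search'
            : "tries $dir/auto/Foo/Bar/Bar.<dlext> first";
}
```

The first case ends in the @INC directory plus "/Foo", as the commit message describes; the other three are exactly the relative results that the new block now routes to the @INC search instead of a load from the current directory.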

* [PATCH 2/2] perl: fix CVE-2015-8607
From: mingli.yu @ 2016-09-21  5:38 UTC (permalink / raw)
  To: openembedded-core

From: Mingli Yu <Mingli.Yu@windriver.com>

Backport patch to fix CVE-2015-8607 from perl upstream:
http://perl5.git.perl.org/perl.git/commitdiff/0b6f93036de171c12ba95d415e264d9cf7f4e1fd

Signed-off-by: Mingli Yu <Mingli.Yu@windriver.com>
---
 .../perl/perl/perl-fix-CVE-2015-8607.patch         | 74 ++++++++++++++++++++++
 meta/recipes-devtools/perl/perl_5.22.1.bb          |  1 +
 2 files changed, 75 insertions(+)
 create mode 100644 meta/recipes-devtools/perl/perl/perl-fix-CVE-2015-8607.patch

diff --git a/meta/recipes-devtools/perl/perl/perl-fix-CVE-2015-8607.patch b/meta/recipes-devtools/perl/perl/perl-fix-CVE-2015-8607.patch
new file mode 100644
index 0000000..ca27ee6
--- /dev/null
+++ b/meta/recipes-devtools/perl/perl/perl-fix-CVE-2015-8607.patch
@@ -0,0 +1,74 @@
+From 652c8d4852a69f1bb4d387946f9b76350a1f0d0e Mon Sep 17 00:00:00 2001
+From: Tony Cook <tony@develop-help.com>
+Date: Tue, 15 Dec 2015 10:56:54 +1100
+Subject: [PATCH] perl: fix CVE-2015-8607
+
+ensure File::Spec::canonpath() preserves taint
+
+Previously the unix specific XS implementation of canonpath() would
+return an untainted path when supplied a tainted path.
+
+For the empty string case, newSVpvs() already sets taint as needed on
+its result.
+
+This issue was assigned CVE-2015-8607.  [perl #126862]
+
+Backport patch from http://perl5.git.perl.org/perl.git/commitdiff/0b6f93036de171c12ba95d415e264d9cf7f4e1fd
+
+Upstream-Status: Backport
+
+Signed-off-by: Mingli Yu <Mingli.Yu@windriver.com>
+---
+ dist/PathTools/Cwd.xs    |  1 +
+ dist/PathTools/t/taint.t | 19 ++++++++++++++++++-
+ 2 files changed, 19 insertions(+), 1 deletion(-)
+
+diff --git a/dist/PathTools/Cwd.xs b/dist/PathTools/Cwd.xs
+index 9d4dcf0..3d018dc 100644
+--- a/dist/PathTools/Cwd.xs
++++ b/dist/PathTools/Cwd.xs
+@@ -535,6 +535,7 @@ THX_unix_canonpath(pTHX_ SV *path)
+     *o = 0;
+     SvPOK_on(retval);
+     SvCUR_set(retval, o - SvPVX(retval));
++    SvTAINT(retval);
+     return retval;
+ }
+ 
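Review bot: `SvTAINT(retval)` only marks retval tainted when PL_tainted is already set at this point in the call, i.e. it relies on the tainted `path` argument of THX_unix_canonpath having been read through a get-magic access earlier in the function, which the visible context does not show. If that is not guaranteed on every path through the function, `if (SvTAINTED(path)) SvTAINTED_on(retval);` states the dependency explicitly; either way the taint.t additions are what demonstrate this line is sufficient.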
+diff --git a/dist/PathTools/t/taint.t b/dist/PathTools/t/taint.t
+index 309b3e5..48f8c5b 100644
+--- a/dist/PathTools/t/taint.t
++++ b/dist/PathTools/t/taint.t
+@@ -12,7 +12,7 @@ use Test::More;
+ BEGIN {
+     plan(
+         ${^TAINT}
+-        ? (tests => 17)
++        ? (tests => 21)
+         : (skip_all => "A perl without taint support")
+     );
+ }
+@@ -34,3 +34,20 @@ foreach my $func (@Functions) {
+ 
+ # Previous versions of Cwd tainted $^O
+ is !tainted($^O), 1, "\$^O should not be tainted";
++
++{
++    # [perl #126862] canonpath() loses taint
++    my $tainted = substr($ENV{PATH}, 0, 0);
++    # yes, getcwd()'s result should be tainted, and is tested above
++    # but be sure
++    ok tainted(File::Spec->canonpath($tainted . Cwd::getcwd)),
++        "canonpath() keeps taint on non-empty string";
++    ok tainted(File::Spec->canonpath($tainted)),
++        "canonpath() keeps taint on empty string";
++
++    (Cwd::getcwd() =~ /^(.*)/);
++    my $untainted = $1;
++    ok !tainted($untainted), "make sure our untainted value is untainted";
++    ok !tainted(File::Spec->canonpath($untainted)),
++        "canonpath() doesn't add taint to untainted string";
++}
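Review bot: `$tainted . Cwd::getcwd` on the first `ok` line calls getcwd as a bareword without parentheses while the later `(Cwd::getcwd() =~ /^(.*)/)` uses them; write both with parentheses so the call does not depend on the sub having been declared before this line is compiled. Otherwise the four additions cover both directions (taint kept on empty and non-empty input, no taint added to an untainted input) and match the plan change from 17 to 21.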
+-- 
+2.8.1
+
diff --git a/meta/recipes-devtools/perl/perl_5.22.1.bb b/meta/recipes-devtools/perl/perl_5.22.1.bb
index 33cad9e..b904674 100644
--- a/meta/recipes-devtools/perl/perl_5.22.1.bb
+++ b/meta/recipes-devtools/perl/perl_5.22.1.bb
@@ -67,6 +67,7 @@ SRC_URI += " \
         file://perl-test-customized.patch \
         file://perl-fix-CVE-2016-2381.patch \
         file://perl-fix-CVE-2016-6185.patch \
+        file://perl-fix-CVE-2015-8607.patch \
 "
 
 # Fix test case issues
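Review bot: as with patch 1/2, the added patch header has `Upstream-Status: Backport` and a Signed-off-by but no `CVE: CVE-2015-8607` tag; add it beside Upstream-Status so the CVE tooling picks it up.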
-- 
2.8.1

* Re: [PATCH 1/2] perl: fix CVE-2016-6185
From: Burton, Ross @ 2016-09-21  9:21 UTC (permalink / raw)
  To: Mingli Yu; +Cc: OE-core

On 21 September 2016 at 06:38, <mingli.yu@windriver.com> wrote:

> From: Mingli Yu <Mingli.Yu@windriver.com>
>
> Backport patch to fix CVE-2016-6185 from perl upstream:
> http://perl5.git.perl.org/perl.git/commitdiff/08e3451d7
>
> Signed-off-by: Mingli Yu <Mingli.Yu@windriver.com>
>

Can you please add CVE: tags to the patches alongside the upstream-status
and s-o-b, so that the automated CVE tooling can work?

Ross


* Re: [PATCH 1/2] perl: fix CVE-2016-6185
From: Yu, Mingli @ 2016-09-21  9:42 UTC (permalink / raw)
  To: Burton, Ross; +Cc: OE-core


On 2016-09-21 17:21, Burton, Ross wrote:
>
> On 21 September 2016 at 06:38, <mingli.yu@windriver.com
> <mailto:mingli.yu@windriver.com>> wrote:
>
>     From: Mingli Yu <Mingli.Yu@windriver.com
>     <mailto:Mingli.Yu@windriver.com>>
>
>     Backport patch to fix CVE-2016-6185 from perl upstream:
>     http://perl5.git.perl.org/perl.git/commitdiff/08e3451d7
>     <http://perl5.git.perl.org/perl.git/commitdiff/08e3451d7>
>
>     Signed-off-by: Mingli Yu <Mingli.Yu@windriver.com
>     <mailto:Mingli.Yu@windriver.com>>
>
>
> Can you please add CVE: tags to the patches alongside the
> upstream-status and s-o-b, so that the automated CVE tooling can work?

Will resend the v2 patch to add CVE tags.

Thanks,
Mingli

>
> Ross

