diff --git a/SOURCES/perl-5.16.3-CVE-2020-10543.patch b/SOURCES/perl-5.16.3-CVE-2020-10543.patch new file mode 100644 index 0000000..fca36ea --- /dev/null +++ b/SOURCES/perl-5.16.3-CVE-2020-10543.patch @@ -0,0 +1,72 @@ +From dd88eabcdaecfe56bd4dd50fcb557ad59bed4855 Mon Sep 17 00:00:00 2001 +From: Jitka Plesnikova +Date: Thu, 7 Jan 2021 12:50:21 +0100 +Subject: [PATCH] regcomp.c: Prevent integer overflow from nested regex + quantifiers. + +(CVE-2020-10543) On 32bit systems the size calculations for nested regular +expression quantifiers could overflow causing heap memory corruption. +--- + AUTHORS | 1 + + perl.h | 2 ++ + regcomp.c | 6 ++++++ + t/re/pat.t | 1 + + 4 files changed, 10 insertions(+) + +diff --git a/AUTHORS b/AUTHORS +index 9589b5b..b69783a 100644 +--- a/AUTHORS ++++ b/AUTHORS +@@ -558,6 +558,7 @@ John Holdsworth + John Hughes + John Kristian + John L. Allen ++John Lightsey + John Macdonald + John Malmberg + John Nolan +diff --git a/perl.h b/perl.h +index e532af2..9806c58 100644 +--- a/perl.h ++++ b/perl.h +@@ -1758,6 +1758,8 @@ typedef UVTYPE UV; + # endif + #endif + ++#define SSize_t_MAX (SSize_t)(~(size_t)0 >> 1) ++ + #ifndef HAS_QUAD + # undef PERL_NEED_MY_HTOLE64 + # undef PERL_NEED_MY_LETOH64 +diff --git a/regcomp.c b/regcomp.c +index 57505f3..a02c296 100644 +--- a/regcomp.c ++++ b/regcomp.c +@@ -3848,6 +3848,12 @@ S_study_chunk(pTHX_ RExC_state_t *pRExC_state, regnode **scanp, + "Quantifier unexpected on zero-length expression"); + } + ++ if ( ( minnext > 0 && mincount >= SSize_t_MAX / minnext ) ++ || min >= SSize_t_MAX - minnext * mincount ) ++ { ++ FAIL("Regexp out of space"); ++ } ++ + min += minnext * mincount; + is_inf_internal |= ((maxcount == REG_INFTY + && (minnext + deltanext) > 0) +diff --git a/t/re/pat.t b/t/re/pat.t +index e328fbd..214a14b 100644 +--- a/t/re/pat.t ++++ b/t/re/pat.t +@@ -16,6 +16,7 @@ $| = 1; + BEGIN { + chdir 't' if -d 't'; + @INC = ('../lib','.'); ++ require Config; import Config; + require './test.pl'; + } + +-- +2.26.2 + diff --git a/SOURCES/perl-5.16.3-CVE-2020-10878.patch b/SOURCES/perl-5.16.3-CVE-2020-10878.patch new file mode 100644 index 0000000..0e81d84 --- /dev/null +++ b/SOURCES/perl-5.16.3-CVE-2020-10878.patch @@ -0,0 +1,147 @@ +From af92b565250adce354d1af936c0013d0175a5b81 Mon Sep 17 00:00:00 2001 +From: Jitka Plesnikova +Date: Mon, 1 Jun 2020 18:33:56 +0200 +Subject: [PATCH 4/4] study_chunk: extract rck_elide_nothing + +(CVE-2020-10878) +--- + embed.fnc | 1 + + embed.h | 1 + + proto.h | 4 ++++ + regcomp.c | 70 ++++++++++++++++++++++++++++++++++--------------------- + 4 files changed, 49 insertions(+), 27 deletions(-) + +diff --git a/embed.fnc b/embed.fnc +index 9546555..aa6c886 100644 +--- a/embed.fnc ++++ b/embed.fnc +@@ -1952,6 +1952,7 @@ Es |I32 |study_chunk |NN struct RExC_state_t *pRExC_state \ + |I32 stopparen|NULLOK U8* recursed \ + |NULLOK struct regnode_charclass_class *and_withp \ + |U32 flags|U32 depth|bool was_mutate_ok ++Es |void |rck_elide_nothing|NN regnode *node + EsRn |U32 |add_data |NN struct RExC_state_t *pRExC_state|U32 n \ + |NN const char *s + rs |void |re_croak2 |NN const char* pat1|NN const char* pat2|... +diff --git a/embed.h b/embed.h +index f7db1e0..555538d 100644 +--- a/embed.h ++++ b/embed.h +@@ -933,6 +933,7 @@ + #define make_trie(a,b,c,d,e,f,g,h) S_make_trie(aTHX_ a,b,c,d,e,f,g,h) + #define make_trie_failtable(a,b,c,d) S_make_trie_failtable(aTHX_ a,b,c,d) + #define nextchar(a) S_nextchar(aTHX_ a) ++#define rck_elide_nothing(a) S_rck_elide_nothing(aTHX_ a) + #define reg(a,b,c,d) S_reg(aTHX_ a,b,c,d) + #define reg_namedseq(a,b,c,d) S_reg_namedseq(aTHX_ a,b,c,d) + #define reg_node(a,b) S_reg_node(aTHX_ a,b) +diff --git a/proto.h b/proto.h +index 143eee0..d7cba26 100644 +--- a/proto.h ++++ b/proto.h +@@ -6477,6 +6477,10 @@ STATIC char * S_nextchar(pTHX_ struct RExC_state_t *pRExC_state) + #define PERL_ARGS_ASSERT_NEXTCHAR \ + assert(pRExC_state) + ++STATIC void S_rck_elide_nothing(pTHX_ regnode *node); ++#define PERL_ARGS_ASSERT_RCK_ELIDE_NOTHING \ ++ assert(node) ++ + STATIC void S_re_croak2(pTHX_ const char* pat1, const char* pat2, ...) + __attribute__noreturn__ + __attribute__nonnull__(pTHX_1) +diff --git a/regcomp.c b/regcomp.c +index 9842a83..aa96980 100644 +--- a/regcomp.c ++++ b/regcomp.c +@@ -2967,6 +2967,43 @@ case N ## nAmE: \ + break + + ++/* Follow the next-chain of the current node and optimize away ++ all the NOTHINGs from it. ++ */ ++STATIC void ++S_rck_elide_nothing(pTHX_ regnode *node) ++{ ++ dVAR; ++ ++ PERL_ARGS_ASSERT_RCK_ELIDE_NOTHING; ++ ++ if (OP(node) != CURLYX) { ++ const int max = (reg_off_by_arg[OP(node)] ++ ? I32_MAX ++ /* I32 may be smaller than U16 on CRAYs! */ ++ : (I32_MAX < U16_MAX ? I32_MAX : U16_MAX)); ++ int off = (reg_off_by_arg[OP(node)] ? ARG(node) : NEXT_OFF(node)); ++ int noff; ++ regnode *n = node; ++ ++ /* Skip NOTHING and LONGJMP. */ ++ while ( ++ (n = regnext(n)) ++ && ( ++ (PL_regkind[OP(n)] == NOTHING && (noff = NEXT_OFF(n))) ++ || ((OP(n) == LONGJMP) && (noff = ARG(n))) ++ ) ++ && off + noff < max ++ ) { ++ off += noff; ++ } ++ if (reg_off_by_arg[OP(node)]) ++ ARG(node) = off; ++ else ++ NEXT_OFF(node) = off; ++ } ++ return; ++} + + STATIC I32 + S_study_chunk(pTHX_ RExC_state_t *pRExC_state, regnode **scanp, +@@ -3034,27 +3071,9 @@ S_study_chunk(pTHX_ RExC_state_t *pRExC_state, regnode **scanp, + + + /* Follow the next-chain of the current node and optimize +- away all the NOTHINGs from it. */ +- if (OP(scan) != CURLYX) { +- const int max = (reg_off_by_arg[OP(scan)] +- ? I32_MAX +- /* I32 may be smaller than U16 on CRAYs! */ +- : (I32_MAX < U16_MAX ? I32_MAX : U16_MAX)); +- int off = (reg_off_by_arg[OP(scan)] ? ARG(scan) : NEXT_OFF(scan)); +- int noff; +- regnode *n = scan; +- +- /* Skip NOTHING and LONGJMP. */ +- while ((n = regnext(n)) +- && ((PL_regkind[OP(n)] == NOTHING && (noff = NEXT_OFF(n))) +- || ((OP(n) == LONGJMP) && (noff = ARG(n)))) +- && off + noff < max) +- off += noff; +- if (reg_off_by_arg[OP(scan)]) +- ARG(scan) = off; +- else +- NEXT_OFF(scan) = off; +- } ++ away all the NOTHINGs from it. ++ */ ++ rck_elide_nothing(scan); + + + +@@ -4057,11 +4094,7 @@ S_study_chunk(pTHX_ RExC_state_t *pRExC_state, regnode **scanp, + if (data && (fl & SF_HAS_EVAL)) + data->flags |= SF_HAS_EVAL; + optimize_curly_tail: +- if (OP(oscan) != CURLYX) { +- while (PL_regkind[OP(next = regnext(oscan))] == NOTHING +- && NEXT_OFF(next)) +- NEXT_OFF(oscan) += NEXT_OFF(next); +- } ++ rck_elide_nothing(oscan); + continue; + default: /* REF, ANYOFV, and CLUMP only? */ + if (flags & SCF_DO_SUBSTR) { +-- +2.25.4 + diff --git a/SOURCES/perl-5.16.3-CVE-2020-12723.patch b/SOURCES/perl-5.16.3-CVE-2020-12723.patch new file mode 100644 index 0000000..8354da5 --- /dev/null +++ b/SOURCES/perl-5.16.3-CVE-2020-12723.patch @@ -0,0 +1,270 @@ +From d6f7a97d2c1dfcedd728d8b2ac1a07e953922950 Mon Sep 17 00:00:00 2001 +From: Hugo van der Sanden +Date: Fri, 18 Dec 2020 14:55:16 +0100 +Subject: [PATCH] study_chunk: avoid mutating regexp program within GOSUB +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +gh16947 and gh17743: studying GOSUB may restudy in an inner call +(via a mix of recursion and enframing) something that an outer call +is in the middle of looking at. Let the outer frame deal with it. + +(CVE-2020-12723) + +Jitka Plesnikova, Petr Pisar: Ported from +3f4ba871d2d397dcd4386ed75e05353c36135c29 to 5.16.3. + +Signed-off-by: Petr Písař +--- + embed.fnc | 2 +- + embed.h | 2 +- + proto.h | 2 +- + regcomp.c | 42 ++++++++++++++++++++++++++++++------------ + t/re/pat.t | 26 +++++++++++++++++++++++++- + 5 files changed, 58 insertions(+), 16 deletions(-) + +diff --git a/embed.fnc b/embed.fnc +index 9546555..019afa9 100644 +--- a/embed.fnc ++++ b/embed.fnc +@@ -1951,7 +1951,7 @@ Es |I32 |study_chunk |NN struct RExC_state_t *pRExC_state \ + |NULLOK struct scan_data_t *data \ + |I32 stopparen|NULLOK U8* recursed \ + |NULLOK struct regnode_charclass_class *and_withp \ +- |U32 flags|U32 depth ++ |U32 flags|U32 depth|bool was_mutate_ok + EsRn |U32 |add_data |NN struct RExC_state_t *pRExC_state|U32 n \ + |NN const char *s + rs |void |re_croak2 |NN const char* pat1|NN const char* pat2|... +diff --git a/embed.h b/embed.h +index f7db1e0..75f326e 100644 +--- a/embed.h ++++ b/embed.h +@@ -952,7 +952,7 @@ + #define scan_commit(a,b,c,d) S_scan_commit(aTHX_ a,b,c,d) + #define set_regclass_bit(a,b,c,d,e) S_set_regclass_bit(aTHX_ a,b,c,d,e) + #define set_regclass_bit_fold(a,b,c,d,e) S_set_regclass_bit_fold(aTHX_ a,b,c,d,e) +-#define study_chunk(a,b,c,d,e,f,g,h,i,j,k) S_study_chunk(aTHX_ a,b,c,d,e,f,g,h,i,j,k) ++#define study_chunk(a,b,c,d,e,f,g,h,i,j,k,l) S_study_chunk(aTHX_ a,b,c,d,e,f,g,h,i,j,k,l) + # endif + # if defined(PERL_IN_REGCOMP_C) || defined(PERL_IN_REGEXEC_C) || defined(PERL_IN_UTF8_C) + #define _core_swash_init(a,b,c,d,e,f,g,h) Perl__core_swash_init(aTHX_ a,b,c,d,e,f,g,h) +diff --git a/proto.h b/proto.h +index 143eee0..1b2ece6 100644 +--- a/proto.h ++++ b/proto.h +@@ -6597,7 +6597,7 @@ STATIC U8 S_set_regclass_bit_fold(pTHX_ struct RExC_state_t *pRExC_state, regnod + #define PERL_ARGS_ASSERT_SET_REGCLASS_BIT_FOLD \ + assert(pRExC_state); assert(node); assert(invlist_ptr); assert(alternate_ptr) + +-STATIC I32 S_study_chunk(pTHX_ struct RExC_state_t *pRExC_state, regnode **scanp, I32 *minlenp, I32 *deltap, regnode *last, struct scan_data_t *data, I32 stopparen, U8* recursed, struct regnode_charclass_class *and_withp, U32 flags, U32 depth) ++STATIC I32 S_study_chunk(pTHX_ struct RExC_state_t *pRExC_state, regnode **scanp, I32 *minlenp, I32 *deltap, regnode *last, struct scan_data_t *data, I32 stopparen, U8* recursed, struct regnode_charclass_class *and_withp, U32 flags, U32 depth, bool was_mutate_ok) + __attribute__nonnull__(pTHX_1) + __attribute__nonnull__(pTHX_2) + __attribute__nonnull__(pTHX_3) +diff --git a/regcomp.c b/regcomp.c +index 2254159..57505f3 100644 +--- a/regcomp.c ++++ b/regcomp.c +@@ -2934,6 +2934,7 @@ typedef struct scan_frame { + regnode *next; /* next node to process when last is reached */ + struct scan_frame *prev; /*previous frame*/ + I32 stop; /* what stopparen do we use */ ++ bool in_gosub; /* this or an outer frame is for GOSUB */ + } scan_frame; + + +@@ -2975,7 +2976,7 @@ S_study_chunk(pTHX_ RExC_state_t *pRExC_state, regnode **scanp, + I32 stopparen, + U8* recursed, + struct regnode_charclass_class *and_withp, +- U32 flags, U32 depth) ++ U32 flags, U32 depth, bool was_mutate_ok) + /* scanp: Start here (read-write). */ + /* deltap: Write maxlen-minlen here. */ + /* last: Stop before this one. */ +@@ -3016,6 +3017,11 @@ S_study_chunk(pTHX_ RExC_state_t *pRExC_state, regnode **scanp, + length to get a real minimum (because the + folded version may be shorter) */ + bool has_exactf_sharp_s = FALSE; ++ /* avoid mutating ops if we are anywhere within the recursed or ++ * enframed handling for a GOSUB: the outermost level will handle it. ++ */ ++ bool mutate_ok = was_mutate_ok && !(frame && frame->in_gosub); ++ + /* Peephole optimizer: */ + DEBUG_STUDYDATA("Peep:", data,depth); + DEBUG_PEEP("Peep",scan,depth); +@@ -3023,7 +3029,9 @@ S_study_chunk(pTHX_ RExC_state_t *pRExC_state, regnode **scanp, + /* Its not clear to khw or hv why this is done here, and not in the + * clauses that deal with EXACT nodes. khw's guess is that it's + * because of a previous design */ +- JOIN_EXACT(scan,&min_subtract, &has_exactf_sharp_s, 0); ++ if (mutate_ok) ++ JOIN_EXACT(scan,&min_subtract, &has_exactf_sharp_s, 0); ++ + + /* Follow the next-chain of the current node and optimize + away all the NOTHINGs from it. */ +@@ -3100,7 +3108,8 @@ S_study_chunk(pTHX_ RExC_state_t *pRExC_state, regnode **scanp, + /* we suppose the run is continuous, last=next...*/ + minnext = study_chunk(pRExC_state, &scan, minlenp, &deltanext, + next, &data_fake, +- stopparen, recursed, NULL, f,depth+1); ++ stopparen, recursed, NULL, f,depth+1, ++ mutate_ok); + if (min1 > minnext) + min1 = minnext; + if (max1 < minnext + deltanext) +@@ -3161,7 +3170,10 @@ S_study_chunk(pTHX_ RExC_state_t *pRExC_state, regnode **scanp, + } + } + +- if (PERL_ENABLE_TRIE_OPTIMISATION && OP( startbranch ) == BRANCH ) { ++ if (PERL_ENABLE_TRIE_OPTIMISATION ++ && OP( startbranch ) == BRANCH ++ && mutate_ok) { ++ + /* demq. + + Assuming this was/is a branch we are dealing with: 'scan' now +@@ -3481,6 +3493,9 @@ S_study_chunk(pTHX_ RExC_state_t *pRExC_state, regnode **scanp, + newframe->last = last; + newframe->stop = stopparen; + newframe->prev = frame; ++ newframe->in_gosub = ( ++ (frame && frame->in_gosub) || (OP(scan) == GOSUB || OP(scan) == GOSTART) ++ ); + + frame = newframe; + scan = start; +@@ -3792,7 +3807,7 @@ S_study_chunk(pTHX_ RExC_state_t *pRExC_state, regnode **scanp, + minnext = study_chunk(pRExC_state, &scan, minlenp, &deltanext, + last, data, stopparen, recursed, NULL, + (mincount == 0 +- ? (f & ~SCF_DO_SUBSTR) : f),depth+1); ++ ? (f & ~SCF_DO_SUBSTR) : f),depth+1,mutate_ok); + + if (flags & SCF_DO_STCLASS) + data->start_class = oclass; +@@ -3844,7 +3859,9 @@ S_study_chunk(pTHX_ RExC_state_t *pRExC_state, regnode **scanp, + if ( OP(oscan) == CURLYX && data + && data->flags & SF_IN_PAR + && !(data->flags & SF_HAS_EVAL) +- && !deltanext && minnext == 1 ) { ++ && !deltanext && minnext == 1 ++ && mutate_ok ++ ) { + /* Try to optimize to CURLYN. */ + regnode *nxt = NEXTOPER(oscan) + EXTRA_STEP_2ARGS; + regnode * const nxt1 = nxt; +@@ -3890,6 +3907,7 @@ S_study_chunk(pTHX_ RExC_state_t *pRExC_state, regnode **scanp, + && !(data->flags & SF_HAS_EVAL) + && !deltanext /* atom is fixed width */ + && minnext != 0 /* CURLYM can't handle zero width */ ++ && mutate_ok + ) { + /* XXXX How to optimize if data == 0? */ + /* Optimize to a simpler form. */ +@@ -3936,7 +3954,7 @@ S_study_chunk(pTHX_ RExC_state_t *pRExC_state, regnode **scanp, + #endif + /* Optimize again: */ + study_chunk(pRExC_state, &nxt1, minlenp, &deltanext, nxt, +- NULL, stopparen, recursed, NULL, 0,depth+1); ++ NULL, stopparen, recursed, NULL, 0,depth+1,mutate_ok); + } + else + oscan->flags = 0; +@@ -4376,7 +4394,7 @@ S_study_chunk(pTHX_ RExC_state_t *pRExC_state, regnode **scanp, + next = regnext(scan); + nscan = NEXTOPER(NEXTOPER(scan)); + minnext = study_chunk(pRExC_state, &nscan, minlenp, &deltanext, +- last, &data_fake, stopparen, recursed, NULL, f, depth+1); ++ last, &data_fake, stopparen, recursed, NULL, f, depth+1,mutate_ok); + if (scan->flags) { + if (deltanext) { + FAIL("Variable length lookbehind not implemented"); +@@ -4462,7 +4480,7 @@ S_study_chunk(pTHX_ RExC_state_t *pRExC_state, regnode **scanp, + nscan = NEXTOPER(NEXTOPER(scan)); + + *minnextp = study_chunk(pRExC_state, &nscan, minnextp, &deltanext, +- last, &data_fake, stopparen, recursed, NULL, f,depth+1); ++ last, &data_fake, stopparen, recursed, NULL, f,depth+1,mutate_ok); + if (scan->flags) { + if (deltanext) { + FAIL("Variable length lookbehind not implemented"); +@@ -4625,7 +4643,7 @@ S_study_chunk(pTHX_ RExC_state_t *pRExC_state, regnode **scanp, + */ + minnext = study_chunk(pRExC_state, &scan, minlenp, + &deltanext, (regnode *)nextbranch, &data_fake, +- stopparen, recursed, NULL, f,depth+1); ++ stopparen, recursed, NULL, f,depth+1,mutate_ok); + } + if (nextbranch && PL_regkind[OP(nextbranch)]==BRANCH) + nextbranch= regnext((regnode*)nextbranch); +@@ -5442,7 +5460,7 @@ reStudy: + + minlen = study_chunk(pRExC_state, &first, &minlen, &fake, scan + RExC_size, /* Up to end */ + &data, -1, NULL, NULL, +- SCF_DO_SUBSTR | SCF_WHILEM_VISITED_POS | stclass_flag,0); ++ SCF_DO_SUBSTR | SCF_WHILEM_VISITED_POS | stclass_flag,0,TRUE); + + + CHECK_RESTUDY_GOTO; +@@ -5627,7 +5645,7 @@ reStudy: + + + minlen = study_chunk(pRExC_state, &scan, &minlen, &fake, scan + RExC_size, +- &data, -1, NULL, NULL, SCF_DO_STCLASS_AND|SCF_WHILEM_VISITED_POS,0); ++ &data, -1, NULL, NULL, SCF_DO_STCLASS_AND|SCF_WHILEM_VISITED_POS,0,TRUE); + + CHECK_RESTUDY_GOTO; + +diff --git a/t/re/pat.t b/t/re/pat.t +index faddbc5..e328fbd 100644 +--- a/t/re/pat.t ++++ b/t/re/pat.t +@@ -19,7 +19,7 @@ BEGIN { + require './test.pl'; + } + +-plan tests => 472; # Update this when adding/deleting tests. ++plan tests => 476; # Update this when adding/deleting tests. + + run_tests() unless caller; + +@@ -1260,6 +1260,30 @@ EOP + use re '/aa'; + unlike 'k', qr/(?i:\N{KELVIN SIGN})/, "(?i: shouldn't lose the passed in /aa"; + } ++ # gh16947: test regexp corruption (GOSUB) ++ { ++ fresh_perl_is(q{ ++ 'xy' =~ /x(?0)|x(?|y|y)/ && print 'ok' ++ }, 'ok', {}, 'gh16947: test regexp corruption (GOSUB)'); ++ } ++ # gh16947: test fix doesn't break SUSPEND ++ { ++ fresh_perl_is(q{ 'sx' =~ m{ss++}i; print 'ok' }, ++ 'ok', {}, "gh16947: test fix doesn't break SUSPEND"); ++ } ++ ++ # gh17743: more regexp corruption via GOSUB ++ { ++ fresh_perl_is(q{ ++ "0" =~ /((0(?0)|000(?|0000|0000)(?0))|)/; print "ok" ++ }, 'ok', {}, 'gh17743: test regexp corruption (1)'); ++ ++ fresh_perl_is(q{ ++ "000000000000" =~ /(0(())(0((?0)())|000(?|\x{ef}\x{bf}\x{bd}|\x{ef}\x{bf}\x{bd}))|)/; ++ print "ok" ++ }, 'ok', {}, 'gh17743: test regexp corruption (2)'); ++ } ++ + } # End of sub run_tests + + 1; +-- +2.26.2 + diff --git a/SPECS/perl.spec b/SPECS/perl.spec index f21be92..38026bc 100644 --- a/SPECS/perl.spec +++ b/SPECS/perl.spec @@ -31,7 +31,7 @@ Name: perl Version: %{perl_version} # release number must be even higher, because dual-lived modules will be broken otherwise -Release: 297%{?dist} +Release: 299%{?dist} Epoch: %{perl_epoch} Summary: Practical Extraction and Report Language Group: Development/Languages @@ -190,6 +190,18 @@ Patch45: perl-5.19.4-Fix-day-of-year-parsing.patch # in upstream after 5.29.1, in dual-life package after 1.26 Patch46: perl-5.16.3-RT-124787-Fix-Time-Local-tests.patch +# Fix CVE-2020-12723, bug #1839278, GH#16947, fixed in upstream 5.28.3, ported from +# upstream 3f4ba871d2d397dcd4386ed75e05353c36135c29. +Patch47: perl-5.16.3-CVE-2020-12723.patch + +# Fix CVE-2020-10543, bug #1839272, fixed in upstream 5.28.3, ported from +# upstream 1aef74e6bc0269fcd6ad7669fcd58488ffaf736f. +Patch48: perl-5.16.3-CVE-2020-10543.patch + +# Fix CVE-2020-10878, bug #1839275, fixed in upstream 5.28.3, ported from +# upstream 011cd8913d3a230b8d30b156b848585c7c4c1597. +Patch49: perl-5.16.3-CVE-2020-10878.patch + # Update some of the bundled modules # see http://fedoraproject.org/wiki/Perl/perl.spec for instructions @@ -1995,6 +2007,9 @@ tarball from perl.org. %patch44 -p1 %patch45 -p1 %patch46 -p1 +%patch47 -p1 +%patch48 -p1 +%patch49 -p1 %if !%{defined perl_bootstrap} # Local patch tracking @@ -2042,6 +2057,9 @@ perl -x patchlevel.h \ 'RHEL Patch43: Fix CVE-2018-18311 Integer overflow leading to buffer overflow' \ 'RHEL Patch44: Fix a spurious timeout in Net::FTP::close (CPAN RT#18504)' \ 'RHEL Patch45: Fix day of year parsing (CPAN RT#88211)' \ + 'RHEL Patch47: Fix CVE-2020-12723 (GH#16947)' \ + 'RHEL Patch48: Fix CVE-2020-10543' \ + 'RHEL Patch49: Fix CVE-2020-10878' \ %{nil} %endif @@ -3724,6 +3742,13 @@ sed \ # Old changelog entries are preserved in CVS. %changelog +* Thu Jan 07 2021 Jitka Plesnikova - 4:5.16.3-299 +- Fix CVE-2020-10543 (bug #1839272) +- Fix CVE-2020-10878 (bug #1839275) + +* Fri Dec 18 2020 Petr Pisar - 4:5.16.3-298 +- Fix CVE-2020-12723 (bug #1839278) + * Mon Feb 24 2020 Petr Pisar - 4:5.16.3-297 - Fix a file mode of a perl-example.stp example (bug #1806523)