From 2c161b24faa0cbf046c1424db8125a02f8aa7305 Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Apr 23 2018 06:26:47 +0000 Subject: import rh-perl524-perl-5.24.0-380.el7 --- diff --git a/SOURCES/perl-5.24.0-fix-TRIE_READ_CHAR-and-DECL_TRIE_TYPE-to-acco.patch b/SOURCES/perl-5.24.0-fix-TRIE_READ_CHAR-and-DECL_TRIE_TYPE-to-acco.patch new file mode 100644 index 0000000..44d28d0 --- /dev/null +++ b/SOURCES/perl-5.24.0-fix-TRIE_READ_CHAR-and-DECL_TRIE_TYPE-to-acco.patch 
@@ -0,0 +1,84 @@ +From 1a076cf2730d3a1fbb174af6f56c554691f4cdc3 Mon Sep 17 00:00:00 2001 +From: Yves Orton +Date: Mon, 19 Feb 2018 13:49:46 +1100 +Subject: [PATCH] v5.24.3: fix TRIE_READ_CHAR and DECL_TRIE_TYPE to account for + non-utf8 target +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Petr Pisar: Ported to 5.24.0. + +Signed-off-by: Petr Písař +--- + regexec.c | 14 ++++++++++---- + t/re/re_tests | 1 + + 2 files changed, 11 insertions(+), 4 deletions(-) + +diff --git a/regexec.c b/regexec.c +index 3fd12c4..05e148f 100644 +--- a/regexec.c ++++ b/regexec.c +@@ -1451,7 +1451,7 @@ Perl_re_intuit_start(pTHX_ + #define DECL_TRIE_TYPE(scan) \ + const enum { trie_plain, trie_utf8, trie_utf8_fold, trie_latin_utf8_fold, \ + trie_utf8_exactfa_fold, trie_latin_utf8_exactfa_fold, \ +- trie_utf8l, trie_flu8 } \ ++ trie_utf8l, trie_flu8, trie_flu8_latin } \ + trie_type = ((scan->flags == EXACT) \ + ? (utf8_target ? trie_utf8 : trie_plain) \ + : (scan->flags == EXACTL) \ +@@ -1461,10 +1461,12 @@ Perl_re_intuit_start(pTHX_ + ? trie_utf8_exactfa_fold \ + : trie_latin_utf8_exactfa_fold) \ + : (scan->flags == EXACTFLU8 \ +- ? trie_flu8 \ ++ ? (utf8_target \ ++ ? trie_flu8 \ ++ : trie_flu8_latin) \ + : (utf8_target \ + ? 
trie_utf8_fold \ +- : trie_latin_utf8_fold))) ++ : trie_latin_utf8_fold))) + + /* 'uscan' is set to foldbuf, and incremented, so below the end of uscan is + * 'foldbuf+sizeof(foldbuf)' */ +@@ -1475,7 +1477,7 @@ STMT_START { + switch (trie_type) { \ + case trie_flu8: \ + _CHECK_AND_WARN_PROBLEMATIC_LOCALE; \ +- if (utf8_target && UTF8_IS_ABOVE_LATIN1(*uc)) { \ ++ if (UTF8_IS_ABOVE_LATIN1(*uc)) { \ + _CHECK_AND_OUTPUT_WIDE_LOCALE_UTF8_MSG(uc, uc_end - uc); \ + } \ + goto do_trie_utf8_fold; \ +@@ -1497,10 +1499,14 @@ STMT_START { + uscan = foldbuf + skiplen; \ + } \ + break; \ ++ case trie_flu8_latin: \ ++ _CHECK_AND_WARN_PROBLEMATIC_LOCALE; \ ++ goto do_trie_latin_utf8_fold; \ + case trie_latin_utf8_exactfa_fold: \ + flags |= FOLD_FLAGS_NOMIX_ASCII; \ + /* FALLTHROUGH */ \ + case trie_latin_utf8_fold: \ ++ do_trie_latin_utf8_fold: \ + if ( foldlen>0 ) { \ + uvc = utf8n_to_uvchr( (const U8*) uscan, foldlen, &len, uniflags ); \ + foldlen -= len; \ +diff --git a/t/re/re_tests b/t/re/re_tests +index 7e8522d..ab7ddbb 100644 +--- a/t/re/re_tests ++++ b/t/re/re_tests +@@ -1968,6 +1968,7 @@ ab(?#Comment){2}c abbc y $& abbc + (?:.||)(?|)000000000@ 000000000@ y $& 000000000@ # [perl #126405] + aa$|a(?R)a|a aaa y $& aaa # [perl 128420] recursive matches + (?:\1|a)([bcd])\1(?:(?R)|e)\1 abbaccaddedcb y $& abbaccaddedcb # [perl 128420] recursive match with backreferences ++(?il)\x{100}|\x{100}|\x{FF} \xFF y $& \xFF + + # Keep these lines at the end of the file + # vim: softtabstop=0 noexpandtab +-- +2.14.3 + diff --git a/SOURCES/perl-5.24.3-perl-132063-Heap-buffer-overflow.patch b/SOURCES/perl-5.24.3-perl-132063-Heap-buffer-overflow.patch new file mode 100644 index 0000000..46a413a --- /dev/null +++ b/SOURCES/perl-5.24.3-perl-132063-Heap-buffer-overflow.patch 
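Review bot: The context line `_CHECK_AND_OUTPUT_WIDE_LOCALE_UTF8_MSG(uc, uc_end - uc);` in the `@@ -1475,7 +1477,7 @@` hunk exists only once the `uc_end` parameter introduced by the perl #132063 heap-buffer-overflow patch is in place, so this patch applies cleanly only after that one. The spec does order them that way (Patch45 before Patch46), but the port note in the patch header does not record the prerequisite; I would extend it to `Petr Pisar: Ported to 5.24.0. Depends on the perl #132063 heap-buffer-overflow fix (uc_end argument) being applied first.` The new `case trie_flu8_latin:` jumps to `do_trie_latin_utf8_fold` and so skips the `FOLD_FLAGS_NOMIX_ASCII` line of the exactfa case, which looks intended for an EXACTFLU8 node; both the `DECL_TRIE_TYPE` and `REXEC_TRIE_READ_CHAR` macro bodies extend beyond the hunks shown.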
@@ -0,0 +1,123 @@ +From 29231d73407542051a287cab5e18546e5a622f4a Mon Sep 17 00:00:00 2001 +From: Karl Williamson +Date: Tue, 6 Feb 2018 14:50:48 -0700 +Subject: [perl #132063]: Heap buffer overflow + +The proximal cause is several instances in regexec.c of the code +assuming that the input was valid UTF-8, whereas the input was too short +for what the start byte claimed it would be. + +I grepped through the core for any other similar uses, and did not find +any. +--- + regexec.c | 29 ++++++++++++++++------------- + t/lib/warnings/regexec | 7 +++++++ + 2 files changed, 23 insertions(+), 13 deletions(-) + +diff --git a/regexec.c b/regexec.c +index 5735b997fd..ea432c39d3 100644 +--- a/regexec.c ++++ b/regexec.c +@@ -1466,7 +1466,9 @@ Perl_re_intuit_start(pTHX_ + ? trie_utf8_fold \ + : trie_latin_utf8_fold))) + +-#define REXEC_TRIE_READ_CHAR(trie_type, trie, widecharmap, uc, uscan, len, uvc, charid, foldlen, foldbuf, uniflags) \ ++/* 'uscan' is set to foldbuf, and incremented, so below the end of uscan is ++ * 'foldbuf+sizeof(foldbuf)' */ ++#define REXEC_TRIE_READ_CHAR(trie_type, trie, widecharmap, uc, uc_end, uscan, len, uvc, charid, foldlen, foldbuf, uniflags) \ + STMT_START { \ + STRLEN skiplen; \ + U8 flags = FOLD_FLAGS_FULL; \ +@@ -1474,7 +1476,7 @@ STMT_START { + case trie_flu8: \ + _CHECK_AND_WARN_PROBLEMATIC_LOCALE; \ + if (utf8_target && UTF8_IS_ABOVE_LATIN1(*uc)) { \ +- _CHECK_AND_OUTPUT_WIDE_LOCALE_UTF8_MSG(uc, uc + UTF8SKIP(uc)); \ ++ _CHECK_AND_OUTPUT_WIDE_LOCALE_UTF8_MSG(uc, uc_end - uc); \ + } \ + goto do_trie_utf8_fold; \ + case trie_utf8_exactfa_fold: \ +@@ -1483,7 +1485,7 @@ STMT_START { + case trie_utf8_fold: \ + do_trie_utf8_fold: \ + if ( foldlen>0 ) { \ +- uvc = utf8n_to_uvchr( (const U8*) uscan, UTF8_MAXLEN, &len, uniflags ); \ ++ uvc = utf8n_to_uvchr( (const U8*) uscan, foldlen, &len, uniflags ); \ + foldlen -= len; \ + uscan += len; \ + len=0; \ +@@ -1500,7 +1502,7 @@ STMT_START { + /* FALLTHROUGH */ \ + case trie_latin_utf8_fold: \ + if ( 
foldlen>0 ) { \ +- uvc = utf8n_to_uvchr( (const U8*) uscan, UTF8_MAXLEN, &len, uniflags ); \ ++ uvc = utf8n_to_uvchr( (const U8*) uscan, foldlen, &len, uniflags ); \ + foldlen -= len; \ + uscan += len; \ + len=0; \ +@@ -1519,7 +1521,7 @@ STMT_START { + } \ + /* FALLTHROUGH */ \ + case trie_utf8: \ +- uvc = utf8n_to_uvchr( (const U8*) uc, UTF8_MAXLEN, &len, uniflags ); \ ++ uvc = utf8n_to_uvchr( (const U8*) uc, uc_end - uc, &len, uniflags ); \ + break; \ + case trie_plain: \ + uvc = (UV)*uc; \ +@@ -2599,10 +2601,10 @@ S_find_byclass(pTHX_ regexp * prog, const regnode *c, char *s, + } + points[pointpos++ % maxlen]= uc; + if (foldlen || uc < (U8*)strend) { +- REXEC_TRIE_READ_CHAR(trie_type, trie, +- widecharmap, uc, +- uscan, len, uvc, charid, foldlen, +- foldbuf, uniflags); ++ REXEC_TRIE_READ_CHAR(trie_type, trie, widecharmap, uc, ++ (U8 *) strend, uscan, len, uvc, ++ charid, foldlen, foldbuf, ++ uniflags); + DEBUG_TRIE_EXECUTE_r({ + dump_exec_pos( (char *)uc, c, strend, + real_start, s, utf8_target, 0); +@@ -5511,8 +5513,9 @@ S_regmatch(pTHX_ regmatch_info *reginfo, char *startpos, regnode *prog) + if ( base && (foldlen || uc < (U8*)(reginfo->strend))) { + I32 offset; + REXEC_TRIE_READ_CHAR(trie_type, trie, widecharmap, uc, +- uscan, len, uvc, charid, foldlen, +- foldbuf, uniflags); ++ (U8 *) reginfo->strend, uscan, ++ len, uvc, charid, foldlen, ++ foldbuf, uniflags); + charcount++; + if (foldlen>0) + ST.longfold = TRUE; +@@ -5642,8 +5645,8 @@ S_regmatch(pTHX_ regmatch_info *reginfo, char *startpos, regnode *prog) + while (foldlen) { + if (!--chars) + break; +- uvc = utf8n_to_uvchr(uscan, UTF8_MAXLEN, &len, +- uniflags); ++ uvc = utf8n_to_uvchr(uscan, foldlen, &len, ++ uniflags); + uscan += len; + foldlen -= len; + } +diff --git a/t/lib/warnings/regexec b/t/lib/warnings/regexec +index 900dd6ee7f..6635142dea 100644 +--- a/t/lib/warnings/regexec ++++ b/t/lib/warnings/regexec +@@ -260,3 +260,10 @@ setlocale(&POSIX::LC_CTYPE, $utf8_locale); + "k" =~ /(?[ \N{KELVIN SIGN} 
])/i; + ":" =~ /(?[ \: ])/; + EXPECT ++######## ++# NAME perl #132063, read beyond buffer end ++# OPTION fatal ++"\xff" =~ /(?il)\x{100}|\x{100}/; ++EXPECT ++Malformed UTF-8 character: \xff (too short; 1 byte available, need 13) in pattern match (m//) at - line 2. ++Malformed UTF-8 character (fatal) at - line 2. +-- +2.11.0 + diff --git a/SOURCES/perl-5.24.3-perl-132063-we-should-no-longer-warn-for-this-code.patch b/SOURCES/perl-5.24.3-perl-132063-we-should-no-longer-warn-for-this-code.patch new file mode 100644 index 0000000..f98c2c3 --- /dev/null +++ b/SOURCES/perl-5.24.3-perl-132063-we-should-no-longer-warn-for-this-code.patch @@ -0,0 +1,30 @@ +From 9dd4e0280eca2ba666cc0671ec3724610ed7d366 Mon Sep 17 00:00:00 2001 +From: Tony Cook +Date: Mon, 19 Feb 2018 15:11:42 +1100 +Subject: (perl #132063) we should no longer warn for this code + +The first patch for 132063 prevented the buffer read overflow when +dumping the warning but didn't fix the underlying problem. + +The next change treats the supplied buffer correctly, preventing the +non-UTF-8 SV from being treated as UTF-8, preventing the warning. +--- + t/lib/warnings/regexec | 3 --- + 1 file changed, 3 deletions(-) + +diff --git a/t/lib/warnings/regexec b/t/lib/warnings/regexec +index 6635142dea..c370ddc3c7 100644 +--- a/t/lib/warnings/regexec ++++ b/t/lib/warnings/regexec +@@ -262,8 +262,5 @@ setlocale(&POSIX::LC_CTYPE, $utf8_locale); + EXPECT + ######## + # NAME perl #132063, read beyond buffer end +-# OPTION fatal + "\xff" =~ /(?il)\x{100}|\x{100}/; + EXPECT +-Malformed UTF-8 character: \xff (too short; 1 byte available, need 13) in pattern match (m//) at - line 2. +-Malformed UTF-8 character (fatal) at - line 2. +-- +2.11.0 + diff --git a/SOURCES/perl-5.24.3-perl-132227-restart-a-node-if-we-change-to-uni-rules.patch b/SOURCES/perl-5.24.3-perl-132227-restart-a-node-if-we-change-to-uni-rules.patch new file mode 100644 index 0000000..212f93b --- /dev/null 
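Review bot: In the `@@ -1474,7 +1476,7 @@` hunk the second argument of `_CHECK_AND_OUTPUT_WIDE_LOCALE_UTF8_MSG` changes kind, from the end pointer `uc + UTF8SKIP(uc)` to the byte count `uc_end - uc`, and whether that is right depends on the macro's definition in the 5.24.0 tree, which is outside the hunk. If the 5.24.0 macro still takes an end pointer, as the removed line suggests, the call should be `_CHECK_AND_OUTPUT_WIDE_LOCALE_UTF8_MSG(uc, uc_end);`; otherwise an integer is passed where a pointer is expected in the very warning path this fix hardens, and the compiler may only warn about it. The remaining hunks consistently replace `UTF8_MAXLEN` with the bytes actually available (`foldlen`, `uc_end - uc`), which is the right bound to hand `utf8n_to_uvchr`. The `REXEC_TRIE_READ_CHAR` macro body and its callers in `S_find_byclass` and `S_regmatch` continue outside the hunks.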
+++ b/SOURCES/perl-5.24.3-perl-132227-restart-a-node-if-we-change-to-uni-rules.patch @@ -0,0 +1,37 @@ +From e02d7478ebfc399a9d10ba0df60eee217aa7ab8f Mon Sep 17 00:00:00 2001 +From: Karl Williamson +Date: Fri, 2 Feb 2018 15:14:27 -0700 +Subject: (perl #132227) restart a node if we change to uni rules within the + node and encounter a sharp S + +This could lead to a buffer overflow. +--- + regcomp.c | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +diff --git a/regcomp.c b/regcomp.c +index c6c7cb4925..d79bd191c9 100644 +--- a/regcomp.c ++++ b/regcomp.c +@@ -13323,6 +13323,18 @@ S_regatom(pTHX_ RExC_state_t *pRExC_state, I32 *flagp, U32 depth) + * /u. This includes the multi-char fold SHARP S to + * 'ss' */ + if (UNLIKELY(ender == LATIN_SMALL_LETTER_SHARP_S)) { ++ ++ /* If the node started out having uni rules, we ++ * wouldn't have gotten here. So this means ++ * something in the middle has changed it, but ++ * didn't think it needed to reparse. But this ++ * sharp s now does indicate the need for ++ * reparsing. */ ++ if (RExC_uni_semantics) { ++ p = oldp; ++ goto loopdone; ++ } ++ + RExC_seen_unfolded_sharp_s = 1; + maybe_exactfu = FALSE; + } +-- +2.11.0 + diff --git a/SPECS/perl.spec b/SPECS/perl.spec index 7297eba..1930122 100644 --- a/SPECS/perl.spec +++ b/SPECS/perl.spec @@ -34,7 +34,7 @@ Name: %{?scl_prefix}perl Version: %{perl_version} # release number must be even higher, because dual-lived modules will be broken otherwise -Release: 379%{?dist} +Release: 380%{?dist} Epoch: %{perl_epoch} Summary: Practical Extraction and Report Language Group: Development/Languages 
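Review bot: The regcomp.c hunk fixes a heap write overflow, but the diffstat (`regcomp.c | 12 ++++++++++++`, one file changed) shows no regression test, unlike the #132063 series, which extends t/lib/warnings/regexec and t/re/re_tests. A t/re/re_tests entry that reaches this branch would pin the fix and protect the backport against future rebases. The new early exit `p = oldp; goto loopdone;` runs before `RExC_seen_unfolded_sharp_s = 1` is reached, so the reparse the comment promises must be requested at `loopdone` or by the code that set `RExC_uni_semantics`, none of which is visible here; a one-line pointer in the comment to where the restart is actually triggered would help a reader, since nothing in the hunk itself sets a reparse flag. `S_regatom` begins and ends outside the hunk.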
@@ -2158,6 +2158,16 @@ Patch43: perl-5.24.0-PATCH-perl-128734-tr-N-.-failing-for-128-255.patch # in upstream after 5.24.1 Patch44: perl-5.24.0-CVE-2016-1238-maint-5.24-dot-in-inc.patch +# Fix CVE-2018-6798 (heap read overflow in regexec.c), bug #1561102, RT#132063, +# in upstream after 5.26.1 +Patch45: perl-5.24.3-perl-132063-Heap-buffer-overflow.patch +Patch46: perl-5.24.0-fix-TRIE_READ_CHAR-and-DECL_TRIE_TYPE-to-acco.patch +Patch47: perl-5.24.3-perl-132063-we-should-no-longer-warn-for-this-code.patch + +# Fix CVE-2018-6797 (heap write overflow in regcomp.c), bug #1561102, RT#132227, +# in upstream after 5.26.1 +Patch48: perl-5.24.3-perl-132227-restart-a-node-if-we-change-to-uni-rules.patch + # Link XS modules to libperl.so with EU::CBuilder on Linux, bug #960048 Patch200: perl-5.16.3-Link-XS-modules-to-libperl.so-with-EU-CBuilder-on-Li.patch @@ -4894,6 +4904,10 @@ Perl extension for Version Objects %patch42 -p1 %patch43 -p1 %patch44 -p1 +%patch45 -p1 +%patch46 -p1 +%patch47 -p1 +%patch48 -p1 %patch200 -p1 %patch201 -p1 %patch300 -p1 @@ -4938,6 +4952,8 @@ perl -x patchlevel.h \ 'Fedora Patch42: Fix a crash in lexical scope warnings (RT#128597)' \ 'Fedora Patch43: Fix handling \N{} in tr for characters in range 128--255 (RT#128734)' \ 'Fedora Patch44: Avoid loading of modules from current directory (CVE-2016-1238)' \ + 'RHEL Patch45: Fix CVE-2018-6798 (heap read overflow in regexec.c) (RT#132063)' \ + 'RHEL Patch48: Fix CVE-2018-6797 (heap write overflow in regcomp.c) (RT#132227)' \ 'Fedora Patch200: Link XS modules to libperl.so with EU::CBuilder on Linux' \ 'Fedora Patch201: Link XS modules to libperl.so with EU::MM on Linux' \ %{nil} 
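Review bot: The `perl -x patchlevel.h` hunk (`@@ -4938,6 +4952,8 @@`) registers only Patch45 and Patch48, while the first two hunks declare and apply Patch46 and Patch47 as well; Patch46 changes regexec.c (the TRIE_READ_CHAR/DECL_TRIE_TYPE fix), so `perl -V` will not list that code change. Unless the omission is deliberate because the three patches are treated as one CVE-2018-6798 fix, add `'RHEL Patch46: Fix TRIE_READ_CHAR and DECL_TRIE_TYPE to account for non-UTF-8 target (RT#132063)' \` after the Patch45 line; Patch47 is test-only and may reasonably stay out. The Patch45/46/47 order in both hunks is significant, since Patch46's context depends on the `uc_end` parameter introduced by Patch45, and it is correct as written.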
@@ -7235,6 +7251,10 @@ popd # Old changelog entries are preserved in CVS. %changelog +* Wed Mar 28 2018 Petr Pisar - 4:5.24.0-380 +- Fix CVE-2018-6798 (heap read overflow in regexec.c) (bug #1561102) +- Fix CVE-2018-6797 (heap write overflow in regcomp.c) (bug #1561102) + * Tue Aug 02 2016 Jitka Plesnikova - 4:5.24.0-379 - Avoid loading of modules from current directory, CVE-2016-1238, (bug #1360425)