rpms/perl/FC-4 perl-5.8.6-CVE-2005-3962-bz174684.patch, 1.1, 1.2 perl-5.8.6-MM_Unix-rpath-136009.patch, 1.1, 1.2 perl.spec, 1.67, 1.68

fedora-cvs-commits at redhat.com fedora-cvs-commits at redhat.com
Fri Dec 9 21:20:14 UTC 2005


Author: jvdias

Update of /cvs/dist/rpms/perl/FC-4
In directory cvs.devel.redhat.com:/tmp/cvs-serv21262

Modified Files:
	perl-5.8.6-CVE-2005-3962-bz174684.patch 
	perl-5.8.6-MM_Unix-rpath-136009.patch perl.spec 
Log Message:
- Apply upstream patches 26283 and 26284: complete, revised fixes
  for CVE-2005-3962 and CVE-2005-3912 and the
  "Sys::Syslog security vulnerabilities" issues.
- Fix bug 136009 / MakeMaker LD_RUN_PATH issue:
  restore the previous default Red Hat behavior of removing the
  MakeMaker-generated LD_RUN_PATH setting from the link command.
  Document this removal, as it contravenes upstream default behavior, and
  provide a USE_MM_LD_RUN_PATH MakeMaker member to enable use of the
  MakeMaker-generated LD_RUN_PATH.


perl-5.8.6-CVE-2005-3962-bz174684.patch:
 ext/Sys/Syslog/Syslog.pm |   92 ++++++++++++++++++++++++++++-----------------
 handy.h                  |   96 +++++++++++++++++------------------------------
 makedef.pl               |   12 +++--
 op.c                     |    4 +
 opcode.h                 |    2 
 opcode.pl                |    2 
 perl.h                   |    9 +++-
 sv.c                     |   19 +++++++--
 t/lib/warnings/sv        |    6 +-
 t/op/sprintf.t           |    3 +
 t/op/sprintf2.t          |   28 +++++++++++++
 11 files changed, 161 insertions(+), 112 deletions(-)

Index: perl-5.8.6-CVE-2005-3962-bz174684.patch
===================================================================
RCS file: /cvs/dist/rpms/perl/FC-4/perl-5.8.6-CVE-2005-3962-bz174684.patch,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- perl-5.8.6-CVE-2005-3962-bz174684.patch	1 Dec 2005 18:45:06 -0000	1.1
+++ perl-5.8.6-CVE-2005-3962-bz174684.patch	9 Dec 2005 21:20:10 -0000	1.2
@@ -1,18 +1,396 @@
---- perl-5.8.7/t/op/sprintf2.t.CVE-2005-3962-bz174684	2004-02-09 16:37:13.000000000 -0500
-+++ perl-5.8.7/t/op/sprintf2.t	2005-12-01 13:11:34.000000000 -0500
+--- perl-5.8.6/handy.h.CVE-2005-3962-bz174684	2004-09-10 02:46:31.000000000 -0400
++++ perl-5.8.6/handy.h	2005-12-09 15:25:53.000000000 -0500
+@@ -593,91 +593,65 @@
+ 
+ =cut */
+ 
+-#ifndef lint
+-
+ #define NEWSV(x,len)	newSV(len)
+ 
+ #ifdef PERL_MALLOC_WRAP
+ #define MEM_WRAP_CHECK(n,t) \
+-	(void)((n)>((MEM_SIZE)~0)/sizeof(t)?(Perl_croak_nocontext(PL_memory_wrap),0):0)
++	(void)((sizeof(t)>1?(n):1)>((MEM_SIZE)~0)/sizeof(t)?(Perl_croak_nocontext(PL_memory_wrap),0):0)
+ #define MEM_WRAP_CHECK_1(n,t,a) \
+-	(void)((n)>((MEM_SIZE)~0)/sizeof(t)?(Perl_croak_nocontext(a),0):0)
++	(void)((sizeof(t)>1?(n):1)>((MEM_SIZE)~0)/sizeof(t)?(Perl_croak_nocontext(a),0):0)
+ #define MEM_WRAP_CHECK_2(n,t,a,b) \
+-	(void)((n)>((MEM_SIZE)~0)/sizeof(t)?(Perl_croak_nocontext(a,b),0):0)
++	(void)((sizeof(t)>1?(n):1)>((MEM_SIZE)~0)/sizeof(t)?(Perl_croak_nocontext(a,b),0):0)
++#define MEM_WRAP_CHECK_(n,t) MEM_WRAP_CHECK(n,t),
+ 
+-#define New(x,v,n,t)	(v = (MEM_WRAP_CHECK(n,t), (t*)safemalloc((MEM_SIZE)((n)*sizeof(t)))))
+-#define Newc(x,v,n,t,c)	(v = (MEM_WRAP_CHECK(n,t), (c*)safemalloc((MEM_SIZE)((n)*sizeof(t)))))
+-#define Newz(x,v,n,t)	(v = (MEM_WRAP_CHECK(n,t), (t*)safemalloc((MEM_SIZE)((n)*sizeof(t))))), \
+-			memzero((char*)(v), (n)*sizeof(t))
+-#define Renew(v,n,t) \
+-	  (v = (MEM_WRAP_CHECK(n,t), (t*)saferealloc((Malloc_t)(v),(MEM_SIZE)((n)*sizeof(t)))))
+-#define Renewc(v,n,t,c) \
+-	  (v = (MEM_WRAP_CHECK(n,t), (c*)saferealloc((Malloc_t)(v),(MEM_SIZE)((n)*sizeof(t)))))
+-#define Safefree(d)	safefree((Malloc_t)(d))
+-
+-#define Move(s,d,n,t)	(MEM_WRAP_CHECK(n,t), (void)memmove((char*)(d),(char*)(s), (n) * sizeof(t)))
+-#define Copy(s,d,n,t)	(MEM_WRAP_CHECK(n,t), (void)memcpy((char*)(d),(char*)(s), (n) * sizeof(t)))
+-#define Zero(d,n,t)	(MEM_WRAP_CHECK(n,t), (void)memzero((char*)(d), (n) * sizeof(t)))
+-
+-#define MoveD(s,d,n,t)	(MEM_WRAP_CHECK(n,t), memmove((char*)(d),(char*)(s), (n) * sizeof(t)))
+-#define CopyD(s,d,n,t)	(MEM_WRAP_CHECK(n,t), memcpy((char*)(d),(char*)(s), (n) * sizeof(t)))
+-#ifdef HAS_MEMSET
+-#define ZeroD(d,n,t)	(MEM_WRAP_CHECK(n,t), memzero((char*)(d), (n) * sizeof(t)))
+-#else
+-/* Using bzero(), which returns void.  */
+-#define ZeroD(d,n,t)	(MEM_WRAP_CHECK(n,t), memzero((char*)(d), (n) * sizeof(t)),d)
+-#endif
+-
+-#define Poison(d,n,t)	(MEM_WRAP_CHECK(n,t), (void)memset((char*)(d), 0xAB, (n) * sizeof(t)))
++#define PERL_STRLEN_ROUNDUP(n) ((void)(((n) > (MEM_SIZE)~0 - 2 * PERL_STRLEN_ROUNDUP_QUANTUM) ? (Perl_croak_nocontext(PL_memory_wrap),0):0),((n-1+PERL_STRLEN_ROUNDUP_QUANTUM)&~((MEM_SIZE)PERL_STRLEN_ROUNDUP_QUANTUM-1)))
+ 
+ #else
+ 
+ #define MEM_WRAP_CHECK(n,t)
+ #define MEM_WRAP_CHECK_1(n,t,a)
+ #define MEM_WRAP_CHECK_2(n,t,a,b)
++#define MEM_WRAP_CHECK_(n,t)
++
++#define PERL_STRLEN_ROUNDUP(n) (((n-1+PERL_STRLEN_ROUNDUP_QUANTUM)&~((MEM_SIZE)PERL_STRLEN_ROUNDUP_QUANTUM-1)))
+ 
+-#define New(x,v,n,t)	(v = (t*)safemalloc((MEM_SIZE)((n)*sizeof(t))))
+-#define Newc(x,v,n,t,c)	(v = (c*)safemalloc((MEM_SIZE)((n)*sizeof(t))))
+-#define Newz(x,v,n,t)	(v = (t*)safemalloc((MEM_SIZE)((n)*sizeof(t)))), \
++#endif
++
++#define Newx(v,n,t)	(v = (MEM_WRAP_CHECK_(n,t) (t*)safemalloc((MEM_SIZE)((n)*sizeof(t)))))
++#define Newxc(v,n,t,c)	(v = (MEM_WRAP_CHECK_(n,t) (c*)safemalloc((MEM_SIZE)((n)*sizeof(t)))))
++#define Newxz(v,n,t)	(v = (MEM_WRAP_CHECK_(n,t) (t*)safemalloc((MEM_SIZE)((n)*sizeof(t))))), \
+ 			memzero((char*)(v), (n)*sizeof(t))
++/* pre 5.9.x compatibility */
++#define New(x,v,n,t)	Newx(v,n,t)
++#define Newc(x,v,n,t,c)	Newxc(v,n,t,c)
++#define Newz(x,v,n,t)	Newxz(v,n,t)
++
+ #define Renew(v,n,t) \
+-	  (v = (t*)saferealloc((Malloc_t)(v),(MEM_SIZE)((n)*sizeof(t))))
++	  (v = (MEM_WRAP_CHECK_(n,t) (t*)saferealloc((Malloc_t)(v),(MEM_SIZE)((n)*sizeof(t)))))
+ #define Renewc(v,n,t,c) \
+-	  (v = (c*)saferealloc((Malloc_t)(v),(MEM_SIZE)((n)*sizeof(t))))
+-#define Safefree(d)	safefree((Malloc_t)(d))
+-
+-#define Move(s,d,n,t)	(void)memmove((char*)(d),(char*)(s), (n) * sizeof(t))
+-#define Copy(s,d,n,t)	(void)memcpy((char*)(d),(char*)(s), (n) * sizeof(t))
+-#define Zero(d,n,t)	(void)memzero((char*)(d), (n) * sizeof(t))
++	  (v = (MEM_WRAP_CHECK_(n,t) (c*)saferealloc((Malloc_t)(v),(MEM_SIZE)((n)*sizeof(t)))))
+ 
+-#define MoveD(s,d,n,t)	memmove((char*)(d),(char*)(s), (n) * sizeof(t))
+-#define CopyD(s,d,n,t)	memcpy((char*)(d),(char*)(s), (n) * sizeof(t))
+-#ifdef HAS_MEMSET
+-#define ZeroD(d,n,t)	memzero((char*)(d), (n) * sizeof(t))
++#ifdef PERL_POISON
++#define Safefree(d) \
++  (d ? (void)(safefree((Malloc_t)(d)), Poison(&(d), 1, Malloc_t)) : (void) 0)
+ #else
+-#define ZeroD(d,n,t)	((void)memzero((char*)(d), (n) * sizeof(t)),d)
++#define Safefree(d)	safefree((Malloc_t)(d))
+ #endif
+ 
+-#define Poison(d,n,t)	(void)memset((char*)(d), 0xAB, (n) * sizeof(t))
++#define Move(s,d,n,t)	(MEM_WRAP_CHECK_(n,t) (void)memmove((char*)(d),(const char*)(s), (n) * sizeof(t)))
++#define Copy(s,d,n,t)	(MEM_WRAP_CHECK_(n,t) (void)memcpy((char*)(d),(const char*)(s), (n) * sizeof(t)))
++#define Zero(d,n,t)	(MEM_WRAP_CHECK_(n,t) (void)memzero((char*)(d), (n) * sizeof(t)))
+ 
++#define MoveD(s,d,n,t)	(MEM_WRAP_CHECK_(n,t) memmove((char*)(d),(const char*)(s), (n) * sizeof(t)))
++#define CopyD(s,d,n,t)	(MEM_WRAP_CHECK_(n,t) memcpy((char*)(d),(const char*)(s), (n) * sizeof(t)))
++#ifdef HAS_MEMSET
++#define ZeroD(d,n,t)	(MEM_WRAP_CHECK_(n,t) memzero((char*)(d), (n) * sizeof(t)))
++#else
++/* Using bzero(), which returns void.  */
++#define ZeroD(d,n,t)	(MEM_WRAP_CHECK_(n,t) memzero((char*)(d), (n) * sizeof(t)),d)
+ #endif
+ 
+-#else /* lint */
+-
+-#define New(x,v,n,s)	(v = Null(s *))
+-#define Newc(x,v,n,s,c)	(v = Null(s *))
+-#define Newz(x,v,n,s)	(v = Null(s *))
+-#define Renew(v,n,s)	(v = Null(s *))
+-#define Move(s,d,n,t)
+-#define Copy(s,d,n,t)
+-#define Zero(d,n,t)
+-#define MoveD(s,d,n,t)	d
+-#define CopyD(s,d,n,t)	d
+-#define ZeroD(d,n,t)	d
+-#define Poison(d,n,t)
+-#define Safefree(d)	(d) = (d)
+-
+-#endif /* lint */
++#define Poison(d,n,t)	(MEM_WRAP_CHECK_(n,t) (void)memset((char*)(d), 0xAB, (n) * sizeof(t)))
+ 
+ #ifdef USE_STRUCT_COPY
+ #define StructCopy(s,d,t) (*((t*)(d)) = *((t*)(s)))
+--- perl-5.8.6/op.c.CVE-2005-3962-bz174684	2004-11-16 14:35:59.000000000 -0500
++++ perl-5.8.6/op.c	2005-12-09 15:25:53.000000000 -0500
+@@ -2064,7 +2064,9 @@
+ 	/* XXX might want a ck_negate() for this */
+ 	cUNOPo->op_first->op_private &= ~OPpCONST_STRICT;
+ 	break;
+-    case OP_SPRINTF:
++/* Removed as part of fix for CVE-2005-3962 / Upstream patch 26283 : 
++ *   case OP_SPRINTF:
++ */
+     case OP_UCFIRST:
+     case OP_LCFIRST:
+     case OP_UC:
+--- perl-5.8.6/ext/Sys/Syslog/Syslog.pm.CVE-2005-3962-bz174684	2004-10-19 15:39:55.000000000 -0400
++++ perl-5.8.6/ext/Sys/Syslog/Syslog.pm	2005-12-09 14:15:24.000000000 -0500
+@@ -1,17 +1,16 @@
+ package Sys::Syslog;
+-require 5.000;
++require 5.006;
+ require Exporter;
+-require DynaLoader;
+ use Carp;
++use strict;
+ 
+- at ISA = qw(Exporter DynaLoader);
+- at EXPORT = qw(openlog closelog setlogmask syslog);
+- at EXPORT_OK = qw(setlogsock);
+-$VERSION = '0.05';
++our @ISA = qw(Exporter);
++our @EXPORT = qw(openlog closelog setlogmask syslog);
++our @EXPORT_OK = qw(setlogsock);
++our $VERSION = '0.08';
+ 
+ # it would be nice to try stream/unix first, since that will be
+ # most efficient. However streams are dodgy - see _syslog_send_stream
+-#my @connectMethods = ( 'stream', 'unix', 'tcp', 'udp' );
+ my @connectMethods = ( 'tcp', 'udp', 'unix', 'stream', 'console' );
+ if ($^O =~ /^(freebsd|linux)$/) {
+     @connectMethods = grep { $_ ne 'udp' } @connectMethods;
+@@ -22,8 +21,9 @@
+ my $current_proto = undef;
+ my $failed = undef;
+ my $fail_time = undef;
++our ($connected, @fallbackMethods, $syslog_send, $host);
+ 
+-use Socket;
++use Socket ':all';
+ use Sys::Hostname;
+ 
+ =head1 NAME
+@@ -53,26 +53,38 @@
+ 
+ =item openlog $ident, $logopt, $facility
+ 
++Opens the syslog.
+ I<$ident> is prepended to every message.  I<$logopt> contains zero or
+ more of the words I<pid>, I<ndelay>, I<nowait>.  The cons option is
+ ignored, since the failover mechanism will drop down to the console
+ automatically if all other media fail.  I<$facility> specifies the
+ part of the system to report about, for example LOG_USER or LOG_LOCAL0:
+ see your C<syslog(3)> documentation for the facilities available in
+-your system.
++your system. This function will croak if it can't connect to the syslog
++daemon.
+ 
+ B<You should use openlog() before calling syslog().>
+ 
++=item syslog $priority, $message
++
+ =item syslog $priority, $format, @args
+ 
+-If I<$priority> permits, logs I<($format, @args)>
+-printed as by C<printf(3V)>, with the addition that I<%m>
+-is replaced with C<"$!"> (the latest error message).
++If I<$priority> permits, logs I<$message> or I<sprintf($format, @args)>
++with the addition that I<%m> in $message or $format is replaced with
++C<"$!"> (the latest error message).
+ 
+ If you didn't use openlog() before using syslog(), syslog will try to
+ guess the I<$ident> by extracting the shortest prefix of I<$format>
+ that ends in a ":".
+ 
++Note that Sys::Syslog version v0.07 and older passed the $message as
++the formatting string to sprintf() even when no formatting arguments
++were provided.  If the code calling syslog() might execute with older
++versions of this module, make sure to call the function as
++syslog($priority, "%s", $message) instead of syslog($priority,
++$message).  This protects against hostile formatting sequences that
++might show up if $message contains tainted data.
++
+ =item setlogmask $mask_priority
+ 
+ Sets log mask I<$mask_priority> and returns the old mask.
+@@ -114,7 +126,7 @@
+ =head1 EXAMPLES
+ 
+     openlog($program, 'cons,pid', 'user');
+-    syslog('info', 'this is another test');
++    syslog('info', '%s', 'this is another test');
+     syslog('mail|warning', 'this is a better test: %d', time);
+     closelog();
+ 
+@@ -169,36 +181,38 @@
+     if ($error) {
+ 	croak $error;
+     }
++    no strict 'refs';
+     *$AUTOLOAD = sub { $val };
+     goto &$AUTOLOAD;
+ }
+ 
+-bootstrap Sys::Syslog $VERSION;
++require XSLoader;
++XSLoader::load('Sys::Syslog', $VERSION);
+ 
+-$maskpri = &LOG_UPTO(&LOG_DEBUG);
++our $maskpri = &LOG_UPTO(&LOG_DEBUG);
+ 
+ sub openlog {
+-    ($ident, $logopt, $facility) = @_;  # package vars
+-    $lo_pid = $logopt =~ /\bpid\b/;
+-    $lo_ndelay = $logopt =~ /\bndelay\b/;
+-    $lo_nowait = $logopt =~ /\bnowait\b/;
++    our ($ident, $logopt, $facility) = @_;  # package vars
++    our $lo_pid = $logopt =~ /\bpid\b/;
++    our $lo_ndelay = $logopt =~ /\bndelay\b/;
++    our $lo_nowait = $logopt =~ /\bnowait\b/;
+     return 1 unless $lo_ndelay;
+     &connect;
+ } 
+ 
+ sub closelog {
+-    $facility = $ident = '';
++    our $facility = our $ident = '';
+     &disconnect;
+ } 
+ 
+ sub setlogmask {
+-    local($oldmask) = $maskpri;
++    my $oldmask = $maskpri;
+     $maskpri = shift;
+     $oldmask;
+ }
+  
+ sub setlogsock {
+-    local($setsock) = shift;
++    my $setsock = shift;
+     $syslog_path = shift;
+     &disconnect if $connected;
+     $transmit_ok = 0;
+@@ -260,10 +274,11 @@
+ }
+ 
+ sub syslog {
+-    local($priority) = shift;
+-    local($mask) = shift;
+-    local($message, $whoami);
+-    local(@words, $num, $numpri, $numfac, $sum);
++    my $priority = shift;
++    my $mask = shift;
++    my ($message, $whoami);
++    my (@words, $num, $numpri, $numfac, $sum);
++    our $facility;
+     local($facility) = $facility;	# may need to change temporarily.
+ 
+     croak "syslog: expecting argument \$priority" unless $priority;
+@@ -298,7 +313,7 @@
+ 
+     &connect unless $connected;
+ 
+-    $whoami = $ident;
++    $whoami = our $ident;
+ 
+     if (!$whoami && $mask =~ /^(\S.*?):\s?(.*)/) {
+ 	$whoami = $1;
+@@ -311,11 +326,18 @@
+ 		($whoami = 'syslog');
+     }
+ 
+-    $whoami .= "[$$]" if $lo_pid;
++    $whoami .= "[$$]" if our $lo_pid;
++
++    if ($mask =~ /%m/) {
++	my $err = $!;
++	# escape percent signs if sprintf will be called
++	$err =~ s/%/%%/g if @_;
++	# replace %m with $err, if preceded by an even number of percent signs
++	$mask =~ s/(?<!%)((?:%%)*)%m/$1$err/g;
++    }
+ 
+-    $mask =~ s/%m/$!/g;
+     $mask .= "\n" unless $mask =~ /\n$/;
+-    $message = sprintf ($mask, @_);
++    $message = @_ ? sprintf($mask, @_) : $mask;
+ 
+     $sum = $numpri + $numfac;
+     my $buf = "<$sum>$whoami: $message\0";
+@@ -363,6 +385,7 @@
+     # so we do it in a child process and always return success
+     # to the caller.
+     if (my $pid = fork) {
++	our $lo_nowait;
+ 	if ($lo_nowait) {
+ 	    return 1;
+ 	} else {
+@@ -399,13 +422,13 @@
+ }
+ 
+ sub xlate {
+-    local($name) = @_;
++    my($name) = @_;
+     return $name+0 if $name =~ /^\s*\d+\s*$/;
+     $name = uc $name;
+     $name = "LOG_$name" unless $name =~ /^LOG_/;
+     $name = "Sys::Syslog::$name";
+     # Can't have just eval { &$name } || -1 because some LOG_XXX may be zero.
+-    my $value = eval { &$name };
++    my $value = eval { no strict 'refs'; &$name };
+     defined $value ? $value : -1;
+ }
+ 
+@@ -419,15 +442,16 @@
+     my @errs = ();
+     my $proto = undef;
+     while ($proto = shift(@fallbackMethods)) {
++	no strict 'refs';
+ 	my $fn = "connect_$proto";
+-	$connected = &$fn(\@errs) unless (!defined &$fn);
++	$connected = &$fn(\@errs) if defined &$fn;
+ 	last if ($connected);
+     }
+ 
+     $transmit_ok = 0;
+     if ($connected) {
+ 	$current_proto = $proto;
+-        local($old) = select(SYSLOG); $| = 1; select($old);
++        my($old) = select(SYSLOG); $| = 1; select($old);
+     } else {
+ 	@fallbackMethods = ();
+ 	foreach my $err (@errs) {
+--- perl-5.8.6/t/op/sprintf2.t.CVE-2005-3962-bz174684	2004-02-09 16:37:13.000000000 -0500
++++ perl-5.8.6/t/op/sprintf2.t	2005-12-09 15:25:53.000000000 -0500
 @@ -6,7 +6,7 @@
      require './test.pl';
  }   
  
 -plan tests => 3;
-+plan tests => 6;
++plan tests => 7;
  
  is(
      sprintf("%.40g ",0.01),
-@@ -26,3 +26,20 @@
+@@ -26,3 +26,29 @@
  		q(width calculation under utf8 upgrade)
  	);
  }
++
++# Used to mangle PL_sv_undef
++fresh_perl_is(
++    'print sprintf "xxx%n\n"; print undef',
++    'Modification of a read-only value attempted at - line 1.',
++    { switches => [ '-w' ] },
++    q(%n should not be able to modify read-only constants),
++);
++
 +# check %NNN$ for range bounds, especially negative 2's complement
 +{
 +    my ($warn, $bad) = (0,0);
@@ -30,9 +408,36 @@
 +    is($warn, 36, "expected warnings");
 +    is($bad,   0, "unexpected warnings");
 +}
---- perl-5.8.7/sv.c.CVE-2005-3962-bz174684	2005-05-27 06:38:11.000000000 -0400
-+++ perl-5.8.7/sv.c	2005-12-01 13:11:14.000000000 -0500
-@@ -8707,9 +8707,10 @@
+--- perl-5.8.6/t/op/sprintf.t.CVE-2005-3962-bz174684	2003-09-01 03:41:07.000000000 -0400
++++ perl-5.8.6/t/op/sprintf.t	2005-12-09 15:25:53.000000000 -0500
+@@ -385,3 +385,6 @@
+ >%4$K %d<	>[45, 67]<	>%4$K 45 INVALID<
+ >%d %K %d<	>[23, 45]<	>23 %K 45 INVALID<
+ >%*v*999\$d %d %d<	>[11, 22, 33]<	>%*v*999\$d 11 22 INVALID<
++>%#b<		>0<	>0<
++>%#o<		>0<	>0<
++>%#x<		>0<	>0<
+--- perl-5.8.6/t/lib/warnings/sv.CVE-2005-3962-bz174684	2004-03-18 07:51:14.000000000 -0500
++++ perl-5.8.6/t/lib/warnings/sv	2005-12-09 15:25:53.000000000 -0500
+@@ -301,12 +301,12 @@
+ printf F "%\x02" ;
+ $a = sprintf "%\x02" ;
+ EXPECT
+-Invalid conversion in sprintf: "%z" at - line 5.
+-Invalid conversion in sprintf: end of string at - line 7.
+-Invalid conversion in sprintf: "%\002" at - line 9.
+ Invalid conversion in printf: "%z" at - line 4.
++Invalid conversion in sprintf: "%z" at - line 5.
+ Invalid conversion in printf: end of string at - line 6.
++Invalid conversion in sprintf: end of string at - line 7.
+ Invalid conversion in printf: "%\002" at - line 8.
++Invalid conversion in sprintf: "%\002" at - line 9.
+ ########
+ # sv.c
+ use warnings 'misc' ;
+--- perl-5.8.6/sv.c.CVE-2005-3962-bz174684	2004-11-01 11:01:54.000000000 -0500
++++ perl-5.8.6/sv.c	2005-12-09 15:25:53.000000000 -0500
+@@ -8724,9 +8724,15 @@
  
  	if (vectorize)
  	    argsv = vecsv;
@@ -40,9 +445,112 @@
 -	    argsv = (efix ? efix <= svmax : svix < svmax) ?
 -		    svargs[efix ? efix-1 : svix++] : &PL_sv_undef;
 +	else if (!args) {
-+	    I32 i = efix ? efix-1 : svix++;
-+	    argsv = (i >= 0 && i < svmax) ? svargs[i] : &PL_sv_undef;
++	    if (efix) {
++		const I32 i = efix-1;
++		argsv = (i >= 0 && i < svmax) ? svargs[i] : &PL_sv_undef;
++	    } else {
++		argsv = (svix >= 0 && svix < svmax)
++		    ? svargs[svix++] : &PL_sv_undef;
++	    }
 +	}
  
  	switch (c = *q++) {
  
+@@ -8968,6 +8974,8 @@
+ 		    *--eptr = '0';
+ 		break;
+ 	    case 2:
++		if (!uv)
++		    alt = FALSE;
+ 		do {
+ 		    dig = uv & 1;
+ 		    *--eptr = '0' + dig;
+@@ -9270,6 +9278,8 @@
+ 
+ 	/* calculate width before utf8_upgrade changes it */
+ 	have = esignlen + zeros + elen;
++	if (have < zeros)
++	    Perl_croak_nocontext(PL_memory_wrap);
+ 
+ 	if (is_utf8 != has_utf8) {
+ 	     if (is_utf8) {
+@@ -9297,6 +9307,9 @@
+ 	need = (have > width ? have : width);
+ 	gap = need - have;
+ 
++	if (need >= (((STRLEN)~0) - SvCUR(sv) - dotstrlen - 1))
++	    Perl_croak_nocontext(PL_memory_wrap);
++
+ 	SvGROW(sv, SvCUR(sv) + need + dotstrlen + 1);
+ 	p = SvEND(sv);
+ 	if (esignlen && fill == '0') {
+--- perl-5.8.6/opcode.h.CVE-2005-3962-bz174684	2004-10-31 10:36:29.000000000 -0500
++++ perl-5.8.6/opcode.h	2005-12-09 15:25:53.000000000 -0500
+@@ -1585,7 +1585,7 @@
+ 	0x0022281c,	/* vec */
+ 	0x0122291c,	/* index */
+ 	0x0122291c,	/* rindex */
+-	0x0004280f,	/* sprintf */
++	0x0004280d,	/* sprintf - WAS 0x0004280f before patch #26283 */
+ 	0x00042805,	/* formline */
+ 	0x0001379e,	/* ord */
+ 	0x0001378e,	/* chr */
+--- perl-5.8.6/opcode.pl.CVE-2005-3962-bz174684	2004-03-22 14:53:56.000000000 -0500
++++ perl-5.8.6/opcode.pl	2005-12-09 15:25:53.000000000 -0500
+@@ -602,7 +602,7 @@
+ index		index			ck_index	isT@	S S S?
+ rindex		rindex			ck_index	isT@	S S S?
+ 
+-sprintf		sprintf			ck_fun		mfst@	S L
++sprintf		sprintf			ck_fun		mst@	S L
+ formline	formline		ck_fun		ms@	S L
+ ord		ord			ck_fun		ifsTu%	S?
+ chr		chr			ck_fun		fsTu%	S?
+--- perl-5.8.6/perl.h.CVE-2005-3962-bz174684	2005-12-09 15:23:58.000000000 -0500
++++ perl-5.8.6/perl.h	2005-12-09 15:25:53.000000000 -0500
+@@ -477,6 +477,13 @@
+ 
+ #define MEM_SIZE Size_t
+ 
++/* Round all values passed to malloc up, by default to a multiple of
++   sizeof(size_t)
++*/
++#ifndef PERL_STRLEN_ROUNDUP_QUANTUM
++#define PERL_STRLEN_ROUNDUP_QUANTUM Size_t_size
++#endif
++
+ #if defined(STANDARD_C) && defined(I_STDDEF)
+ #   include <stddef.h>
+ #   define STRUCT_OFFSET(s,m)  offsetof(s,m)
+@@ -3077,10 +3084,8 @@
+   INIT("\"my\" variable %s can't be in a package");
+ EXTCONST char PL_no_localize_ref[]
+   INIT("Can't localize through a reference");
+-#ifdef PERL_MALLOC_WRAP
+ EXTCONST char PL_memory_wrap[]
+   INIT("panic: memory wrap");
+-#endif
+ 
+ EXTCONST char PL_uuemap[65]
+   INIT("`!\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_");
+--- perl-5.8.6/makedef.pl.CVE-2005-3962-bz174684	2004-10-21 09:26:27.000000000 -0400
++++ perl-5.8.6/makedef.pl	2005-12-09 15:25:53.000000000 -0500
+@@ -635,11 +635,13 @@
+ 		    )];
+ }
+ 
+-if ($define{'PERL_MALLOC_WRAP'}) {
+-    emit_symbols [qw(
+-		    PL_memory_wrap
+-		    )];
+-}
++# Removed as part of fix for CVE-2005-3962 / CVE-2005-3962 /
++# Upstream patch #26283
++# if ($define{'PERL_MALLOC_WRAP'}) {
++#    emit_symbols [qw(
++#		    PL_memory_wrap
++#		    )];
++#}
+ 
+ unless ($define{'USE_5005THREADS'} || $define{'USE_ITHREADS'}) {
+     skip_symbols [qw(
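Review bot: The comment added in makedef.pl cites the same identifier twice, `CVE-2005-3962 / CVE-2005-3962`, which makes the removal harder to trace later; if the second was meant to be the CVE-2005-3912 named in the log message, it should read `# Removed as part of fix for CVE-2005-3962 / CVE-2005-3912 /`, otherwise the repeat should be dropped. Because perl.h in this same hunk now defines `PL_memory_wrap` unconditionally and sv.c calls `Perl_croak_nocontext(PL_memory_wrap)` outside any PERL_MALLOC_WRAP guard, the comment should also say where the symbol is exported from once this block is gone, which the visible lines do not show. Deleting the block instead of leaving it commented out would keep the file cleaner.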

perl-5.8.6-MM_Unix-rpath-136009.patch:
 Liblist.pm   |    5 +++++
 MM_Unix.pm   |   17 ++++++++++++++---
 MakeMaker.pm |   58 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++--
 3 files changed, 75 insertions(+), 5 deletions(-)

Index: perl-5.8.6-MM_Unix-rpath-136009.patch
===================================================================
RCS file: /cvs/dist/rpms/perl/FC-4/perl-5.8.6-MM_Unix-rpath-136009.patch,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- perl-5.8.6-MM_Unix-rpath-136009.patch	11 Nov 2005 21:41:25 -0000	1.1
+++ perl-5.8.6-MM_Unix-rpath-136009.patch	9 Dec 2005 21:20:10 -0000	1.2
@@ -1,5 +1,19 @@
---- perl-5.8.7/lib/ExtUtils/MM_Unix.pm.136009	2005-11-08 20:08:30.000000000 -0500
-+++ perl-5.8.7/lib/ExtUtils/MM_Unix.pm	2005-11-09 12:54:41.000000000 -0500
+--- perl-5.8.6/lib/ExtUtils/Liblist.pm.MM_Unix-rpath-136009	2003-04-07 14:58:17.000000000 -0400
++++ perl-5.8.6/lib/ExtUtils/Liblist.pm	2005-12-09 15:44:30.000000000 -0500
+@@ -87,6 +87,11 @@
+ in LDLOADLIBS. It is passed as an environment variable to the process
+ that links the shared library.
+ 
++Red Hat extension: This generation of LD_RUN_PATH is disabled by default.
++To use the generated LD_RUN_PATH for all links, set the USE_MM_LD_RUN_PATH
++MakeMaker object attribute / argument, (or set the $USE_MM_LD_RUN_PATH
++environment variable). 
++
+ =head2 BSLOADLIBS
+ 
+ List of those libraries that are needed but can be linked in
+--- perl-5.8.6/lib/ExtUtils/MM_Unix.pm.MM_Unix-rpath-136009	2005-12-09 15:38:04.000000000 -0500
++++ perl-5.8.6/lib/ExtUtils/MM_Unix.pm	2005-12-09 15:39:13.000000000 -0500
 @@ -413,11 +413,18 @@
  };
      my($tmp);
@@ -25,7 +39,7 @@
      }
  
 +    my $ld_run_path_shell = "";
-+    if ($self->{LD_RUN_PATH} ne "") {
++    if (($self->{LD_RUN_PATH} ne "") && ($self->{USE_MM_LD_RUN_PATH})) {
 +	$ld_run_path_shell = 'LD_RUN_PATH="$(LD_RUN_PATH)" ';
 +    }
      push(@m,
@@ -36,3 +50,84 @@
      push @m, '
  	$(CHMOD) $(PERM_RWX) $@
  ';
+--- perl-5.8.6/lib/ExtUtils/MakeMaker.pm.MM_Unix-rpath-136009	2005-12-09 15:38:07.000000000 -0500
++++ perl-5.8.6/lib/ExtUtils/MakeMaker.pm	2005-12-09 15:39:13.000000000 -0500
+@@ -226,7 +226,7 @@
+     PERL_SRC PERM_RW PERM_RWX
+     PL_FILES PM PM_FILTER PMLIBDIRS POLLUTE PPM_INSTALL_EXEC
+     PPM_INSTALL_SCRIPT PREREQ_FATAL PREREQ_PM PREREQ_PRINT PRINT_PREREQ
+-    SKIP TYPEMAPS VERSION VERSION_FROM XS XSOPT XSPROTOARG
++    SKIP TYPEMAPS USE_MM_LD_RUN_PATH VERSION VERSION_FROM XS XSOPT XSPROTOARG
+     XS_VERSION clean depend dist dynamic_lib linkext macro realclean
+     tool_autosplit
+ 
+@@ -362,7 +362,27 @@
+         print join(" ", map { "perl($_)>=$self->{PREREQ_PM}->{$_} " } 
+                         sort keys %{$self->{PREREQ_PM}}), "\n";
+         exit 0;
+-   }
++    }
++   
++    # USE_MM_LD_RUN_PATH - another RedHatism to disable automatic RPATH generation
++    if ( ( ! $self->{USE_MM_LD_RUN_PATH} )
++       &&( ("@ARGV" =~ /\bUSE_MM_LD_RUN_PATH(=([01]))?\b/)
++	 ||( exists( $ENV{USE_MM_LD_RUN_PATH} ) 
++           &&( $ENV{USE_MM_LD_RUN_PATH} =~ /([01])?$/ )
++	    )
++	 )
++       )
++    {
++	my $v = $1;
++	if( $v )
++	{
++	    $v = ($v=~/=([01])$/)[0];
++	}else
++	{
++	    $v = 1;
++	};
++	$self->{USE_MM_LD_RUN_PATH}=$v;
++    }
+ 
+     print STDOUT "MakeMaker (v$VERSION)\n" if $Verbose;
+     if (-f "MANIFEST" && ! -f "Makefile"){
+@@ -2007,6 +2027,40 @@
+ precedence, even if it isn't listed in TYPEMAPS.  The default system
+ typemap has lowest precedence.
+ 
++=item USE_MM_LD_RUN_PATH
++
++boolean
++The Red Hat perl MakeMaker distribution differs from the standard 
++upstream release in that it disables use of the MakeMaker generated
++LD_RUN_PATH by default, UNLESS this attribute is specified , or the
++USE_MM_LD_RUN_PATH environment variable is set during the MakeMaker run.
++
++The upstream MakeMaker will set the ld(1) environment variable LD_RUN_PATH 
++to the concatenation of every -L ld(1) option directory in which a -l ld(1)
++option library is found, which is used as the ld(1) -rpath option if none 
++is specified. This means that, if your application builds shared libraries 
++and your MakeMaker application links to them, that the absolute paths of the
++libraries in the build tree will be inserted into the RPATH header of all 
++MakeMaker generated binaries, and that such binaries will be unable to link 
++to these libraries if they do not still reside in the build tree directories 
++(unlikely) or in the system library directories (/lib or /usr/lib), regardless 
++of any LD_LIBRARY_PATH setting. So if you specified -L../mylib -lmylib , and
++ your 'libmylib.so' gets installed into /some_directory_other_than_usr_lib,
++ your MakeMaker application will be unable to link to it, even if LD_LIBRARY_PATH 
++is set to include /some_directory_other_than_usr_lib, because RPATH overrides
++LD_LIBRARY_PATH.
++
++So for Red Hat MakeMaker builds LD_RUN_PATH is NOT generated by default for
++every link. You can still use explicit -rpath ld options or the LD_RUN_PATH
++environment variable during the build to generate an RPATH for the binaries.
++ 
++You can set the USE_MM_LD_RUN_PATH attribute to 1 on the MakeMaker command
++line or in the WriteMakefile arguments to enable generation of LD_RUN_PATH
++for every link command. 
++
++USE_MM_LD_RUN_PATH will default to 1 (LD_RUN_PATH will be used) IF the 
++$USE_MM_LD_RUN_PATH environment variable is set during a MakeMaker run. 
++
+ =item VENDORPREFIX
+ 
+ Like PERLPREFIX, but only for the vendor install locations.
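Review bot: The environment-variable branch of the new USE_MM_LD_RUN_PATH test in MakeMaker.pm mis-handles the values it is meant to accept. When `$ENV{USE_MM_LD_RUN_PATH}` is `1`, `$1` is `"1"`, so the follow-up `$v=~/=([01])$/` (written for the `=0`/`=1` command-line form) fails to match and the attribute is set to undef, leaving LD_RUN_PATH disabled; when it is `0`, `$v` is false and the else branch sets the attribute to 1. Both results contradict the POD added further down, which says setting the variable enables the generated LD_RUN_PATH. Handling the two sources separately, as sketched here, avoids sharing `$1` between patterns; treating an environment value of 0 as "off" is my assumption about the intent.

```perl
    # USE_MM_LD_RUN_PATH - another RedHatism to disable automatic RPATH generation
    if ( !$self->{USE_MM_LD_RUN_PATH} ) {
        if ( "@ARGV" =~ /\bUSE_MM_LD_RUN_PATH(?:=([01]))?\b/ ) {
            # bare name means "on"; NAME=0 / NAME=1 is taken literally
            $self->{USE_MM_LD_RUN_PATH} = defined $1 ? $1 : 1;
        }
        elsif ( exists $ENV{USE_MM_LD_RUN_PATH} ) {
            # any value other than a literal 0 or 1 counts as "set", i.e. on
            $self->{USE_MM_LD_RUN_PATH} =
                $ENV{USE_MM_LD_RUN_PATH} =~ /^([01])$/ ? $1 : 1;
        }
    }
    # … unchanged: "MakeMaker (v$VERSION)" banner and MANIFEST check …
```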


Index: perl.spec
===================================================================
RCS file: /cvs/dist/rpms/perl/FC-4/perl.spec,v
retrieving revision 1.67
retrieving revision 1.68
diff -u -r1.67 -r1.68
--- perl.spec	1 Dec 2005 18:45:06 -0000	1.67
+++ perl.spec	9 Dec 2005 21:20:10 -0000	1.68
@@ -5,7 +5,7 @@
 %define multilib_64_archs x86_64 s390x ppc64 sparc64
 
 %define perlver 5.8.6
-%define perlrel 18
+%define perlrel 20
 %define perlepoch 3
 
 %{?!perl_debugging:    %define perl_debugging 0}
@@ -138,6 +138,8 @@
 
 Patch172587: perl-5.8.6-bz172587.patch
 
+Patch136009: perl-5.8.6-MM_Unix-rpath-136009.patch
+
 Patch174684: perl-5.8.6-CVE-2005-3962-bz174684.patch
 
 # module updatesd
@@ -277,6 +279,8 @@
 
 %patch172587 -p1
 
+%patch136009 -p1
+
 %patch174684 -p1
 
 find . -name \*.orig -exec rm -fv {} \;
@@ -470,6 +474,17 @@
 %endif
 
 %changelog
+* Fri Dec 09 2005 Jason Vas Dias <jvdias at redhat.com> - 3.5.8.6-20
+- Apply upstream patches 26283 and 26284 : complete, revised fixes
+  for CVE-2005-3962 and CVE-2005-3912 and 
+  "Sys::Syslog security vulnerabilities" issues.
+- Fix bug 136009 / MakeMaker LD_RUN_PATH issue: 
+  restore previous default Red Hat behavior of removing the MakeMaker
+  generated LD_RUN_PATH setting from the link command .
+  Document this removal, as it contravenes upstream default behavior, and 
+  provide a USE_MM_LD_RUN_PATH MakeMaker member to enable use of the 
+  MakeMaker generated LD_RUN_PATH .
+
 * Thu Dec 01 2005 Jason Vas Dias <jvdias at redhat.com> - 3:5.8.6-18
 - fix bug 174684 / CVE-2005-3962: sprintf integer overflow vulnerability
   backported upstream patch #26240



