Fix a local root exploit and a buffer overflow (CAN-2005-{0155,0156}).

Patches from Nicholas Clark in private mail.  Bump the PKGREVISION to
3.

3 files changed, 28 insertions, 3 deletions

diff --git a/lang/perl58/Makefile b/lang/perl58/Makefile
index 98b77d76bdf..90aee55a447 100644
--- a/lang/perl58/Makefile
+++ b/lang/perl58/Makefile
@@ -1,4 +1,4 @@
-# $NetBSD: Makefile,v 1.74 2005/01/18 00:56:43 jlam Exp $
+# $NetBSD: Makefile,v 1.75 2005/02/02 19:09:52 jlam Exp $
 
 # The following two variables should have empty values unless we're
 # building a perl snapshot or release candidate.
@@ -13,7 +13,7 @@ EXTRACT_SUFX=	.tar.bz2
 .if empty(PERL5_SNAPSHOT) && empty(PERL5_RC_VERS)
 DISTNAME=	perl-${PERL5_VERS}
 PKGNAME=	perl-${PERL5_VERS}
-PKGREVISION=	2
+PKGREVISION=	3
 MASTER_SITES=	${MASTER_SITE_PERL_CPAN:S,/modules/by-module/$,/src/,}
 .else
 .  if !empty(PERL5_SNAPSHOT)
diff --git a/lang/perl58/distinfo b/lang/perl58/distinfo
index 39b66759d8c..fd79c0393b7 100644
--- a/lang/perl58/distinfo
+++ b/lang/perl58/distinfo
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.28 2005/01/21 20:23:22 tv Exp $
+$NetBSD: distinfo,v 1.29 2005/02/02 19:09:52 jlam Exp $
 
 SHA1 (perl-5.8.6.tar.bz2) = 5267c5b4900a995a10e4fc56fe10a6852004c29b
 Size (perl-5.8.6.tar.bz2) = 9693085 bytes
@@ -8,6 +8,7 @@ SHA1 (patch-ah) = cb103c14090b2d61720ee9b555b32085c8eeb810
 SHA1 (patch-ba) = 74a01f3a86f263720b9f07d1fdbaadbaecafb012
 SHA1 (patch-bd) = 9f96ba1912f2a8db93db31f7a63c0b49a045318d
 SHA1 (patch-be) = 9f667f33ea24300a5580db84d0978ca53f126f29
+SHA1 (patch-bf) = 9bc5690b41a70617cde89b805184a8d5605d20d1
 SHA1 (patch-ca) = 3198a5f49c2a850b1ea1f5c6f0738f45da505924
 SHA1 (patch-cb) = de10a31b699d877cedb3ca849458e10071912972
 SHA1 (patch-cc) = b04ea30ac47ae0748aa6b6c83c8de0396ace349f
diff --git a/lang/perl58/patches/patch-bf b/lang/perl58/patches/patch-bf
new file mode 100644
index 00000000000..cb4dfb2837e
--- /dev/null
+++ b/lang/perl58/patches/patch-bf
@@ -0,0 +1,24 @@
+$NetBSD: patch-bf,v 1.1 2005/02/02 19:09:52 jlam Exp $
+
+--- perlio.c.orig	2004-09-10 03:06:52.000000000 -0400
++++ perlio.c
+@@ -454,7 +454,8 @@ PerlIO_debug(const char *fmt, ...)
+     va_list ap;
+     dSYS;
+     va_start(ap, fmt);
+-    if (!dbg) {
++    /* Tighten uid/gid checks [CAN-2005-0155] */
++    if (!dbg && !PL_tainting && PL_uid == PL_euid && PL_gid == PL_egid) {
+ 	char *s = PerlEnv_getenv("PERLIO_DEBUG");
+ 	if (s && *s)
+ 	    dbg = PerlLIO_open3(s, O_WRONLY | O_CREAT | O_APPEND, 0666);
+@@ -471,7 +472,8 @@ PerlIO_debug(const char *fmt, ...)
+ 	s = CopFILE(PL_curcop);
+ 	if (!s)
+ 	    s = "(none)";
+-	sprintf(buffer, "%s:%" IVdf " ", s, (IV) CopLINE(PL_curcop));
++	/* Avoid PERLIO_DEBUG buffer overflow [CAN-2005-0156] */
++	sprintf(buffer, "%.40s:%" IVdf " ", s, (IV) CopLINE(PL_curcop));
+ 	len = strlen(buffer);
+ 	vsprintf(buffer+len, fmt, ap);
+ 	PerlLIO_write(dbg, buffer, strlen(buffer));