Minimally invasive fix for CVE-2014-4330, also known as

https://www.lsexperts.de/advisories/lse-2014-06-10.txt,
a stack overflow vulnerability in Data::Dumper

Patches taken from
http://perl5.git.perl.org/perl.git/commitdiff/19be3be6968e2337bcdfe480693fff795ecd1304,
to be removed when updating to 5.20.1 (or later).

perl-5.20.0nb2 is fit for pkg_add -u replacement of perl-5.20.0nb1

4 files changed, 193 insertions, 3 deletions

diff --git a/lang/perl5/Makefile b/lang/perl5/Makefile
index 0779d7ac090..1adc521d61f 100644
--- a/lang/perl5/Makefile
+++ b/lang/perl5/Makefile
@@ -1,9 +1,9 @@
-# $NetBSD: Makefile,v 1.229 2014/07/05 05:10:48 richard Exp $
+# $NetBSD: Makefile,v 1.230 2014/09/29 11:36:01 spz Exp $
 
 .include "license.mk"
 .include "Makefile.common"
 
-PKGREVISION=	1
+PKGREVISION=	2
 COMMENT=	Practical Extraction and Report Language
 
 CONFLICTS+=	perl-base-[0-9]* perl-thread-[0-9]*
diff --git a/lang/perl5/distinfo b/lang/perl5/distinfo
index 39783ac4bd2..88f9d050a8f 100644
--- a/lang/perl5/distinfo
+++ b/lang/perl5/distinfo
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.122 2014/08/12 05:41:39 mrg Exp $
+$NetBSD: distinfo,v 1.123 2014/09/29 11:36:01 spz Exp $
 
 SHA1 (perl-5.20.0.tar.bz2) = e925e4fc36e90eace19a1ca850f912618ba6788f
 RMD160 (perl-5.20.0.tar.bz2) = a14fa854f2d50aa5f16ff3a982244dd6cd0c4730
@@ -14,6 +14,8 @@ SHA1 (patch-ch) = 5b6a89c82e158bab0a5f06add48c28e600678099
 SHA1 (patch-ck) = 5c381db130cdf4c315678e2d65380eaaa3065fee
 SHA1 (patch-cn) = d1877383e213a414562b5bb4c1e8aa785926fab7
 SHA1 (patch-cpan_Socket_Socket.xs) = 9390c42ad456b0ea114c2e57e4d829d630fb698e
+SHA1 (patch-dist_Data-Dumper_Dumper.pm) = 27f9bb4084aa0b21b05bd10d850942b978f7f821
+SHA1 (patch-dist_Data-Dumper_Dumper.xs) = 2e3384973a70b46f8f9ed72c0e9966e00fcbd8af
 SHA1 (patch-ext_Errno_Errno__pm.PL) = 4f135e267da17de38f8f1e7e03d5209bfd09a323
 SHA1 (patch-hints_cygwin.sh) = 1b21d927d6b7379754c4cd64a2b05d3632c35470
 SHA1 (patch-hints_darwin.sh) = c561d1862f8ca76652a35741c691394eb8cda70a
diff --git a/lang/perl5/patches/patch-dist_Data-Dumper_Dumper.pm b/lang/perl5/patches/patch-dist_Data-Dumper_Dumper.pm
new file mode 100644
index 00000000000..ef93d97411a
--- /dev/null
+++ b/lang/perl5/patches/patch-dist_Data-Dumper_Dumper.pm
@@ -0,0 +1,65 @@
+$NetBSD: patch-dist_Data-Dumper_Dumper.pm,v 1.1 2014/09/29 11:36:01 spz Exp $
+
+patch for CVE-2014-4330, remove for 5.20.1
+taken from http://perl5.git.perl.org/perl.git/commitdiff/19be3be6968e2337bcdfe480693fff795ecd1304
+
+--- dist/Data-Dumper/Dumper.pm.orig	2014-05-26 13:34:19.000000000 +0000
++++ dist/Data-Dumper/Dumper.pm
+@@ -56,6 +56,7 @@ $Useperl    = 0         unless defined $
+ $Sortkeys   = 0         unless defined $Sortkeys;
+ $Deparse    = 0         unless defined $Deparse;
+ $Sparseseen = 0         unless defined $Sparseseen;
++$Maxrecurse = 1000      unless defined $Maxrecurse;
+ 
+ #
+ # expects an arrayref of values to be dumped.
+@@ -92,6 +93,7 @@ sub new {
+         'bless'    => $Bless,    # keyword to use for "bless"
+ #        expdepth   => $Expdepth,   # cutoff depth for explicit dumping
+         maxdepth   => $Maxdepth,   # depth beyond which we give up
++	maxrecurse => $Maxrecurse, # depth beyond which we abort
+         useperl    => $Useperl,    # use the pure Perl implementation
+         sortkeys   => $Sortkeys,   # flag or filter for sorting hash keys
+         deparse    => $Deparse,    # use B::Deparse for coderefs
+@@ -350,6 +352,12 @@ sub _dump {
+       return qq['$val'];
+     }
+ 
++    # avoid recursing infinitely [perl #122111]
++    if ($s->{maxrecurse} > 0
++        and $s->{level} >= $s->{maxrecurse}) {
++        die "Recursion limit of $s->{maxrecurse} exceeded";
++    }
++
+     # we have a blessed ref
+     my ($blesspad);
+     if ($realpack and !$no_bless) {
+@@ -680,6 +688,11 @@ sub Maxdepth {
+   defined($v) ? (($s->{'maxdepth'} = $v), return $s) : $s->{'maxdepth'};
+ }
+ 
++sub Maxrecurse {
++  my($s, $v) = @_;
++  defined($v) ? (($s->{'maxrecurse'} = $v), return $s) : $s->{'maxrecurse'};
++}
++
+ sub Useperl {
+   my($s, $v) = @_;
+   defined($v) ? (($s->{'useperl'} = $v), return $s) : $s->{'useperl'};
+@@ -1105,6 +1118,16 @@ no maximum depth.
+ 
+ =item *
+ 
++$Data::Dumper::Maxrecurse  I<or>  $I<OBJ>->Maxrecurse(I<[NEWVAL]>)
++
++Can be set to a positive integer that specifies the depth beyond which
++recursion into a structure will throw an exception.  This is intended
++as a security measure to prevent perl running out of stack space when
++dumping an excessively deep structure.  Can be set to 0 to remove the
++limit.  Default is 1000.
++
++=item *
++
+ $Data::Dumper::Useperl  I<or>  $I<OBJ>->Useperl(I<[NEWVAL]>)
+ 
+ Can be set to a boolean value which controls whether the pure Perl
diff --git a/lang/perl5/patches/patch-dist_Data-Dumper_Dumper.xs b/lang/perl5/patches/patch-dist_Data-Dumper_Dumper.xs
new file mode 100644
index 00000000000..99bcbb15156
--- /dev/null
+++ b/lang/perl5/patches/patch-dist_Data-Dumper_Dumper.xs
@@ -0,0 +1,123 @@
+$NetBSD: patch-dist_Data-Dumper_Dumper.xs,v 1.1 2014/09/29 11:36:01 spz Exp $
+
+patch for CVE-2014-4330, remove for 5.20.1
+taken from http://perl5.git.perl.org/perl.git/commitdiff/19be3be6968e2337bcdfe480693fff795ecd1304
+
+--- dist/Data-Dumper/Dumper.xs.orig	2014-05-26 13:34:19.000000000 +0000
++++ dist/Data-Dumper/Dumper.xs
+@@ -28,7 +28,7 @@ static I32 DD_dump (pTHX_ SV *val, const
+ 		    SV *pad, SV *xpad, SV *apad, SV *sep, SV *pair,
+ 		    SV *freezer, SV *toaster,
+ 		    I32 purity, I32 deepcopy, I32 quotekeys, SV *bless,
+-		    I32 maxdepth, SV *sortkeys, int use_sparse_seen_hash, I32 useqq);
++		    I32 maxdepth, SV *sortkeys, int use_sparse_seen_hash, I32 useqq, IV maxrecurse);
+ 
+ #ifndef HvNAME_get
+ #define HvNAME_get HvNAME
+@@ -412,7 +412,7 @@ DD_dump(pTHX_ SV *val, const char *name,
+ 	AV *postav, I32 *levelp, I32 indent, SV *pad, SV *xpad,
+ 	SV *apad, SV *sep, SV *pair, SV *freezer, SV *toaster, I32 purity,
+ 	I32 deepcopy, I32 quotekeys, SV *bless, I32 maxdepth, SV *sortkeys,
+-        int use_sparse_seen_hash, I32 useqq)
++        int use_sparse_seen_hash, I32 useqq, IV maxrecurse)
+ {
+     char tmpbuf[128];
+     Size_t i;
+@@ -589,6 +589,10 @@ DD_dump(pTHX_ SV *val, const char *name,
+ 	    return 1;
+ 	}
+ 
++	if (maxrecurse > 0 && *levelp >= maxrecurse) {
++	    croak("Recursion limit of %" IVdf " exceeded", maxrecurse);
++	}
++
+ 	if (realpack && !no_bless) {				/* we have a blessed ref */
+ 	    STRLEN blesslen;
+ 	    const char * const blessstr = SvPV(bless, blesslen);
+@@ -674,7 +678,8 @@ DD_dump(pTHX_ SV *val, const char *name,
+ 		DD_dump(aTHX_ ival, SvPVX_const(namesv), SvCUR(namesv), retval, seenhv,
+ 			postav, levelp,	indent, pad, xpad, apad, sep, pair,
+ 			freezer, toaster, purity, deepcopy, quotekeys, bless,
+-			maxdepth, sortkeys, use_sparse_seen_hash, useqq);
++			maxdepth, sortkeys, use_sparse_seen_hash, useqq,
++			maxrecurse);
+ 		sv_catpvn(retval, ")}", 2);
+ 	    }						     /* plain */
+ 	    else {
+@@ -682,7 +687,8 @@ DD_dump(pTHX_ SV *val, const char *name,
+ 		DD_dump(aTHX_ ival, SvPVX_const(namesv), SvCUR(namesv), retval, seenhv,
+ 			postav, levelp,	indent, pad, xpad, apad, sep, pair,
+ 			freezer, toaster, purity, deepcopy, quotekeys, bless,
+-			maxdepth, sortkeys, use_sparse_seen_hash, useqq);
++			maxdepth, sortkeys, use_sparse_seen_hash, useqq,
++			maxrecurse);
+ 	    }
+ 	    SvREFCNT_dec(namesv);
+ 	}
+@@ -694,7 +700,8 @@ DD_dump(pTHX_ SV *val, const char *name,
+ 	    DD_dump(aTHX_ ival, SvPVX_const(namesv), SvCUR(namesv), retval, seenhv,
+ 		    postav, levelp,	indent, pad, xpad, apad, sep, pair,
+ 		    freezer, toaster, purity, deepcopy, quotekeys, bless,
+-		    maxdepth, sortkeys, use_sparse_seen_hash, useqq);
++		    maxdepth, sortkeys, use_sparse_seen_hash, useqq,
++		    maxrecurse);
+ 	    SvREFCNT_dec(namesv);
+ 	}
+ 	else if (realtype == SVt_PVAV) {
+@@ -767,7 +774,8 @@ DD_dump(pTHX_ SV *val, const char *name,
+ 		DD_dump(aTHX_ elem, iname, ilen, retval, seenhv, postav,
+ 			levelp,	indent, pad, xpad, apad, sep, pair,
+ 			freezer, toaster, purity, deepcopy, quotekeys, bless,
+-			maxdepth, sortkeys, use_sparse_seen_hash, useqq);
++			maxdepth, sortkeys, use_sparse_seen_hash, useqq,
++			maxrecurse);
+ 		if (ix < ixmax)
+ 		    sv_catpvn(retval, ",", 1);
+ 	    }
+@@ -970,7 +978,8 @@ DD_dump(pTHX_ SV *val, const char *name,
+ 		DD_dump(aTHX_ hval, SvPVX_const(sname), SvCUR(sname), retval, seenhv,
+ 			postav, levelp,	indent, pad, xpad, newapad, sep, pair,
+ 			freezer, toaster, purity, deepcopy, quotekeys, bless,
+-			maxdepth, sortkeys, use_sparse_seen_hash, useqq);
++			maxdepth, sortkeys, use_sparse_seen_hash, useqq,
++			maxrecurse);
+ 		SvREFCNT_dec(sname);
+ 		Safefree(nkey_buffer);
+ 		if (indent >= 2)
+@@ -1179,7 +1188,8 @@ DD_dump(pTHX_ SV *val, const char *name,
+ 				seenhv, postav, &nlevel, indent, pad, xpad,
+ 				newapad, sep, pair, freezer, toaster, purity,
+ 				deepcopy, quotekeys, bless, maxdepth, 
+-				sortkeys, use_sparse_seen_hash, useqq);
++				sortkeys, use_sparse_seen_hash, useqq,
++				maxrecurse);
+ 			SvREFCNT_dec(e);
+ 		    }
+ 		}
+@@ -1269,6 +1279,7 @@ Data_Dumper_Dumpxs(href, ...)
+ 	    SV *val, *name, *pad, *xpad, *apad, *sep, *pair, *varname;
+ 	    SV *freezer, *toaster, *bless, *sortkeys;
+ 	    I32 purity, deepcopy, quotekeys, maxdepth = 0;
++	    IV maxrecurse = 1000;
+ 	    char tmpbuf[1024];
+ 	    I32 gimme = GIMME;
+             int use_sparse_seen_hash = 0;
+@@ -1355,6 +1366,8 @@ Data_Dumper_Dumpxs(href, ...)
+ 		    bless = *svp;
+ 		if ((svp = hv_fetch(hv, "maxdepth", 8, FALSE)))
+ 		    maxdepth = SvIV(*svp);
++		if ((svp = hv_fetch(hv, "maxrecurse", 10, FALSE)))
++		    maxrecurse = SvIV(*svp);
+ 		if ((svp = hv_fetch(hv, "sortkeys", 8, FALSE))) {
+ 		    sortkeys = *svp;
+ 		    if (! SvTRUE(sortkeys))
+@@ -1434,7 +1447,8 @@ Data_Dumper_Dumpxs(href, ...)
+ 		    DD_dump(aTHX_ val, SvPVX_const(name), SvCUR(name), valstr, seenhv,
+ 			    postav, &level, indent, pad, xpad, newapad, sep, pair,
+ 			    freezer, toaster, purity, deepcopy, quotekeys,
+-			    bless, maxdepth, sortkeys, use_sparse_seen_hash, useqq);
++			    bless, maxdepth, sortkeys, use_sparse_seen_hash, useqq,
++			    maxrecurse);
+ 		    SPAGAIN;
+ 		
+ 		    if (indent >= 2 && !terse)