Add patch to address CVE-2016-2381

Bump pkgrev

Reviewed by wiz@

3 files changed, 86 insertions, 2 deletions

diff --git a/lang/perl5/Makefile b/lang/perl5/Makefile
index ce616d0285e..7f91138c22f 100644
--- a/lang/perl5/Makefile
+++ b/lang/perl5/Makefile
@@ -1,8 +1,9 @@
-# $NetBSD: Makefile,v 1.236 2016/01/27 11:22:22 jperkin Exp $
+# $NetBSD: Makefile,v 1.237 2016/04/19 22:14:38 sevan Exp $
 
 .include "license.mk"
 .include "Makefile.common"
 
+PKGREVISION=	1
 COMMENT=	Practical Extraction and Report Language
 
 CONFLICTS+=	perl-base-[0-9]* perl-thread-[0-9]*
diff --git a/lang/perl5/distinfo b/lang/perl5/distinfo
index f4116874919..26ab5324d05 100644
--- a/lang/perl5/distinfo
+++ b/lang/perl5/distinfo
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.133 2016/03/07 21:27:58 kamil Exp $
+$NetBSD: distinfo,v 1.134 2016/04/19 22:14:38 sevan Exp $
 
 SHA1 (perl-5.22.1.tar.bz2) = 29f9b320b0299577a3e1d02e9e8ef8f26f160332
 RMD160 (perl-5.22.1.tar.bz2) = 99e3af98d80ace857da6ce28679a2e35a4360144
@@ -21,5 +21,6 @@ SHA1 (patch-hints_darwin.sh) = bb4ea9e16a1d441388b8e9cdd37a7d757f3f1687
 SHA1 (patch-hints_netbsd.sh) = 0d549a48800372d75fe34b783529a78cba90f646
 SHA1 (patch-hints_sco.sh) = 8d43cdc0632799e1cdb5dc6fdb968052a9ae4216
 SHA1 (patch-hints_solaris__2.sh) = 0e54889648a6f0f2a0232c5e01bef89d245c213d
+SHA1 (patch-perl.c) = 5269fdb22ca3f450603a51d8db6ba7daef496f2f
 SHA1 (patch-ta) = a9d13eeec22733e4087942f217a0d47a19498a6f
 SHA1 (patch-ze) = d6fb718a1417e37a7d6bee1ae89fe2beec51c81b
diff --git a/lang/perl5/patches/patch-perl.c b/lang/perl5/patches/patch-perl.c
new file mode 100644
index 00000000000..833d1ac436a
--- /dev/null
+++ b/lang/perl5/patches/patch-perl.c
@@ -0,0 +1,82 @@
+$NetBSD: patch-perl.c,v 1.1 2016/04/19 22:14:38 sevan Exp $
+
+CVE-2016-2381 - Perl might allow context-dependent attackers to bypass the taint
+protection mechanism in a child process via duplicate environment variables in
+envp.
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2381
+
+--- perl.c.orig	2015-10-17 12:38:38.000000000 +0000
++++ perl.c
+@@ -4298,23 +4298,70 @@ S_init_postdump_symbols(pTHX_ int argc, 
+ 	}
+ 	if (env) {
+ 	  char *s, *old_var;
++          STRLEN nlen;
+ 	  SV *sv;
++          HV *dups = newHV();
++
+ 	  for (; *env; env++) {
+ 	    old_var = *env;
+ 
+ 	    if (!(s = strchr(old_var,'=')) || s == old_var)
+ 		continue;
++            nlen = s - old_var;
+ 
+ #if defined(MSDOS) && !defined(DJGPP)
+ 	    *s = '\0';
+ 	    (void)strupr(old_var);
+ 	    *s = '=';
+ #endif
+-	    sv = newSVpv(s+1, 0);
+-	    (void)hv_store(hv, old_var, s - old_var, sv, 0);
++            if (hv_exists(hv, old_var, nlen)) {
++                const char *name = savepvn(old_var, nlen);
++
++                /* make sure we use the same value as getenv(), otherwise code that
++                   uses getenv() (like setlocale()) might see a different value to %ENV
++                 */
++                sv = newSVpv(PerlEnv_getenv(name), 0);
++
++                /* keep a count of the dups of this name so we can de-dup environ later */
++                if (hv_exists(dups, name, nlen))
++                    ++SvIVX(*hv_fetch(dups, name, nlen, 0));
++                else
++                    (void)hv_store(dups, name, nlen, newSViv(1), 0);
++
++                Safefree(name);
++            }
++            else {
++                sv = newSVpv(s+1, 0);
++            }
++	    (void)hv_store(hv, old_var, nlen, sv, 0);
+ 	    if (env_is_not_environ)
+ 	        mg_set(sv);
+ 	  }
++          if (HvKEYS(dups)) {
++              /* environ has some duplicate definitions, remove them */
++              HE *entry;
++              hv_iterinit(dups);
++              while ((entry = hv_iternext_flags(dups, 0))) {
++                  STRLEN nlen;
++                  const char *name = HePV(entry, nlen);
++                  IV count = SvIV(HeVAL(entry));
++                  IV i;
++                  SV **valp = hv_fetch(hv, name, nlen, 0);
++
++                  assert(valp);
++
++                  /* try to remove any duplicate names, depending on the
++                   * implementation used in my_setenv() the iteration might
++                   * not be necessary, but let's be safe.
++                   */
++                  for (i = 0; i < count; ++i)
++                      my_setenv(name, 0);
++
++                  /* and set it back to the value we set $ENV{name} to */
++                  my_setenv(name, SvPV_nolen(*valp));
++              }
++          }
++          SvREFCNT_dec_NN(dups);
+       }
+ #endif /* USE_ENVIRON_ARRAY */
+ #endif /* !PERL_MICRO */