From 268fa297e274f9bfc228254df9a1e772c225eb8c Mon Sep 17 00:00:00 2001
From: adam
Date: Wed, 3 Apr 2013 09:28:55 +0000
Subject: Changes 5.16.3: This release contains one major and a number of minor security fixes. It fixes a possible vulnerability to a denial-of-service attack by use of a carefully-crafted set of hash keys, a segmentation fault when reading or writing strings greater than 2^31 bytes in size, and a memory leak in Encode.xs's UTF-8 encoding implementation.
---
 lang/perl5/Makefile | 3 +-
 lang/perl5/Makefile.common | 4 +-
 lang/perl5/distinfo | 9 +-
 lang/perl5/patches/patch-CVE-2013-1667 | 147 ---------------------------------
 4 files changed, 7 insertions(+), 156 deletions(-)
 delete mode 100644 lang/perl5/patches/patch-CVE-2013-1667
(limited to 'lang/perl5')
diff --git a/lang/perl5/Makefile b/lang/perl5/Makefile
index e92adf9eb94..da4d72dfbd4 100644
--- a/lang/perl5/Makefile
+++ b/lang/perl5/Makefile
@@ -1,10 +1,9 @@
-# $NetBSD: Makefile,v 1.198 2013/03/08 21:28:18 tez Exp $
+# $NetBSD: Makefile,v 1.199 2013/04/03 09:28:55 adam Exp $
 .include "license.mk"
 .include "Makefile.common"
 COMMENT= Practical Extraction and Report Language
-PKGREVISION= 4
 CONFLICTS= perl-base-[0-9]* perl-thread-[0-9]* \
 p5-CGI-2.66{,nb*} p5-CGI-2.75{,nb*} p5-CGI-2.75.[0-2] \
diff --git a/lang/perl5/Makefile.common b/lang/perl5/Makefile.common
index a7a175c0a3d..3969d8a8a86 100644
--- a/lang/perl5/Makefile.common
+++ b/lang/perl5/Makefile.common
@@ -1,9 +1,9 @@
-# $NetBSD: Makefile.common,v 1.15 2012/11/04 10:31:46 adam Exp $
+# $NetBSD: Makefile.common,v 1.16 2013/04/03 09:28:55 adam Exp $
 #
 # used by lang/perl5/Makefile
 # used by databases/p5-gdbm/Makefile
-DISTNAME= perl-5.16.2
+DISTNAME= perl-5.16.3
 CATEGORIES= lang devel perl5
 MASTER_SITES= ${MASTER_SITE_PERL_CPAN:S,/modules/by-module/$,/src/5.0/,}
 DISTFILES+= ${DISTNAME}${EXTRACT_SUFX}
diff --git a/lang/perl5/distinfo b/lang/perl5/distinfo
index 2f36cd19282..72089265a11 100644
--- a/lang/perl5/distinfo
+++ b/lang/perl5/distinfo
@@ -1,9 +1,8 @@
-$NetBSD: distinfo,v 1.96 2013/03/09 03:19:10 obache Exp $
+$NetBSD: distinfo,v 1.97 2013/04/03 09:28:55 adam Exp $
-SHA1 (perl-5.16.2.tar.gz) = 9e20e38e3460ebbac895341fd70a02189d03a490
-RMD160 (perl-5.16.2.tar.gz) = 84f0233ac48059b4636661b023dd8a3389f9ae64
-Size (perl-5.16.2.tar.gz) = 16933974 bytes
-SHA1 (patch-CVE-2013-1667) = cabd5bf87301567266715c09483a13745116c6e0
+SHA1 (perl-5.16.3.tar.gz) = 83678adf56d3dc51f47a90444a891f4fe16868da
+RMD160 (perl-5.16.3.tar.gz) = e1fe549e5e085c0e089c63d7994d7f11cde059a8
+Size (perl-5.16.3.tar.gz) = 16930885 bytes
 SHA1 (patch-aa) = 9066746c6e6ed0d58962f52de1ae773e210cfcb5
 SHA1 (patch-ab) = ddddf24cfa96c3b95202c2081006e0c7216afa1d
 SHA1 (patch-ac) = cd918ae7aedddfcd3d555a1d1388c4c8719ccd12
diff --git a/lang/perl5/patches/patch-CVE-2013-1667 b/lang/perl5/patches/patch-CVE-2013-1667
deleted file mode 100644
index 8476a21cc05..00000000000
--- a/lang/perl5/patches/patch-CVE-2013-1667
+++ /dev/null
@@ -1,147 +0,0 @@ -$NetBSD: patch-CVE-2013-1667,v 1.1 2013/03/08 21:28:18 tez Exp $ - -Patch for CVE-2013-1667 from -https://bugzilla.redhat.com/show_bug.cgi?id=912276 - ---- ext/Hash-Util-FieldHash/t/10_hash.t -+++ ext/Hash-Util-FieldHash/t/10_hash.t -@@ -38,15 +38,29 @@ use constant START => "a"; - - # some initial hash data - fieldhash my %h2; --%h2 = map {$_ => 1} 'a'..'cc'; -+my $counter= "a"; -+$h2{$counter++}++ while $counter ne 'cd'; - - ok (!Internals::HvREHASH(%h2), - "starting with pre-populated non-pathological hash (rehash flag if off)"); - - my @keys = get_keys(\%h2); -+my $buckets= buckets(\%h2); - $h2{$_}++ for @keys; -+$h2{$counter++}++ while buckets(\%h2) == $buckets; # force a split - ok (Internals::HvREHASH(%h2), -- scalar(@keys) . " colliding into the same bucket keys are triggering rehash"); -+ scalar(@keys) . " colliding into the same bucket keys are triggering rehash after split"); -+ -+# returns the number of buckets in a hash -+sub buckets { -+ my $hr = shift; -+ my $keys_buckets= scalar(%$hr); -+ if ($keys_buckets=~m!/([0-9]+)\z!) { -+ return 0+$1; -+ } else { -+ return 8; -+ } -+} - - sub get_keys { - my $hr = shift; ---- hv.c -+++ hv.c -@@ -35,7 +35,8 @@ holds the key and hash value. - #define PERL_HASH_INTERNAL_ACCESS - #include "perl.h" - --#define HV_MAX_LENGTH_BEFORE_SPLIT 14 -+#define HV_MAX_LENGTH_BEFORE_REHASH 14 -+#define SHOULD_DO_HSPLIT(xhv) ((xhv)->xhv_keys > (xhv)->xhv_max) /* HvTOTALKEYS(hv) > HvMAX(hv) */ - - static const char S_strtab_error[] - = "Cannot modify shared string table in hv_%s"; -@@ -798,29 +799,9 @@ Perl_hv_common(pTHX_ HV *hv, SV *keysv, const char *key, STRLEN klen, - if (masked_flags & HVhek_ENABLEHVKFLAGS) - HvHASKFLAGS_on(hv); - -- { -- const HE *counter = HeNEXT(entry); -- -- xhv->xhv_keys++; /* HvTOTALKEYS(hv)++ */ -- if (!counter) { /* initial entry? 
*/ -- } else if (xhv->xhv_keys > xhv->xhv_max) { -- /* Use only the old HvUSEDKEYS(hv) > HvMAX(hv) condition to limit -- bucket splits on a rehashed hash, as we're not going to -- split it again, and if someone is lucky (evil) enough to -- get all the keys in one list they could exhaust our memory -- as we repeatedly double the number of buckets on every -- entry. Linear search feels a less worse thing to do. */ -- hsplit(hv); -- } else if(!HvREHASH(hv)) { -- U32 n_links = 1; -- -- while ((counter = HeNEXT(counter))) -- n_links++; -- -- if (n_links > HV_MAX_LENGTH_BEFORE_SPLIT) { -- hsplit(hv); -- } -- } -+ xhv->xhv_keys++; /* HvTOTALKEYS(hv)++ */ -+ if ( SHOULD_DO_HSPLIT(xhv) ) { -+ hsplit(hv); - } - - if (return_svp) { -@@ -1197,7 +1178,7 @@ S_hsplit(pTHX_ HV *hv) - - - /* Pick your policy for "hashing isn't working" here: */ -- if (longest_chain <= HV_MAX_LENGTH_BEFORE_SPLIT /* split worked? */ -+ if (longest_chain <= HV_MAX_LENGTH_BEFORE_REHASH /* split worked? */ - || HvREHASH(hv)) { - return; - } -@@ -2782,8 +2763,8 @@ S_share_hek_flags(pTHX_ const char *str, I32 len, register U32 hash, int flags) - - xhv->xhv_keys++; /* HvTOTALKEYS(hv)++ */ - if (!next) { /* initial entry? */ -- } else if (xhv->xhv_keys > xhv->xhv_max /* HvUSEDKEYS(hv) > HvMAX(hv) */) { -- hsplit(PL_strtab); -+ } else if ( SHOULD_DO_HSPLIT(xhv) ) { -+ hsplit(PL_strtab); - } - } - ---- t/op/hash.t -+++ t/op/hash.t -@@ -39,22 +39,36 @@ use constant THRESHOLD => 14; - use constant START => "a"; - - # some initial hash data --my %h2 = map {$_ => 1} 'a'..'cc'; -+my %h2; -+my $counter= "a"; -+$h2{$counter++}++ while $counter ne 'cd'; - - ok (!Internals::HvREHASH(%h2), - "starting with pre-populated non-pathological hash (rehash flag if off)"); - - my @keys = get_keys(\%h2); -+my $buckets= buckets(\%h2); - $h2{$_}++ for @keys; -+$h2{$counter++}++ while buckets(\%h2) == $buckets; # force a split - ok (Internals::HvREHASH(%h2), -- scalar(@keys) . 
" colliding into the same bucket keys are triggering rehash"); -+ scalar(@keys) . " colliding into the same bucket keys are triggering rehash after split"); -+ -+# returns the number of buckets in a hash -+sub buckets { -+ my $hr = shift; -+ my $keys_buckets= scalar(%$hr); -+ if ($keys_buckets=~m!/([0-9]+)\z!) { -+ return 0+$1; -+ } else { -+ return 8; -+ } -+} - - sub get_keys { - my $hr = shift; - - # the minimum of bits required to mount the attack on a hash - my $min_bits = log(THRESHOLD)/log(2); -- - # if the hash has already been populated with a significant amount - # of entries the number of mask bits can be higher - my $keys = scalar keys %$hr; --- -- cgit v1.2.3