From bff7e1b43d439a254d8ddf9bf035616047eb5e57 Mon Sep 17 00:00:00 2001 From: Marcela Mašláňová Date: Dec 22 2009 09:13:49 +0000 Subject: - 547656 CVE-2009-3626 perl: regexp matcher crash on invalid UTF-8 characters - 549306 version::Internals should be packaged in perl-version subpackage --- diff --git a/perl-5.10.1-CVE_2009_3626.patch b/perl-5.10.1-CVE_2009_3626.patch new file mode 100644 index 0000000..bde4dff --- /dev/null +++ b/perl-5.10.1-CVE_2009_3626.patch 
@@ -0,0 +1,87 @@ +diff -up perl-5.10.1/ext/re/t/regop.t.git perl-5.10.1/ext/re/t/regop.t +--- perl-5.10.1/ext/re/t/regop.t.git 2009-12-21 19:31:07.564141841 +0100 ++++ perl-5.10.1/ext/re/t/regop.t 2009-12-21 19:31:55.158142088 +0100 +@@ -233,12 +233,12 @@ anchored "ABC" at 0 + #Freeing REx: "(\\.COM|\\.EXE|\\.BAT|\\.CMD|\\.VBS|\\.VBE|\\.JS|\\.JSE|\\."...... + %MATCHED% + floating ""$ at 3..4 (checking floating) +-1:1[1] 3:2[1] 5:2[64] 45:83[1] 47:84[1] 48:85[0] +-stclass EXACTF <.> minlen 3 +-Found floating substr ""$ at offset 30... +-Does not contradict STCLASS... +-Guessed: match at offset 26 +-Matching stclass EXACTF <.> against ".exe" ++#1:1[1] 3:2[1] 5:2[64] 45:83[1] 47:84[1] 48:85[0] ++#stclass EXACTF <.> minlen 3 ++#Found floating substr ""$ at offset 30... ++#Does not contradict STCLASS... ++#Guessed: match at offset 26 ++#Matching stclass EXACTF <.> against ".exe" + --- + #Compiling REx "[q]" + #size 12 nodes Got 100 bytes for offset annotations. +@@ -258,4 +258,4 @@ Got 100 bytes for offset annotations. + Offsets: [12] + 1:1[3] 3:4[0] + %MATCHED% +-Freeing REx: "[q]" +\ No newline at end of file ++Freeing REx: "[q]" +diff -up perl-5.10.1/regcomp.c.git perl-5.10.1/regcomp.c +--- perl-5.10.1/regcomp.c.git 2009-12-21 19:32:05.893141719 +0100 ++++ perl-5.10.1/regcomp.c 2009-12-21 19:33:35.106141384 +0100 +@@ -2820,13 +2820,16 @@ S_study_chunk(pTHX_ RExC_state_t *pRExC_ + } + } else { + /* +- Currently we assume that the trie can handle unicode and ascii +- matches fold cased matches. If this proves true then the following +- define will prevent tries in this situation. +- +- #define TRIE_TYPE_IS_SAFE (UTF || optype==EXACT) +-*/ ++ Currently we do not believe that the trie logic can ++ handle case insensitive matching properly when the ++ pattern is not unicode (thus forcing unicode semantics). ++ If/when this is fixed the following define can be swapped ++ in below to fully enable trie logic. 
+ #define TRIE_TYPE_IS_SAFE 1 ++ ++*/ ++#define TRIE_TYPE_IS_SAFE (UTF || optype==EXACT) ++ + if ( last && TRIE_TYPE_IS_SAFE ) { + make_trie( pRExC_state, + startbranch, first, cur, tail, count, +diff -up perl-5.10.1/regexec.c.git perl-5.10.1/regexec.c +--- perl-5.10.1/regexec.c.git 2009-12-21 19:33:50.570141632 +0100 ++++ perl-5.10.1/regexec.c 2009-12-21 19:36:41.300142175 +0100 +@@ -1006,16 +1006,15 @@ Perl_re_intuit_start(pTHX_ REGEXP * cons + + #define REXEC_TRIE_READ_CHAR(trie_type, trie, widecharmap, uc, uscan, len, \ + uvc, charid, foldlen, foldbuf, uniflags) STMT_START { \ +- UV uvc_unfolded = 0; \ + switch (trie_type) { \ + case trie_utf8_fold: \ + if ( foldlen>0 ) { \ +- uvc_unfolded = uvc = utf8n_to_uvuni( uscan, UTF8_MAXLEN, &len, uniflags ); \ ++ uvc = utf8n_to_uvuni( uscan, UTF8_MAXLEN, &len, uniflags ); \ + foldlen -= len; \ + uscan += len; \ + len=0; \ + } else { \ +- uvc_unfolded = uvc = utf8n_to_uvuni( (U8*)uc, UTF8_MAXLEN, &len, uniflags ); \ ++ uvc = utf8n_to_uvuni( (U8*)uc, UTF8_MAXLEN, &len, uniflags ); \ + uvc = to_uni_fold( uvc, foldbuf, &foldlen ); \ + foldlen -= UNISKIP( uvc ); \ + uscan = foldbuf + UNISKIP( uvc ); \ +@@ -1054,9 +1053,6 @@ uvc, charid, foldlen, foldbuf, uniflags) + charid = (U16)SvIV(*svpp); \ + } \ + } \ +- if (!charid && trie_type == trie_utf8_fold && !UTF) { \ +- charid = trie->charmap[uvc_unfolded]; \ +- } \ + } STMT_END + + #define REXEC_FBC_EXACTISH_CHECK(CoNd) \ diff --git a/perl.spec b/perl.spec index f0fa51b..4c8c1a3 100644 --- a/perl.spec +++ b/perl.spec @@ -7,7 +7,7 @@ Name: perl Version: %{perl_version} -Release: 107%{?dist} +Release: 108%{?dist} Epoch: %{perl_epoch} Summary: Practical Extraction and Report Language Group: Development/Languages 
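Review bot: The regop.t section of the added patch turns six expected-output lines (from `1:1[1] 3:2[1] ...` through `Matching stclass EXACTF <.> against ".exe"`) into `#` lines instead of replacing them with what the fixed matcher prints, so that part of the debug-output check appears to be switched off, and no case is added that runs a case-insensitive alternation over malformed UTF-8. A regression test for the crash named in the subject would let later rebases confirm the fix is still in effect. In regexec.c the fallback `charid = trie->charmap[uvc_unfolded];` is removed, but both remaining `utf8n_to_uvuni(..., UTF8_MAXLEN, &len, uniflags)` calls still pass a fixed maximum length rather than the bytes left in the input, which is worth confirming against the end of the subject string. A one-line comment above the new define, such as `/* CVE-2009-3626: no trie for case-insensitive branches unless the pattern is UTF-8 */`, would tie the disabled optimisation to the advisory. The macro and S_study_chunk both begin and end outside the hunks shown.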
@@ -65,6 +65,9 @@ Patch61: perl-much-better-swap-logic.patch # temporarily export debug symbols even though DEBUGGING is not set: Patch62: perl-add-symbols.patch +# CVE_2009_3626 rhbz#547656 +Patch63: perl-5.10.1-CVE_2009_3626.patch + # version macros for some of the modules: %define Archive_Extract_version 0.34 %define Archive_Tar_version 1.52 @@ -918,6 +921,7 @@ upstream tarball from perl.org. %patch58 -p1 %patch61 -p1 %patch62 -p1 +%patch63 -p1 #patch100 -p1 #patch101 -p1 @@ -1854,6 +1858,10 @@ make test # Old changelog entries are preserved in CVS. %changelog +* Tue Dec 22 2009 Marcela Mašláňová - 4:5.10.1-108 +- 547656 CVE-2009-3626 perl: regexp matcher crash on invalid UTF-8 characters +- 549306 version::Internals should be packaged in perl-version subpackage + * Mon Dec 21 2009 Chris Weyl - 4:5.10.1-107 - subpackage parent and Parse-CPAN-Meta; add them to core's dep list
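Review bot: The comment added above `Patch63` gives the CVE and bug number but not where the patch came from, so a later rebase cannot tell whether the new upstream release already carries the fix. If it is an upstream backport, a line such as `# CVE-2009-3626 rhbz#547656, backported from upstream commit <UPSTREAM_COMMIT_ID>` would record that. The changelog entry also lists 549306 (version::Internals in the perl-version subpackage), yet none of the perl.spec hunks shown here touches a %files or subpackage section, so that change may be missing from this commit or made somewhere not visible on this page.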