From 5125c6cf8fcd7d74b1691100245dfe99fd5a405e Mon Sep 17 00:00:00 2001
From: Jitka Plesnikova
Date: Thu, 14 Dec 2023 16:45:51 +0100
Subject: [PATCH] Resolves: RHEL-9512 - Fix unsafe decoding in indef case

---
 Convert-ASN1-0.27-CVE-2013-7488.patch | 45 +++++++++++++++++++++++++++
 perl-Convert-ASN1.spec | 15 ++++++---
 2 files changed, 56 insertions(+), 4 deletions(-)
 create mode 100644 Convert-ASN1-0.27-CVE-2013-7488.patch

diff --git a/Convert-ASN1-0.27-CVE-2013-7488.patch b/Convert-ASN1-0.27-CVE-2013-7488.patch
new file mode 100644
index 0000000..4bc9a6f
--- /dev/null
+++ b/Convert-ASN1-0.27-CVE-2013-7488.patch
@@ -0,0 +1,45 @@
+From ce148a2e0872b708450005cf0b3a944014aae990 Mon Sep 17 00:00:00 2001
+From: Dana Jacobsen
+Date: Tue, 29 Oct 2013 08:37:48 -0700
+Subject: [PATCH 1/2] Fix unsafe decoding in indef case
+
+Bug: https://github.com/gbarr/perl-Convert-ASN1/pull/15
+---
+ lib/Convert/ASN1/_decode.pm | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/lib/Convert/ASN1/_decode.pm b/lib/Convert/ASN1/_decode.pm
+index e811e8d..eb2b584 100644
+--- a/lib/Convert/ASN1/_decode.pm
++++ b/lib/Convert/ASN1/_decode.pm
+@@ -685,6 +685,7 @@ sub _scan_indef {
+ if((unpack("C",$tag) & 0x1f) == 0x1f) {
+ my $b;
+ do {
++ return if $pos >= $end;
+ $tag .= substr($_[0],$pos++,1);
+ $b = ord substr($tag,-1);
+ } while($b & 0x80);
+
+From 8125d99e15596fee1b5f904ed74a76bccf54082d Mon Sep 17 00:00:00 2001
+From: Dana Jacobsen
+Date: Tue, 29 Oct 2013 08:53:09 -0700
+Subject: [PATCH 2/2] Add second part of position check
+
+Bug: https://github.com/gbarr/perl-Convert-ASN1/pull/15
+---
+ lib/Convert/ASN1/_decode.pm | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/lib/Convert/ASN1/_decode.pm b/lib/Convert/ASN1/_decode.pm
+index eb2b584..67b95aa 100644
+--- a/lib/Convert/ASN1/_decode.pm
++++ b/lib/Convert/ASN1/_decode.pm
+@@ -679,6 +679,7 @@ sub _scan_indef {
+ $pos += 2;
+ next;
+ }
++ return if $pos >= $end;
+ 
+ my $tag = substr($_[0], $pos++, 1);
+ 
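Review bot: The guard added inside the `do { ... } while($b & 0x80)` loop in the first embedded hunk is what breaks the unbounded loop, but nothing in the patch says so: once `$pos` runs past the buffer, `substr($_[0],$pos++,1)` appends nothing, so `ord substr($tag,-1)` keeps yielding the previous byte with its 0x80 continuation bit set and the loop never exits. I would put a comment above the new line: `# truncated long-form tag: a past-the-end substr appends nothing, so the last byte's continuation bit would keep this loop running forever`. The second embedded hunk's `return if $pos >= $end;` before `my $tag = substr($_[0], $pos++, 1);` bounds the first tag byte the same way, so together they cover every read of the tag octets; the length-octet reads that follow are outside both hunks and I cannot confirm from here that they are guarded. The packaging patch carries no regression test, and a `t/` case decoding a BER value whose indefinite-length content ends in the middle of a multi-byte tag would pin the fix. `_scan_indef` begins and ends outside both hunks.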
diff --git a/perl-Convert-ASN1.spec b/perl-Convert-ASN1.spec
index 47bc29b..cdf205d 100644
--- a/perl-Convert-ASN1.spec
+++ b/perl-Convert-ASN1.spec
@@ -4,7 +4,7 @@
 Summary: ASN.1 encode/decode library
 Name: perl-Convert-ASN1
 Version: 0.27
-Release: 17%{?dist}
+Release: 18%{?dist}
 License: GPL+ or Artistic
 URL: https://metacpan.org/release/Convert-ASN1
 Source0: https://cpan.metacpan.org/authors/id/G/GB/GBARR/Convert-ASN1-%{version}.tar.gz
@@ -13,6 +13,9 @@ Patch0: Convert-ASN1-0.27-Correct-shebangs-in-tests.patch
 # Allow running tests from a read-only location,
 #
 Patch1: Convert-ASN1-0.27-Use-temporary-output-files-for-tests.patch
+# Fix unsafe decoding in indef case,
+#
+Patch2: Convert-ASN1-0.27-CVE-2013-7488.patch
 BuildArch: noarch
 BuildRequires: coreutils
 BuildRequires: make
@@ -72,8 +75,9 @@ with "%{_libexecdir}/%{name}/test".
 
 %prep
 %setup -q -n Convert-ASN1-%{version}
-%patch0 -p1
-%patch1 -p1
+%patch -P0 -p1
+%patch -P1 -p1
+%patch -P2 -p1
 chmod +x t/*.t
 
 %build
@@ -86,7 +90,7 @@ mkdir -p %{buildroot}/%{_libexecdir}/%{name}
 cp -a t %{buildroot}/%{_libexecdir}/%{name}
 cat > %{buildroot}/%{_libexecdir}/%{name}/test << 'EOF'
 #!/bin/sh
-cd %{_libexecdir}/%{name} && exec prove -I . -j $(getconf _NPROCESSORS_ONLN)
+cd %{_libexecdir}/%{name} && exec prove -I . -j "$(getconf _NPROCESSORS_ONLN)"
 EOF
 chmod +x %{buildroot}/%{_libexecdir}/%{name}/test
 %{_fixperms} %{buildroot}/*
@@ -105,6 +109,9 @@ make test
 %{_libexecdir}/%{name}
 
 %changelog
+* Thu Dec 14 2023 Jitka Plesnikova - 0.27-18
+- Fix unsafe decoding in indef case (CVE-2013-7488)
+
 * Tue Sep 17 2019 Petr Pisar - 0.27-17
 - Bump a release to replace the EPEL package (bug #1746898)
 
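Review bot: The changelog entry in the last hunk records only the CVE fix, yet the `%prep` hunk also rewrites `%patch0 -p1`/`%patch1 -p1` as `%patch -P0 -p1`/`%patch -P1 -p1` and the `%install` hunk quotes `$(getconf _NPROCESSORS_ONLN)` in the generated test wrapper; both are behaviour changes a packager reading the history will want named. I would extend the entry with a second line such as `- Switch to %patch -P syntax and quote the prove -j argument`. The `-P` form is presumably the one newer rpm expects, which the entry could state as the reason. The `+#` line under `+# Fix unsafe decoding in indef case,` appears to carry no reference here; if that is not a rendering artefact, the upstream PR URL already given in the patch header's `Bug:` line belongs on it.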