diff --git a/perl-5.31.0-PATCH-perl-134134-read-beyond-end-of-buffer.patch b/perl-5.31.0-PATCH-perl-134134-read-beyond-end-of-buffer.patch
new file mode 100644
index 0000000..3132285
--- /dev/null
+++ b/perl-5.31.0-PATCH-perl-134134-read-beyond-end-of-buffer.patch
@@ -0,0 +1,41 @@
+From 2d26cf4aed90a77ac5e93ddec29770756027b788 Mon Sep 17 00:00:00 2001
+From: Karl Williamson
+Date: Fri, 24 May 2019 09:15:59 -0600
+Subject: [PATCH] PATCH: [perl #134134] read beyond end of buffer
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This turns out to be because of a special input case in myatof3(),
+wherein if the input length is 0, it call strlen to find the length.
+
+The solution is to add a test and not call the function unless the
+length is positive.
+
+Signed-off-by: Petr Písař
+---
+ regcomp.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/regcomp.c b/regcomp.c
+index 9bd6dd3739..3ad09c52b2 100644
+--- a/regcomp.c
++++ b/regcomp.c
+@@ -23428,10 +23428,12 @@ Perl_parse_uniprop_string(pTHX_
+ * NV. */
+
+ NV value;
++ SSize_t value_len = lookup_len - equals_pos;
+
+ /* Get the value */
+- if (my_atof3(lookup_name + equals_pos, &value,
+- lookup_len - equals_pos)
++ if ( value_len <= 0
++ || my_atof3(lookup_name + equals_pos, &value,
++ value_len)
+ != lookup_name + lookup_len)
+ {
+ goto failed;
+--
+2.20.1
+
diff --git a/perl.spec b/perl.spec
index 6589ccd..c2415db 100644
--- a/perl.spec
+++ b/perl.spec
@@ -83,7 +83,7 @@ License: GPL+ or Artistic
 Epoch: %{perl_epoch}
 Version: %{perl_version}
 # release number must be even higher, because dual-lived modules will be broken otherwise
-Release: 439%{?dist}
+Release: 440%{?dist}
 Summary: Practical Extraction and Report Language
 Url: https://www.perl.org/
 Source0: https://www.cpan.org/src/5.0/perl-%{perl_version}.tar.xz
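Review bot: In the regcomp.c hunk carried by the new patch file, the `value_len <= 0` guard is added without a comment saying why a zero length must never reach `my_atof3()`; the reason (a length of 0 makes it fall back to `strlen()`, per the commit message) is recorded only in the patch header. A comment above the test such as `/* my_atof3() treats len 0 as "use strlen()", which could read past the end of lookup_name */` would keep a later cleanup from folding the check away. The fix is also caller-side only: the len-0 fallback itself is unchanged, so any other caller that passes a computed length for a buffer that is not NUL-terminated would have the same over-read and is worth auditing. The declarations of `lookup_len` and `equals_pos` are outside the hunk; if they are unsigned, the `<= 0` test depends on the difference converting to a negative `SSize_t`, so an explicit `equals_pos >= lookup_len` comparison would be clearer. Perl_parse_uniprop_string starts and ends outside the hunk.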
@@ -147,6 +147,10 @@ Patch12: perl-5.27.8-hints-linux-Add-lphtread-to-lddlflags.patch # Pass the correct CFLAGS to dtrace Patch13: perl-5.28.0-Pass-CFLAGS-to-dtrace.patch +# Fix an out-of-buffer read while parsing a Unicode property name, RT#134134, +# fixed after 5.31.0 +Patch14: perl-5.31.0-PATCH-perl-134134-read-beyond-end-of-buffer.patch + # Link XS modules to libperl.so with EU::CBuilder on Linux, bug #960048 Patch200: perl-5.16.3-Link-XS-modules-to-libperl.so-with-EU-CBuilder-on-Li.patch @@ -2678,6 +2682,7 @@ Perl extension for Version Objects %patch11 -p1 %patch12 -p1 %patch13 -p1 +%patch14 -p1 %patch200 -p1 %patch201 -p1 @@ -2698,6 +2703,7 @@ perl -x patchlevel.h \ 'Fedora Patch11: Replace EU::MakeMaker dependency with EU::MM::Utils in IPC::Cmd (bug #1129443)' \ 'Fedora Patch12: Link XS modules to pthread library to fix linking with -z defs' \ 'Fedora Patch13: Pass the correct CFLAGS to dtrace' \ + 'Fedora Patch14: Fix an out-of-buffer read while parsing a Unicode property name (RT#134134)' \ 'Fedora Patch200: Link XS modules to libperl.so with EU::CBuilder on Linux' \ 'Fedora Patch201: Link XS modules to libperl.so with EU::MM on Linux' \ %{nil} @@ -4943,6 +4949,9 @@ popd # Old changelog entries are preserved in CVS. %changelog +* Tue Jun 25 2019 Petr Pisar - 4:5.30.0-440 +- Fix an out-of-buffer read while parsing a Unicode property name (RT#134134) + * Tue Jun 11 2019 Jitka Plesnikova - 4:5.30.0-439 - Define %%perl_vendor*, %%perl_archlib, %%perl_privlib, because in rpm 4.15 those are no longer defined