Fix CVE-2012-6329

2013-01-11 13:42:11 +01:00 · 2013-01-11 13:42:11 +01:00 · add42744d7
commit add42744d7
parent 3d3077a686
2 changed files with 90 additions and 1 deletions
--- a/perl-5.17.6-Fix-misparsing-of-maketext-strings.patch
+++ b/perl-5.17.6-Fix-misparsing-of-maketext-strings.patch
@ -0,0 +1,81 @@
+From 1735f6f53ca19f99c6e9e39496c486af323ba6a8 Mon Sep 17 00:00:00 2001
+From: Brian Carlson <brian.carlson@cpanel.net>
+Date: Wed, 28 Nov 2012 08:54:33 -0500
+Subject: [PATCH] Fix misparsing of maketext strings.
+
+Case 61251: This commit fixes a misparse of maketext strings that could
+lead to arbitrary code execution.  Basically, maketext was compiling
+bracket notation into functions, but neglected to escape backslashes
+inside the content or die on fully-qualified method names when
+generating the code.  This change escapes all such backslashes and dies
+when a method name with a colon or apostrophe is specified.
+---
+ AUTHORS                                     |  1 +
+ dist/Locale-Maketext/lib/Locale/Maketext.pm | 24 ++++++++----------------
+ 2 files changed, 9 insertions(+), 16 deletions(-)
+
+diff --git a/AUTHORS b/AUTHORS
+index 70734b0..009dea0 100644
+--- a/AUTHORS
+++ b/AUTHORS
+@@ -154,6 +154,7 @@ Breno G. de Oliveira		<garu@cpan.org>
+ Brent Dax			<brentdax@cpan.org>
+ Brooks D Boyd
+ Brian Callaghan			<callagh@itginc.com>
+Brian Carlson			<brian.carlson@cpanel.net>
+ Brian Clarke			<clarke@appliedmeta.com>
+ brian d foy			<brian.d.foy@gmail.com>
+ Brian Fraser			<fraserbn@gmail.com>
+diff --git a/dist/Locale-Maketext/lib/Locale/Maketext.pm b/dist/Locale-Maketext/lib/Locale/Maketext.pm
+index 4822027..63e5fba 100644
+--- a/dist/Locale-Maketext/lib/Locale/Maketext.pm
+++ b/dist/Locale-Maketext/lib/Locale/Maketext.pm
+@@ -625,21 +625,9 @@ sub _compile {
+                         # 0-length method name means to just interpolate:
+                         push @code, ' (';
+                     }
+-                    elsif($m =~ /^\w+(?:\:\:\w+)*$/s
+-                            and $m !~ m/(?:^|\:)\d/s
+-                        # exclude starting a (sub)package or symbol with a digit
+                    elsif($m =~ /^\w+$/s
+                        # exclude anything fancy, especially fully-qualified module names
+                     ) {
+-                        # Yes, it even supports the demented (and undocumented?)
+-                        #  $obj->Foo::bar(...) syntax.
+-                        $target->_die_pointing(
+-                            $string_to_compile, q{Can't use "SUPER::" in a bracket-group method},
+-                            2 + length($c[-1])
+-                        )
+-                        if $m =~ m/^SUPER::/s;
+-                        # Because for SUPER:: to work, we'd have to compile this into
+-                        #  the right package, and that seems just not worth the bother,
+-                        #  unless someone convinces me otherwise.
+-
+                         push @code, ' $_[0]->' . $m . '(';
+                     }
+                     else {
+@@ -693,7 +681,9 @@ sub _compile {
+             elsif(substr($1,0,1) ne '~') {
+                 # it's stuff not containing "~" or "[" or "]"
+                 # i.e., a literal blob
+-                $c[-1] .= $1;
+                my $text = $1;
+                $text =~ s/\\/\\\\/g;
+                $c[-1] .= $text;
+ 
+             }
+             elsif($1 eq '~~') { # "~~"
+@@ -731,7 +721,9 @@ sub _compile {
+             else {
+                 # It's a "~X" where X is not a special character.
+                 # Consider it a literal ~ and X.
+-                $c[-1] .= $1;
+                my $text = $1;
+                $text =~ s/\\/\\\\/g;
+                $c[-1] .= $text;
+             }
+         }
+     }
+-- 
+1.7.11.7
+
--- a/perl.spec
+++ b/perl.spec
@ -29,7 +29,7 @@
 Name:           perl
 Version:        %{perl_version}
 # release number must be even higher, because dual-lived modules will be broken otherwise
-Release:        245%{?dist}
+Release:        246%{?dist}
 Epoch:          %{perl_epoch}
 Summary:        Practical Extraction and Report Language
 Group:          Development/Languages
@ -109,6 +109,9 @@ Patch18:        perl-5.16.1-perl-114984-Glob.xs-Extend-stack-when-returning.patc
 # Do not crash when vivifying $|, rhbz#865296, RT#115206
 Patch19:        perl-5.16.1-perl-115206-Don-t-crash-when-vivifying.patch

+# Fix CVE-2012-6329, rhbz#884354
+Patch20:        perl-5.17.6-Fix-misparsing-of-maketext-strings.patch
+
 # Update some of the bundled modules
 # see http://fedoraproject.org/wiki/Perl/perl.spec for instructions

@ -1381,6 +1384,7 @@ tarball from perl.org.
 %patch17 -p1
 %patch18 -p1
 %patch19 -p1
+%patch20 -p1

 #copy the example script
 cp -a %{SOURCE5} .
@ -1591,6 +1595,7 @@ pushd %{build_archlib}/CORE/
    'Fedora Patch17: Allow operator after numeric keyword argument (RT#105924)' \
    'Fedora Patch18: Extend stack in File::Glob::glob, (RT#114984)' \
    'Fedora Patch19: Do not crash when vivifying $|' \
+    'Fedora Patch20: Fix misparsing of maketext strings (CVE-2012-6329)' \
    %{nil}

 rm patchlevel.bak
@ -2745,6 +2750,9 @@ sed \

 # Old changelog entries are preserved in CVS.
 %changelog
+* Fri Jan 11 2013 Petr Pisar <ppisar@redhat.com> - 4:5.16.2-246
+- Fix CVE-2012-6329 (misparsing of maketext strings) (bug #884354)
+
 * Thu Jan 10 2013 Petr Pisar <ppisar@redhat.com> - 4:5.16.2-245
 - Do not package App::Cpan(3pm) to perl-Test-Harness (bug #893768)