- 547656 CVE-2009-3626 perl: regexp matcher crash on invalid UTF-8

characters
- 549306 version::Internals should be packaged in perl-version subpackage

perl-5.10.1-CVE_2009_3626.patch

@@ -0,0 +1,87 @@
+diff -up perl-5.10.1/ext/re/t/regop.t.git perl-5.10.1/ext/re/t/regop.t
+--- perl-5.10.1/ext/re/t/regop.t.git	2009-12-21 19:31:07.564141841 +0100
++++ perl-5.10.1/ext/re/t/regop.t	2009-12-21 19:31:55.158142088 +0100
+@@ -233,12 +233,12 @@ anchored "ABC" at 0
+ #Freeing REx: "(\\.COM|\\.EXE|\\.BAT|\\.CMD|\\.VBS|\\.VBE|\\.JS|\\.JSE|\\."......
+ %MATCHED%
+ floating ""$ at 3..4 (checking floating)
+-1:1[1] 3:2[1] 5:2[64] 45:83[1] 47:84[1] 48:85[0]
+-stclass EXACTF <.> minlen 3
+-Found floating substr ""$ at offset 30...
+-Does not contradict STCLASS...
+-Guessed: match at offset 26
+-Matching stclass EXACTF <.> against ".exe"
++#1:1[1] 3:2[1] 5:2[64] 45:83[1] 47:84[1] 48:85[0]
++#stclass EXACTF <.> minlen 3
++#Found floating substr ""$ at offset 30...
++#Does not contradict STCLASS...
++#Guessed: match at offset 26
++#Matching stclass EXACTF <.> against ".exe"
+ ---
+ #Compiling REx "[q]"
+ #size 12 nodes Got 100 bytes for offset annotations.
+@@ -258,4 +258,4 @@ Got 100 bytes for offset annotations.
+ Offsets: [12]
+ 1:1[3] 3:4[0]
+ %MATCHED%        
+-Freeing REx: "[q]"
+\ No newline at end of file
++Freeing REx: "[q]"
+diff -up perl-5.10.1/regcomp.c.git perl-5.10.1/regcomp.c
+--- perl-5.10.1/regcomp.c.git	2009-12-21 19:32:05.893141719 +0100
++++ perl-5.10.1/regcomp.c	2009-12-21 19:33:35.106141384 +0100
+@@ -2820,13 +2820,16 @@ S_study_chunk(pTHX_ RExC_state_t *pRExC_
+                                 }
+                             } else {
+ /* 
+-    Currently we assume that the trie can handle unicode and ascii
+-    matches fold cased matches. If this proves true then the following
+-    define will prevent tries in this situation. 
+-    
+-    #define TRIE_TYPE_IS_SAFE (UTF || optype==EXACT)
+-*/
++    Currently we do not believe that the trie logic can
++    handle case insensitive matching properly when the
++    pattern is not unicode (thus forcing unicode semantics).
++    If/when this is fixed the following define can be swapped
++    in below to fully enable trie logic.
+ #define TRIE_TYPE_IS_SAFE 1
++
++*/
++#define TRIE_TYPE_IS_SAFE (UTF || optype==EXACT)
++
+                                 if ( last && TRIE_TYPE_IS_SAFE ) {
+                                     make_trie( pRExC_state, 
+                                             startbranch, first, cur, tail, count, 
+diff -up perl-5.10.1/regexec.c.git perl-5.10.1/regexec.c
+--- perl-5.10.1/regexec.c.git	2009-12-21 19:33:50.570141632 +0100
++++ perl-5.10.1/regexec.c	2009-12-21 19:36:41.300142175 +0100
+@@ -1006,16 +1006,15 @@ Perl_re_intuit_start(pTHX_ REGEXP * cons
+ 
+ #define REXEC_TRIE_READ_CHAR(trie_type, trie, widecharmap, uc, uscan, len,  \
+ uvc, charid, foldlen, foldbuf, uniflags) STMT_START {                       \
+-    UV uvc_unfolded = 0;						    \
+     switch (trie_type) {                                                    \
+     case trie_utf8_fold:                                                    \
+ 	if ( foldlen>0 ) {                                                  \
+-	    uvc_unfolded = uvc = utf8n_to_uvuni( uscan, UTF8_MAXLEN, &len, uniflags ); \
++	    uvc = utf8n_to_uvuni( uscan, UTF8_MAXLEN, &len, uniflags ); \
+ 	    foldlen -= len;                                                 \
+ 	    uscan += len;                                                   \
+ 	    len=0;                                                          \
+ 	} else {                                                            \
+-	    uvc_unfolded = uvc = utf8n_to_uvuni( (U8*)uc, UTF8_MAXLEN, &len, uniflags ); \
++	    uvc = utf8n_to_uvuni( (U8*)uc, UTF8_MAXLEN, &len, uniflags ); \
+ 	    uvc = to_uni_fold( uvc, foldbuf, &foldlen );                    \
+ 	    foldlen -= UNISKIP( uvc );                                      \
+ 	    uscan = foldbuf + UNISKIP( uvc );                               \
+@@ -1054,9 +1053,6 @@ uvc, charid, foldlen, foldbuf, uniflags)
+ 		charid = (U16)SvIV(*svpp);                                  \
+ 	}                                                                   \
+     }                                                                       \
+-    if (!charid && trie_type == trie_utf8_fold && !UTF) {		    \
+-	charid = trie->charmap[uvc_unfolded];			    	    \
+-    }								    	    \
+ } STMT_END
+ 
+ #define REXEC_FBC_EXACTISH_CHECK(CoNd)                 \

perl.spec

@@ -7,7 +7,7 @@
 
 Name:           perl
 Version:        %{perl_version}
-Release:        107%{?dist}
+Release:        108%{?dist}
 Epoch:          %{perl_epoch}
 Summary:        Practical Extraction and Report Language
 Group:          Development/Languages
@@ -65,6 +65,9 @@ Patch61:	perl-much-better-swap-logic.patch
 # temporarily export debug symbols even though DEBUGGING is not set:
 Patch62:	perl-add-symbols.patch
 
+# CVE_2009_3626 rhbz#547656 
+Patch63:	perl-5.10.1-CVE_2009_3626.patch
+
 # version macros for some of the modules:
 %define			    Archive_Extract_version 0.34
 %define			    Archive_Tar_version 1.52
@@ -918,6 +921,7 @@ upstream tarball from perl.org.
 %patch58 -p1
 %patch61 -p1
 %patch62 -p1
+%patch63 -p1
 
 #patch100 -p1
 #patch101 -p1
@@ -1854,6 +1858,10 @@ make test
 
 # Old changelog entries are preserved in CVS.
 %changelog
+* Tue Dec 22 2009 Marcela Mašláňová <mmaslano@redhat.com> - 4:5.10.1-108
+- 547656 CVE-2009-3626 perl: regexp matcher crash on invalid UTF-8 characters  
+- 549306 version::Internals should be packaged in perl-version subpackage
+
 * Mon Dec 21 2009 Chris Weyl <cweyl@alumni.drew.edu> - 4:5.10.1-107
 - subpackage parent and Parse-CPAN-Meta; add them to core's dep list