From ccef258de2722d2bcd00cafd0207c7909760eb86 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= Date: Thu, 14 Mar 2013 17:15:58 +0100 Subject: [PATCH] 5.16.3 bump --- .gitignore | 1 + ...ble-with-XS-APItest-t-clone-with-sta.patch | 56 ------ perl-5.16.2-CVE-2013-1667.patch | 170 ------------------ perl.spec | 29 ++- sources | 6 +- 5 files changed, 14 insertions(+), 248 deletions(-) delete mode 100644 perl-5.16.1-perl-111610-Trouble-with-XS-APItest-t-clone-with-sta.patch delete mode 100644 perl-5.16.2-CVE-2013-1667.patch diff --git a/.gitignore b/.gitignore index 88ffbb4..78e5ce4 100644 --- a/.gitignore +++ b/.gitignore @@ -15,3 +15,4 @@ filter-requires.sh /perl-5.16.1-228.fc19.src.rpm /perl-5.16.1.tar.gz /perl-5.16.2.tar.gz +/perl-5.16.3.tar.bz2 diff --git a/perl-5.16.1-perl-111610-Trouble-with-XS-APItest-t-clone-with-sta.patch b/perl-5.16.1-perl-111610-Trouble-with-XS-APItest-t-clone-with-sta.patch deleted file mode 100644 index f3d9fda..0000000 --- a/perl-5.16.1-perl-111610-Trouble-with-XS-APItest-t-clone-with-sta.patch +++ /dev/null @@ -1,56 +0,0 @@ -From 4a808ed163df1057031bc6d085300fe1ef6f57d2 Mon Sep 17 00:00:00 2001 -From: Michael Schroeder -Date: Fri, 8 Jun 2012 20:29:54 -0700 -Subject: [PATCH] [perl #111610] Trouble with XS-APItest/t/clone-with-stack.t - -I ran into a bit of a problem when building perl-5.16.0. -'make test' showed a segfault in ext/XS-APItest/t/clone-with-stack.t. -It seems to be caused by accessing already freed memory, it -segfaults because I have MALLOC_PERTUBE_ set, thus glibc fills -freed memory with some value. - -Digging deeper, it seems like perl_clone() does not fix -the cx's blk_oldcop element when doing context cloning, thus -blk_oldcop still points to PL_compiling in the old interp--the -calling scope for the BEGIN block being the compilation of the -code surrounding it--and the POPBLOCK done in leavesub will copy -the data from the old interp to PL_curcop. - -After fixing this, it still crashed because interp_dup->Iop was -zero after the runops_standard() call (which is probably -correct as the end of the BEGIN block was reached). So I -also added an if statement that checks the pointer. ---- - ext/XS-APItest/APItest.xs | 3 ++- - sv.c | 1 + - 2 files changed, 3 insertions(+), 1 deletion(-) - -diff --git a/ext/XS-APItest/APItest.xs b/ext/XS-APItest/APItest.xs -index 2c0ee61..69b7066 100644 ---- a/ext/XS-APItest/APItest.xs -+++ b/ext/XS-APItest/APItest.xs -@@ -3084,7 +3084,8 @@ CODE: - PERL_SET_CONTEXT(interp_dup); - - /* continue after 'clone_with_stack' */ -- interp_dup->Iop = interp_dup->Iop->op_next; -+ if (interp_dup->Iop) -+ interp_dup->Iop = interp_dup->Iop->op_next; - - /* run with new perl */ - Perl_runops_standard(interp_dup); -diff --git a/sv.c b/sv.c -index 2034c00..fcd76a9 100644 ---- a/sv.c -+++ b/sv.c -@@ -12312,6 +12312,7 @@ Perl_cx_dup(pTHX_ PERL_CONTEXT *cxs, I32 ix, I32 max, CLONE_PARAMS* param) - Perl_croak(aTHX_ "Cloning substitution context is unimplemented"); - } - else { -+ ncx->blk_oldcop = (COP*)any_dup(ncx->blk_oldcop, param->proto_perl); - switch (CxTYPE(ncx)) { - case CXt_SUB: - ncx->blk_sub.cv = (ncx->blk_sub.olddepth == 0 --- -1.7.11.4 - diff --git a/perl-5.16.2-CVE-2013-1667.patch b/perl-5.16.2-CVE-2013-1667.patch deleted file mode 100644 index 61ed14b..0000000 --- a/perl-5.16.2-CVE-2013-1667.patch +++ /dev/null @@ -1,170 +0,0 @@ -From 6e79fe5714a72b1ef86dc890ff60746cdd19f854 Mon Sep 17 00:00:00 2001 -From: Yves Orton -Date: Tue, 12 Feb 2013 10:53:05 +0100 -Subject: [PATCH] Prevent premature hsplit() calls, and only trigger REHASH - after hsplit() - -Triggering a hsplit due to long chain length allows an attacker -to create a carefully chosen set of keys which can cause the hash -to use 2 * (2**32) * sizeof(void *) bytes ram. AKA a DOS via memory -exhaustion. Doing so also takes non trivial time. - -Eliminating this check, and only inspecting chain length after a -normal hsplit() (triggered when keys>buckets) prevents the attack -entirely, and makes such attacks relatively benign. ---- - ext/Hash-Util-FieldHash/t/10_hash.t | 18 ++++++++++++++++-- - hv.c | 35 ++++++++--------------------------- - t/op/hash.t | 20 +++++++++++++++++--- - 3 files changed, 41 insertions(+), 32 deletions(-) - -diff --git a/ext/Hash-Util-FieldHash/t/10_hash.t b/ext/Hash-Util-FieldHash/t/10_hash.t -index 2cfb4e8..d58f053 100644 ---- a/ext/Hash-Util-FieldHash/t/10_hash.t -+++ b/ext/Hash-Util-FieldHash/t/10_hash.t -@@ -38,15 +38,29 @@ use constant START => "a"; - - # some initial hash data - fieldhash my %h2; --%h2 = map {$_ => 1} 'a'..'cc'; -+my $counter= "a"; -+$h2{$counter++}++ while $counter ne 'cd'; - - ok (!Internals::HvREHASH(%h2), - "starting with pre-populated non-pathological hash (rehash flag if off)"); - - my @keys = get_keys(\%h2); -+my $buckets= buckets(\%h2); - $h2{$_}++ for @keys; -+$h2{$counter++}++ while buckets(\%h2) == $buckets; # force a split - ok (Internals::HvREHASH(%h2), -- scalar(@keys) . " colliding into the same bucket keys are triggering rehash"); -+ scalar(@keys) . " colliding into the same bucket keys are triggering rehash after split"); -+ -+# returns the number of buckets in a hash -+sub buckets { -+ my $hr = shift; -+ my $keys_buckets= scalar(%$hr); -+ if ($keys_buckets=~m!/([0-9]+)\z!) { -+ return 0+$1; -+ } else { -+ return 8; -+ } -+} - - sub get_keys { - my $hr = shift; -diff --git a/hv.c b/hv.c -index 6b66251..a031703 100644 ---- a/hv.c -+++ b/hv.c -@@ -35,7 +35,8 @@ holds the key and hash value. - #define PERL_HASH_INTERNAL_ACCESS - #include "perl.h" - --#define HV_MAX_LENGTH_BEFORE_SPLIT 14 -+#define HV_MAX_LENGTH_BEFORE_REHASH 14 -+#define SHOULD_DO_HSPLIT(xhv) ((xhv)->xhv_keys > (xhv)->xhv_max) /* HvTOTALKEYS(hv) > HvMAX(hv) */ - - static const char S_strtab_error[] - = "Cannot modify shared string table in hv_%s"; -@@ -798,29 +799,9 @@ Perl_hv_common(pTHX_ HV *hv, SV *keysv, const char *key, STRLEN klen, - if (masked_flags & HVhek_ENABLEHVKFLAGS) - HvHASKFLAGS_on(hv); - -- { -- const HE *counter = HeNEXT(entry); -- -- xhv->xhv_keys++; /* HvTOTALKEYS(hv)++ */ -- if (!counter) { /* initial entry? */ -- } else if (xhv->xhv_keys > xhv->xhv_max) { -- /* Use only the old HvUSEDKEYS(hv) > HvMAX(hv) condition to limit -- bucket splits on a rehashed hash, as we're not going to -- split it again, and if someone is lucky (evil) enough to -- get all the keys in one list they could exhaust our memory -- as we repeatedly double the number of buckets on every -- entry. Linear search feels a less worse thing to do. */ -- hsplit(hv); -- } else if(!HvREHASH(hv)) { -- U32 n_links = 1; -- -- while ((counter = HeNEXT(counter))) -- n_links++; -- -- if (n_links > HV_MAX_LENGTH_BEFORE_SPLIT) { -- hsplit(hv); -- } -- } -+ xhv->xhv_keys++; /* HvTOTALKEYS(hv)++ */ -+ if ( SHOULD_DO_HSPLIT(xhv) ) { -+ hsplit(hv); - } - - if (return_svp) { -@@ -1197,7 +1178,7 @@ S_hsplit(pTHX_ HV *hv) - - - /* Pick your policy for "hashing isn't working" here: */ -- if (longest_chain <= HV_MAX_LENGTH_BEFORE_SPLIT /* split worked? */ -+ if (longest_chain <= HV_MAX_LENGTH_BEFORE_REHASH /* split worked? */ - || HvREHASH(hv)) { - return; - } -@@ -2782,8 +2763,8 @@ S_share_hek_flags(pTHX_ const char *str, I32 len, register U32 hash, int flags) - - xhv->xhv_keys++; /* HvTOTALKEYS(hv)++ */ - if (!next) { /* initial entry? */ -- } else if (xhv->xhv_keys > xhv->xhv_max /* HvUSEDKEYS(hv) > HvMAX(hv) */) { -- hsplit(PL_strtab); -+ } else if ( SHOULD_DO_HSPLIT(xhv) ) { -+ hsplit(PL_strtab); - } - } - -diff --git a/t/op/hash.t b/t/op/hash.t -index ef757a3..97eb81b 100644 ---- a/t/op/hash.t -+++ b/t/op/hash.t -@@ -39,22 +39,36 @@ use constant THRESHOLD => 14; - use constant START => "a"; - - # some initial hash data --my %h2 = map {$_ => 1} 'a'..'cc'; -+my %h2; -+my $counter= "a"; -+$h2{$counter++}++ while $counter ne 'cd'; - - ok (!Internals::HvREHASH(%h2), - "starting with pre-populated non-pathological hash (rehash flag if off)"); - - my @keys = get_keys(\%h2); -+my $buckets= buckets(\%h2); - $h2{$_}++ for @keys; -+$h2{$counter++}++ while buckets(\%h2) == $buckets; # force a split - ok (Internals::HvREHASH(%h2), -- scalar(@keys) . " colliding into the same bucket keys are triggering rehash"); -+ scalar(@keys) . " colliding into the same bucket keys are triggering rehash after split"); -+ -+# returns the number of buckets in a hash -+sub buckets { -+ my $hr = shift; -+ my $keys_buckets= scalar(%$hr); -+ if ($keys_buckets=~m!/([0-9]+)\z!) { -+ return 0+$1; -+ } else { -+ return 8; -+ } -+} - - sub get_keys { - my $hr = shift; - - # the minimum of bits required to mount the attack on a hash - my $min_bits = log(THRESHOLD)/log(2); -- - # if the hash has already been populated with a significant amount - # of entries the number of mask bits can be higher - my $keys = scalar keys %$hr; --- -1.8.1.4 - diff --git a/perl.spec b/perl.spec index def0214..af7c5d2 100644 --- a/perl.spec +++ b/perl.spec @@ -1,4 +1,4 @@ -%global perl_version 5.16.2 +%global perl_version 5.16.3 %global perl_epoch 4 %global perl_arch_stem -thread-multi %global perl_archname %{_arch}-%{_os}%{perl_arch_stem} @@ -29,7 +29,7 @@ Name: perl Version: %{perl_version} # release number must be even higher, because dual-lived modules will be broken otherwise -Release: 260%{?dist} +Release: 261%{?dist} Epoch: %{perl_epoch} Summary: Practical Extraction and Report Language Group: Development/Languages @@ -41,7 +41,7 @@ Group: Development/Languages # Copyright Only: for example ext/Text-Soundex/Soundex.xs License: (GPL+ or Artistic) and (GPLv2+ or Artistic) and Copyright Only and MIT and Public Domain and UCD Url: http://www.perl.org/ -Source0: http://www.cpan.org/src/5.0/perl-%{perl_version}.tar.gz +Source0: http://www.cpan.org/src/5.0/perl-%{perl_version}.tar.bz2 Source2: perl-5.8.0-libnet.cfg Source3: macros.perl #Systemtap tapset and example that make use of systemtap-sdt-devel @@ -82,9 +82,6 @@ Patch9: perl-5.14.2-find2perl-transtate-question-mark-properly.patch # Fix broken atof, rhbz#835452, RT#109318 Patch10: perl-5.16.0-fix-broken-atof.patch -# Do not access freed memory when cloning thread, rhbz#825749, RT#111610 -Patch11: perl-5.16.1-perl-111610-Trouble-with-XS-APItest-t-clone-with-sta.patch - # Clear $@ before `do' I/O error, rhbz#834226, RT#113730 Patch13: perl-5.16.1-RT-113730-should-be-cleared-on-do-IO-error.patch @@ -115,9 +112,6 @@ Patch20: perl-5.17.6-Fix-misparsing-of-maketext-strings.patch # Add NAME heading into CPAN PODs, rhbz#908113, CPANRT#73396 Patch21: perl-5.16.2-cpan-CPAN-add-NAME-headings-in-modules-with-POD.patch -# Fix CVE-2013-1667, rhbz#918008 -Patch22: perl-5.16.2-CVE-2013-1667.patch - # Update some of the bundled modules # see http://fedoraproject.org/wiki/Perl/perl.spec for instructions @@ -134,10 +128,11 @@ BuildRequires: procps, rsyslog # compat macro needed for rebuild -%global perl_compat perl(:MODULE_COMPAT_5.16.2) +%global perl_compat perl(:MODULE_COMPAT_5.16.3) # Compat provides Provides: %perl_compat +Provides: perl(:MODULE_COMPAT_5.16.2) Provides: perl(:MODULE_COMPAT_5.16.1) Provides: perl(:MODULE_COMPAT_5.16.0) @@ -567,7 +562,7 @@ Summary: Character encodings in Perl Group: Development/Libraries License: GPL+ or Artistic Epoch: 0 -Version: 2.44 +Version: 2.44.01 Requires: %perl_compat Conflicts: perl < 4:5.16.2-256 @@ -580,7 +575,7 @@ Summary: Character encodings in Perl Group: Development/Libraries License: GPL+ or Artistic Epoch: 0 -Version: 2.44 +Version: 2.44.01 Requires: %perl_compat Requires: %{name}-Encode = %{epoch}:%{version}-%{release} Requires: perl-devel @@ -945,7 +940,7 @@ Summary: Perl core modules indexed by perl versions Group: Development/Languages License: GPL+ or Artistic Epoch: 1 -Version: 2.70 +Version: 2.76.02 Requires: %perl_compat Requires: perl(version) BuildArch: noarch @@ -1576,7 +1571,6 @@ tarball from perl.org. %patch8 -p1 %patch9 -p1 %patch10 -p1 -%patch11 -p1 %patch13 -p1 %patch14 -p1 %patch15 -p1 @@ -1586,7 +1580,6 @@ tarball from perl.org. %patch19 -p1 %patch20 -p1 %patch21 -p1 -%patch22 -p1 #copy the example script cp -a %{SOURCE5} . @@ -1789,7 +1782,6 @@ pushd %{build_archlib}/CORE/ 'Fedora Patch7: Dont run one io test due to random builder failures' \ 'Fedora Patch9: Fix find2perl to translate ? glob properly (RT#113054)' \ 'Fedora Patch10: Fix broken atof (RT#109318)' \ - 'Fedora Patch11: Do not access freed memory when cloning thread (RT#111610)' \ 'Fedora Patch13: Clear $@ before "do" I/O error (RT#113730)' \ 'Fedora Patch14: Do not truncate syscall() return value to 32 bits (RT#113980)' \ 'Fedora Patch15: Override the Pod::Simple::parse_file (CPANRT#77530)' \ @@ -1799,7 +1791,6 @@ pushd %{build_archlib}/CORE/ 'Fedora Patch19: Do not crash when vivifying $|' \ 'Fedora Patch20: Fix misparsing of maketext strings (CVE-2012-6329)' \ 'Fedora Patch21: Add NAME headings to CPAN modules (CPANRT#73396)' \ - 'Fedora Patch22: Fix DoS in rehashing code (CVE-2013-1667)' \ %{nil} rm patchlevel.bak @@ -3079,6 +3070,10 @@ sed \ # Old changelog entries are preserved in CVS. %changelog +* Thu Mar 14 2013 Petr Pisar - 4:5.16.3-261 +- 5.16.3 bump (see + for release notes) + * Tue Mar 05 2013 Petr Pisar - 4:5.16.2-260 - Fix CVE-2013-1667 (DoS in rehashing code) (bug #918008) diff --git a/sources b/sources index a36ca00..7e9afef 100644 --- a/sources +++ b/sources @@ -1,5 +1 @@ -aceea3db13a159cd5f7e5f2e3ad9534f perl-5.8.0-libdir64.patch -ad5d07285d6e4914384b43c9abc2bdba filter-requires.sh -1737a36154bb5bca781296794afc6791 perl.stp -df28fe2c574e8807d0a803308c545dca perl-example.stp -0e57f2d01d96471d9effc3fb43175e84 perl-5.16.2.tar.gz +025102de0e4a597cf541e57da80c6aa3 perl-5.16.3.tar.bz2