From 2d6c9c3a895efea6531cee45a66ab5fca151f4a2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?=
Date: Tue, 20 Dec 2016 13:24:36 +0100
Subject: [PATCH] Fix crash in Storable when deserializing malformed code reference
---
 perl-5.25.7-Fix-Storable-segfaults.patch | 61 ++++++++++++++++++++++++
 perl-Storable.spec | 10 +++-
 2 files changed, 70 insertions(+), 1 deletion(-)
 create mode 100644 perl-5.25.7-Fix-Storable-segfaults.patch
diff --git a/perl-5.25.7-Fix-Storable-segfaults.patch b/perl-5.25.7-Fix-Storable-segfaults.patch
new file mode 100644
index 0000000..8934a13
--- /dev/null
+++ b/perl-5.25.7-Fix-Storable-segfaults.patch
@@ -0,0 +1,61 @@
+From fecd3be8dbdb747b9cbf4cbb9299ce40faabc8e6 Mon Sep 17 00:00:00 2001
+From: John Lightsey
+Date: Mon, 14 Nov 2016 11:56:15 +0100
+Subject: [PATCH] Fix Storable segfaults.
+
+Fix a null pointed dereference segfault in storable when the
+retrieve_code logic was unable to read the string that contained
+the code.
+
+Also fix several locations where retrieve_other was called with a
+null context pointer. This also resulted in a null pointer
+dereference.
+---
+ dist/Storable/Storable.xs | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/dist/Storable/Storable.xs b/dist/Storable/Storable.xs
+index 053951c..caa489c 100644
+--- a/dist/Storable/Storable.xs
++++ b/dist/Storable/Storable.xs
+@@ -5647,6 +5647,10 @@ static SV *retrieve_code(pTHX_ stcxt_t *cxt, const char *cname)
+ CROAK(("Unexpected type %d in retrieve_code\n", type));
+ }
+
++ if (!text) {
++ CROAK(("Unable to retrieve code\n"));
++ }
++
+ /*
+ * prepend "sub " to the source
+ */
+@@ -5767,7 +5771,7 @@ static SV *old_retrieve_array(pTHX_ stcxt_t *cxt, const char *cname)
+ continue; /* av_extend() already filled us with undef */
+ }
+ if (c != SX_ITEM)
+- (void) retrieve_other(aTHX_ (stcxt_t *) 0, 0); /* Will croak out */
++ (void) retrieve_other(aTHX_ cxt, 0); /* Will croak out */
+ TRACEME(("(#%d) item", i));
+ sv = retrieve(aTHX_ cxt, 0); /* Retrieve item */
+ if (!sv)
+@@ -5844,7 +5848,7 @@ static SV *old_retrieve_hash(pTHX_ stcxt_t *cxt, const char *cname)
+ if (!sv)
+ return (SV *) 0;
+ } else
+- (void) retrieve_other(aTHX_ (stcxt_t *) 0, 0); /* Will croak out */
++ (void) retrieve_other(aTHX_ cxt, 0); /* Will croak out */
+
+ /*
+ * Get key.
+@@ -5855,7 +5859,7 @@ static SV *old_retrieve_hash(pTHX_ stcxt_t *cxt, const char *cname)
+
+ GETMARK(c);
+ if (c != SX_KEY)
+- (void) retrieve_other(aTHX_ (stcxt_t *) 0, 0); /* Will croak out */
++ (void) retrieve_other(aTHX_ cxt, 0); /* Will croak out */
+ RLEN(size); /* Get key size */
+ KBUFCHK((STRLEN)size); /* Grow hash key read pool if needed */
+ if (size)
+--
+2.10.2
+
diff --git a/perl-Storable.spec b/perl-Storable.spec
index c9de181..3574085 100644
--- a/perl-Storable.spec
+++ b/perl-Storable.spec
@@ -3,7 +3,7 @@
 Name: perl-Storable
 Epoch: 1
 Version: 2.56
-Release: 366%{?dist}
+Release: 367%{?dist}
 Summary: Persistence for Perl data structures
 License: GPL+ or Artistic
 Group: Development/Libraries
@@ -15,6 +15,9 @@ Patch0: Storable-2.51-Upgrade-to-2.53.patch
 Patch1: Storable-2.53-Upgrade-to-2.56.patch
 # Avoid loading optional modules from default . (CVE-2016-1238)
 Patch2: Storable-2.56-CVE-2016-1238-avoid-loading-optional-modules-from.patch
+# Fix crash in Storable when deserializing malformed code reference, RT#68348,
+# RT130098
+Patch3: perl-5.25.7-Fix-Storable-segfaults.patch
 BuildRequires: perl
 BuildRequires: perl-devel
 BuildRequires: perl-generators
@@ -69,6 +72,7 @@ can be conveniently stored to disk and retrieved at a later time.
 %patch0 -p1
 %patch1 -p1
 %patch2 -p1
+%patch3 -p3
 # Remove bundled modules
 rm -rf t/compat
 sed -i -e '/^t\/compat\//d' MANIFEST
@@ -95,6 +99,10 @@ make test
 %{_mandir}/man3/*
 %changelog
+* Tue Dec 20 2016 Petr Pisar - 1:2.56-367
+- Fix crash in Storable when deserializing malformed code reference
+ (RT#68348, RT#130098)
+
 * Wed Aug 03 2016 Jitka Plesnikova - 1:2.56-366
 - Avoid loading optional modules from default . (CVE-2016-1238)
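Review bot: The new `if (!text)` guard in retrieve_code carries no comment saying when `text` can be NULL, and the assignment to `text` lies outside the hunk, so a reader cannot tell what the check protects against. Going by the embedded commit message, this is the case where the string holding the code could not be read from the serialized data; a comment such as `/* text is NULL when the source string could not be read (malformed or truncated input); croak instead of dereferencing it below */` would record that. The three `retrieve_other(aTHX_ cxt, 0)` call sites in old_retrieve_array and old_retrieve_hash continue into the normal parsing path (`retrieve(aTHX_ cxt, 0)`, `RLEN(size)`) if the call ever returns, and only the `/* Will croak out */` comment says it does not; retrieve_other is not visible here, so that assumption should be confirmed. All three functions start and end outside their hunks.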
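Review bot: The comment added above `Patch3` writes the second ticket as `RT130098`, while the first one on the same comment is `RT#68348` and the %changelog entry in this commit uses `RT#130098`. Making the continuation line `# RT#130098` keeps the reference searchable in the same form as the other two.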
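Review bot: `%patch3 -p3` uses a different strip level from the three `-p1` lines directly above it, and nothing in the spec says why. The paths in the added patch file are `a/dist/Storable/Storable.xs`, so three components have to be stripped to reach `Storable.xs`; a one-line comment such as `# Patch taken from the perl tree, paths start at dist/Storable/` above the line would spare the next maintainer the lookup when rebasing.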