Compare commits
5 Commits
Author | SHA1 | Date |
---|---|---|
Petr Písař | de6be24727 | |
Petr Písař | 88362366e5 | |
Petr Písař | d186884b5d | |
Petr Písař | e0832acf79 | |
Jitka Plesnikova | 5d91b72451 |
|
@ -0,0 +1,18 @@
|
|||
diff -up Storable/Storable.pm.cve Storable/Storable.pm
|
||||
--- Storable/Storable.pm.cve 2016-03-19 19:50:47.000000000 +0100
|
||||
+++ Storable/Storable.pm 2016-08-03 12:48:36.415082280 +0200
|
||||
@@ -25,7 +25,13 @@ use vars qw($canonical $forgive_me $VERS
|
||||
$VERSION = '2.53';
|
||||
|
||||
BEGIN {
|
||||
- if (eval { local $SIG{__DIE__}; require Log::Agent; 1 }) {
|
||||
+ if (eval {
|
||||
+ local $SIG{__DIE__};
|
||||
+ local @INC = @INC;
|
||||
+ pop @INC if $INC[-1] eq '.';
|
||||
+ require Log::Agent;
|
||||
+ 1;
|
||||
+ }) {
|
||||
Log::Agent->import;
|
||||
}
|
||||
#
|
|
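Review bot: The guard `pop @INC if $INC[-1] eq '.';` only removes a trailing `.`, so a `.` entry sitting elsewhere in @INC (put there by PERL5LIB or -I, for instance) still lets `require Log::Agent` search the current directory; that looks deliberate (only perl's implicit last entry is targeted), but `local @INC = grep { $_ ne '.' } @INC;` would cover the other placements too, at the price of also dropping an explicitly requested `.`. Either way the block deserves a why-comment, since nothing in the code says what the localized @INC is for: `# CVE-2016-1238: drop perl's implicit trailing '.' so the optional Log::Agent is never picked up from the current directory`. The BEGIN block's closing brace is outside this file's hunk.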
@ -0,0 +1,103 @@
|
|||
From c34e1dd29983e5d36d367462b9b4b4b8fcd5a0f8 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
|
||||
Date: Mon, 6 Feb 2017 15:13:41 +0100
|
||||
Subject: [PATCH] Fix stack buffer overflow in deserialization of hooks.
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Ported from perl:
|
||||
|
||||
commit 3e998ddfb597cfae7bdb460b22e6c50440b1de92
|
||||
Author: John Lightsey <jd@cpanel.net>
|
||||
Date: Tue Jan 24 10:30:18 2017 -0600
|
||||
|
||||
Fix stack buffer overflow in deserialization of hooks.
|
||||
|
||||
The use of signed lengths resulted in a stack overflow in retrieve_hook()
|
||||
when a negative length was provided in the storable data.
|
||||
|
||||
The retrieve_blessed() codepath had a similar problem with the placement
|
||||
of the trailing null byte when negative lengths were provided.
|
||||
|
||||
Signed-off-by: Petr Písař <ppisar@redhat.com>
|
||||
---
|
||||
Storable.xs | 11 +++++++++--
|
||||
t/store.t | 12 +++++++++++-
|
||||
2 files changed, 20 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/Storable.xs b/Storable.xs
|
||||
index bc15d1d..3cce3ed 100644
|
||||
--- a/Storable.xs
|
||||
+++ b/Storable.xs
|
||||
@@ -4016,7 +4016,7 @@ static SV *retrieve_idx_blessed(pTHX_ stcxt_t *cxt, const char *cname)
|
||||
*/
|
||||
static SV *retrieve_blessed(pTHX_ stcxt_t *cxt, const char *cname)
|
||||
{
|
||||
- I32 len;
|
||||
+ U32 len;
|
||||
SV *sv;
|
||||
char buf[LG_BLESS + 1]; /* Avoid malloc() if possible */
|
||||
char *classname = buf;
|
||||
@@ -4037,6 +4037,9 @@ static SV *retrieve_blessed(pTHX_ stcxt_t *cxt, const char *cname)
|
||||
if (len & 0x80) {
|
||||
RLEN(len);
|
||||
TRACEME(("** allocating %d bytes for class name", len+1));
|
||||
+ if (len > I32_MAX) {
|
||||
+ CROAK(("Corrupted classname length"));
|
||||
+ }
|
||||
New(10003, classname, len+1, char);
|
||||
malloced_classname = classname;
|
||||
}
|
||||
@@ -4087,7 +4090,7 @@ static SV *retrieve_blessed(pTHX_ stcxt_t *cxt, const char *cname)
|
||||
*/
|
||||
static SV *retrieve_hook(pTHX_ stcxt_t *cxt, const char *cname)
|
||||
{
|
||||
- I32 len;
|
||||
+ U32 len;
|
||||
char buf[LG_BLESS + 1]; /* Avoid malloc() if possible */
|
||||
char *classname = buf;
|
||||
unsigned int flags;
|
||||
@@ -4221,6 +4224,10 @@ static SV *retrieve_hook(pTHX_ stcxt_t *cxt, const char *cname)
|
||||
else
|
||||
GETMARK(len);
|
||||
|
||||
+ if (len > I32_MAX) {
|
||||
+ CROAK(("Corrupted classname length"));
|
||||
+ }
|
||||
+
|
||||
if (len > LG_BLESS) {
|
||||
TRACEME(("** allocating %d bytes for class name", len+1));
|
||||
New(10003, classname, len+1, char);
|
||||
diff --git a/t/store.t b/t/store.t
|
||||
index be43299..1cbf021 100644
|
||||
--- a/t/store.t
|
||||
+++ b/t/store.t
|
||||
@@ -19,7 +19,7 @@ sub BEGIN {
|
||||
|
||||
use Storable qw(store retrieve store_fd nstore_fd fd_retrieve);
|
||||
|
||||
-use Test::More tests => 21;
|
||||
+use Test::More tests => 22;
|
||||
|
||||
$a = 'toto';
|
||||
$b = \$a;
|
||||
@@ -87,5 +87,15 @@ is(&dump($r), &dump(\%a));
|
||||
eval { $r = fd_retrieve(::OUT); };
|
||||
isnt($@, '');
|
||||
|
||||
+{
|
||||
+
|
||||
+ my $frozen =
|
||||
+ "\x70\x73\x74\x30\x04\x0a\x08\x31\x32\x33\x34\x35\x36\x37\x38\x04\x08\x08\x08\x03\xff\x00\x00\x00\x19\x08\xff\x00\x00\x00\x08\x08\xf9\x16\x16\x13\x16\x10\x10\x10\xff\x15\x16\x16\x16\x1e\x16\x16\x16\x16\x16\x16\x16\x16\x16\x16\x13\xf0\x16\x16\x16\xfe\x16\x41\x41\x41\x41\xe8\x03\x41\x41\x41\x41\x41\x41\x41\x41\x51\x41\xa9\xac\xac\xac\xac\xac\xac\xac\xac\xac\xac\xac\xac\xac\xac\xac\xac\xac\xac\xac\xac\xb8\xac\xac\xac\xac\xac\xac\xac\xac\x9a\xac\xac\xac\xac\xac\xac\xac\xac\xac\x93\xac\xac\xac\xac\xac\xac\xac\xac\xac\xac\xac\xac\xac\xac\xac\xac\xac\xac\xac\xac\xac\xac\xac\xac\x00\x64\xac\xa8\xac\xac\xac\xac\xac\xac\xac\xac\xac\xac\xac\x2c\xac\x41\x41\x41\x41\x41\x41\x41\x41\x41\x00\x80\x41\x80\x41\x41\x41\x41\x41\x41\x51\x41\xac\xac\xac";
|
||||
+ open my $fh, '<', \$frozen;
|
||||
+ eval { Storable::fd_retrieve($fh); };
|
||||
+ pass('RT 130635: no stack smashing error when retrieving hook');
|
||||
+
|
||||
+}
|
||||
+
|
||||
close OUT or die "Could not close: $!";
|
||||
END { 1 while unlink 'store' }
|
||||
--
|
||||
2.7.4
|
||||
|
|
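Review bot: The new test in t/store.t cannot fail on the behaviour it names: `eval { Storable::fd_retrieve($fh); }` discards the outcome and `pass('RT 130635: ...')` runs unconditionally, so it only catches the process being killed, and `open my $fh, '<', \$frozen;` is unchecked as well. If the malformed stream is meant to be rejected, `isnt($@, '', 'RT 130635: no stack smashing error when retrieving hook')` (or a `like` against the croak text, if that text is stable) pins the fix, and `open my $fh, '<', \$frozen or die "open: $!";` makes a setup failure visible. In the Storable.xs hunks `len` becomes `U32` while the `TRACEME` lines still format `len+1` with `%d`; `%u` would match the new type. retrieve_blessed() and retrieve_hook() both extend beyond their hunks.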
@ -0,0 +1,81 @@
|
|||
From 979ae704ddc9e6f19d8dbf7a83bea155065ef3cc Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
|
||||
Date: Mon, 6 Feb 2017 15:26:09 +0100
|
||||
Subject: [PATCH] prevent leak of class name from retrieve_hook() on an
|
||||
exception
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Ported from perl:
|
||||
|
||||
commit da1ec2b1b9abdfd956d9c539abf39d908d046304
|
||||
Author: Tony Cook <tony@develop-help.com>
|
||||
Date: Mon Feb 6 11:38:10 2017 +1100
|
||||
|
||||
prevent leak of class name from retrieve_hook() on an exception
|
||||
|
||||
If supplied with a large class name, retrieve_hook() allocates
|
||||
buffer for the class name and Safefree()s it on exit path.
|
||||
|
||||
Unfortunately this memory leaks if load_module() (or a couple of other
|
||||
code paths) throw an exception.
|
||||
|
||||
So use SAVEFREEPV() to release the memory instead.
|
||||
|
||||
==20183== 193 bytes in 1 blocks are definitely lost in loss record 4 of 6
|
||||
==20183== at 0x4C28C20: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
|
||||
==20183== by 0x55F85D: Perl_safesysmalloc (util.c:153)
|
||||
==20183== by 0x6ACA046: retrieve_hook (Storable.xs:4265)
|
||||
==20183== by 0x6AD6D19: retrieve (Storable.xs:6217)
|
||||
==20183== by 0x6AD8144: do_retrieve (Storable.xs:6401)
|
||||
==20183== by 0x6AD85B7: pretrieve (Storable.xs:6506)
|
||||
==20183== by 0x6AD8E14: XS_Storable_pretrieve (Storable.xs:6718)
|
||||
==20183== by 0x5C176D: Perl_pp_entersub (pp_hot.c:4227)
|
||||
==20183== by 0x55E1C6: Perl_runops_debug (dump.c:2450)
|
||||
==20183== by 0x461B79: S_run_body (perl.c:2528)
|
||||
==20183== by 0x46115C: perl_run (perl.c:2451)
|
||||
==20183== by 0x41F1CD: main (perlmain.c:123)
|
||||
|
||||
Signed-off-by: Petr Písař <ppisar@redhat.com>
|
||||
---
|
||||
Storable.xs | 9 +++++----
|
||||
1 file changed, 5 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/Storable.xs b/Storable.xs
|
||||
index 3cce3ed..75ce3df 100644
|
||||
--- a/Storable.xs
|
||||
+++ b/Storable.xs
|
||||
@@ -4249,6 +4249,11 @@ static SV *retrieve_hook(pTHX_ stcxt_t *cxt, const char *cname)
|
||||
|
||||
TRACEME(("class name: %s", classname));
|
||||
|
||||
+ if (!(flags & SHF_IDX_CLASSNAME) && classname != buf) {
|
||||
+ /* some execution paths can throw an exception */
|
||||
+ SAVEFREEPV(classname);
|
||||
+ }
|
||||
+
|
||||
/*
|
||||
* Decode user-frozen string length and read it in an SV.
|
||||
*
|
||||
@@ -4367,8 +4372,6 @@ static SV *retrieve_hook(pTHX_ stcxt_t *cxt, const char *cname)
|
||||
SEEN0(sv, 0);
|
||||
SvRV_set(attached, NULL);
|
||||
SvREFCNT_dec(attached);
|
||||
- if (!(flags & SHF_IDX_CLASSNAME) && classname != buf)
|
||||
- Safefree(classname);
|
||||
return sv;
|
||||
}
|
||||
CROAK(("STORABLE_attach did not return a %s object", classname));
|
||||
@@ -4449,8 +4452,6 @@ static SV *retrieve_hook(pTHX_ stcxt_t *cxt, const char *cname)
|
||||
SvREFCNT_dec(frozen);
|
||||
av_undef(av);
|
||||
sv_free((SV *) av);
|
||||
- if (!(flags & SHF_IDX_CLASSNAME) && classname != buf)
|
||||
- Safefree(classname);
|
||||
|
||||
/*
|
||||
* If we had an <extra> type, then the object was not as simple, and
|
||||
--
|
||||
2.7.4
|
||||
|
|
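Review bot: `SAVEFREEPV(classname)` hands the buffer to the savestack, so it is released at the next LEAVE rather than when retrieve_hook() returns; unless retrieve_hook() has its own ENTER/LEAVE (not visible here), every large class name in a nested structure stays allocated until the outermost retrieve finishes, which is worth a sentence in the comment. The registration also sits after `TRACEME(("class name: %s", classname))`, so a croak between the `New()` and this point (a short read of the name bytes, for instance) would still leak; placing `SAVEFREEPV(classname)` directly after the allocation would cover that as well, provided nothing in between still needs the explicit free. I would expand the comment to `/* freed at scope exit rather than by Safefree(): load_module() and other paths below can croak, which used to leak this buffer */`. retrieve_hook() starts and ends outside these hunks.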
@ -0,0 +1,61 @@
|
|||
From fecd3be8dbdb747b9cbf4cbb9299ce40faabc8e6 Mon Sep 17 00:00:00 2001
|
||||
From: John Lightsey <lightsey@debian.org>
|
||||
Date: Mon, 14 Nov 2016 11:56:15 +0100
|
||||
Subject: [PATCH] Fix Storable segfaults.
|
||||
|
||||
Fix a null pointed dereference segfault in storable when the
|
||||
retrieve_code logic was unable to read the string that contained
|
||||
the code.
|
||||
|
||||
Also fix several locations where retrieve_other was called with a
|
||||
null context pointer. This also resulted in a null pointer
|
||||
dereference.
|
||||
---
|
||||
dist/Storable/Storable.xs | 10 +++++++---
|
||||
1 file changed, 7 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/dist/Storable/Storable.xs b/dist/Storable/Storable.xs
|
||||
index 053951c..caa489c 100644
|
||||
--- a/dist/Storable/Storable.xs
|
||||
+++ b/dist/Storable/Storable.xs
|
||||
@@ -5647,6 +5647,10 @@ static SV *retrieve_code(pTHX_ stcxt_t *cxt, const char *cname)
|
||||
CROAK(("Unexpected type %d in retrieve_code\n", type));
|
||||
}
|
||||
|
||||
+ if (!text) {
|
||||
+ CROAK(("Unable to retrieve code\n"));
|
||||
+ }
|
||||
+
|
||||
/*
|
||||
* prepend "sub " to the source
|
||||
*/
|
||||
@@ -5767,7 +5771,7 @@ static SV *old_retrieve_array(pTHX_ stcxt_t *cxt, const char *cname)
|
||||
continue; /* av_extend() already filled us with undef */
|
||||
}
|
||||
if (c != SX_ITEM)
|
||||
- (void) retrieve_other(aTHX_ (stcxt_t *) 0, 0); /* Will croak out */
|
||||
+ (void) retrieve_other(aTHX_ cxt, 0); /* Will croak out */
|
||||
TRACEME(("(#%d) item", i));
|
||||
sv = retrieve(aTHX_ cxt, 0); /* Retrieve item */
|
||||
if (!sv)
|
||||
@@ -5844,7 +5848,7 @@ static SV *old_retrieve_hash(pTHX_ stcxt_t *cxt, const char *cname)
|
||||
if (!sv)
|
||||
return (SV *) 0;
|
||||
} else
|
||||
- (void) retrieve_other(aTHX_ (stcxt_t *) 0, 0); /* Will croak out */
|
||||
+ (void) retrieve_other(aTHX_ cxt, 0); /* Will croak out */
|
||||
|
||||
/*
|
||||
* Get key.
|
||||
@@ -5855,7 +5859,7 @@ static SV *old_retrieve_hash(pTHX_ stcxt_t *cxt, const char *cname)
|
||||
|
||||
GETMARK(c);
|
||||
if (c != SX_KEY)
|
||||
- (void) retrieve_other(aTHX_ (stcxt_t *) 0, 0); /* Will croak out */
|
||||
+ (void) retrieve_other(aTHX_ cxt, 0); /* Will croak out */
|
||||
RLEN(size); /* Get key size */
|
||||
KBUFCHK((STRLEN)size); /* Grow hash key read pool if needed */
|
||||
if (size)
|
||||
--
|
||||
2.10.2
|
||||
|
|
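Review bot: All three `(void) retrieve_other(aTHX_ cxt, 0); /* Will croak out */` sites still rely on retrieve_other() never returning: if it did, old_retrieve_array() would carry on into `retrieve(aTHX_ cxt, 0)` and old_retrieve_hash() into the key read on a stream already known to be corrupt. Adding `return (SV *) 0;` after each call (or returning retrieve_other()'s result directly) makes the bail-out explicit instead of depending on that comment staying true. The new `if (!text)` check could say what it guards, roughly `/* no code string could be read for this type; NULL must not be dereferenced below */`, hedged here because the code that sets `text` is outside the hunk. The description's `null pointed dereference` should read `null pointer dereference`.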
@ -3,7 +3,7 @@
|
|||
Name: perl-Storable
|
||||
Epoch: 1
|
||||
Version: 2.53
|
||||
Release: 347%{?dist}
|
||||
Release: 350%{?dist}
|
||||
Summary: Persistence for Perl data structures
|
||||
License: GPL+ or Artistic
|
||||
Group: Development/Libraries
|
||||
|
@ -11,9 +11,24 @@ URL: http://search.cpan.org/dist/Storable/
|
|||
Source0: http://www.cpan.org/authors/id/A/AM/AMS/Storable-%{base_version}.tar.gz
|
||||
# Unbundled form perl 5.21.11
|
||||
Patch0: Storable-2.51-Upgrade-to-2.53.patch
|
||||
# Avoid loading optional modules from default . (CVE-2016-1238)
|
||||
Patch1: Storable-2.53-CVE-2016-1238-avoid-loading-optional-modules-from.patch
|
||||
# Fix crash in Storable when deserializing malformed code reference, RT#68348,
|
||||
# RT130098
|
||||
Patch2: perl-5.25.7-Fix-Storable-segfaults.patch
|
||||
# Fix a stack buffer overflow in deserialization of hooks, RT#130635,
|
||||
# fixed in perl after 5.25.9
|
||||
Patch3: Storable-2.56-Fix-stack-buffer-overflow-in-deserialization-of-hook.patch
|
||||
# Fix a memory leak of a class name from retrieve_hook() on an exception,
|
||||
# RT#130635, fixed in perl after 5.25.9
|
||||
Patch4: Storable-2.56-prevent-leak-of-class-name-from-retrieve_hook-on-an-.patch
|
||||
BuildRequires: coreutils
|
||||
BuildRequires: gcc
|
||||
BuildRequires: make
|
||||
BuildRequires: perl
|
||||
BuildRequires: perl(Config)
|
||||
BuildRequires: perl(ExtUtils::MakeMaker)
|
||||
BuildRequires: sed
|
||||
# Run-time:
|
||||
# Carp substitutes missing Log::Agent
|
||||
BuildRequires: perl(Carp)
|
||||
|
@ -61,6 +76,10 @@ can be conveniently stored to disk and retrieved at a later time.
|
|||
%prep
|
||||
%setup -q -n Storable-%{base_version}
|
||||
%patch0 -p1
|
||||
%patch1 -p1
|
||||
%patch2 -p3
|
||||
%patch3 -p1
|
||||
%patch4 -p1
|
||||
# Remove bundled modules
|
||||
rm -rf t/compat
|
||||
sed -i -e '/^t\/compat\//d' MANIFEST
|
||||
|
@ -73,8 +92,8 @@ make %{?_smp_mflags}
|
|||
|
||||
%install
|
||||
make pure_install DESTDIR=$RPM_BUILD_ROOT
|
||||
find $RPM_BUILD_ROOT -type f -name .packlist -exec rm -f {} \;
|
||||
find $RPM_BUILD_ROOT -type f -name '*.bs' -size 0 -exec rm -f {} \;
|
||||
find $RPM_BUILD_ROOT -type f -name .packlist -delete
|
||||
find $RPM_BUILD_ROOT -type f -name '*.bs' -size 0 -delete
|
||||
%{_fixperms} $RPM_BUILD_ROOT/*
|
||||
|
||||
%check
|
||||
|
@ -87,6 +106,18 @@ make test
|
|||
%{_mandir}/man3/*
|
||||
|
||||
%changelog
|
||||
* Mon Feb 06 2017 Petr Pisar <ppisar@redhat.com> - 1:2.53-350
|
||||
- Fix a stack buffer overflow in deserialization of hooks (RT#130635)
|
||||
- Fix a memory leak of a class name from retrieve_hook() on an exception
|
||||
(RT#130635)
|
||||
|
||||
* Tue Dec 20 2016 Petr Pisar <ppisar@redhat.com> - 1:2.53-349
|
||||
- Fix crash in Storable when deserializing malformed code reference
|
||||
(RT#68348, RT#130098)
|
||||
|
||||
* Wed Aug 03 2016 Jitka Plesnikova <jplesnik@redhat.com> - 1:2.53-348
|
||||
- Avoid loading optional modules from default . (CVE-2016-1238)
|
||||
|
||||
* Thu Feb 04 2016 Fedora Release Engineering <releng@fedoraproject.org> - 1:2.53-347
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
|
||||
|
||||
|
|
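Review bot: `%patch2 -p3` is the only patch applied with a strip level other than `-p1`, and nothing next to it says why; a comment such as `# -p3: taken from the perl tree, so its paths start with dist/Storable/` (the patch header reads `diff --git a/dist/Storable/Storable.xs ...`) would keep a future packager from "correcting" it. The `# Unbundled form perl 5.21.11` comment reads `form` for `from`.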