rpms
/
perl-Storable
2
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Compare commits

merge into: rpms:rawhide
Branches Tags
rpms:rawhide
rpms:main-riscv64
rpms:f40
rpms:main
rpms:f39
rpms:f38
rpms:f37
rpms:f36
rpms:f35
rpms:f34
rpms:f33
rpms:f32
rpms:f29
rpms:f30
rpms:f31
rpms:f28
rpms:f27
rpms:f24
rpms:f25
rpms:f26
rpms:f23
rpms:f22
rpms:f21
rpms:f20
...
pull from: rpms:f25
Branches Tags
rpms:main-riscv64
rpms:f40
rpms:main
rpms:rawhide
rpms:f39
rpms:f38
rpms:f37
rpms:f36
rpms:f35
rpms:f34
rpms:f33
rpms:f32
rpms:f29
rpms:f30
rpms:f31
rpms:f28
rpms:f27
rpms:f24
rpms:f25
rpms:f26
rpms:f23
rpms:f22
rpms:f21
rpms:f20

5 Commits
rawhide ... f25

Author SHA1 Message Date
Petr Písař 34bbba5f47 Fix a memory leak of a class name from retrieve_hook() on an exception 2017-02-06 15:31:01 +01:00
Petr Písař efed0787c5 Fix a stack buffer overflow in deserialization of hooks 2017-02-06 15:31:01 +01:00
Petr Písař e7c2f0067d Specify all dependencies 2016-12-20 13:34:25 +01:00
Petr Písař 036fc45229 Fix crash in Storable when deserializing malformed code reference 2016-12-20 13:34:25 +01:00
Jitka Plesnikova 0b98b2693b Avoid loading optional modules from default . (CVE-2016-1238) 2016-08-03 13:01:38 +02:00
5 changed files with 297 additions and 3 deletions
Show Stats Expand all files Collapse all files

18
Storable-2.56-CVE-2016-1238-avoid-loading-optional-modules-from.patch Normal file
View File

@ -0,0 +1,18 @@
diff -up Storable/Storable.pm.cve Storable/Storable.pm
--- Storable/Storable.pm.cve 2016-03-19 19:50:47.000000000 +0100
+++ Storable/Storable.pm 2016-08-03 12:48:36.415082280 +0200
@@ -25,7 +25,13 @@ use vars qw($canonical $forgive_me $VERS
$VERSION = '2.56';
BEGIN {
- if (eval { local $SIG{__DIE__}; require Log::Agent; 1 }) {
+ if (eval {
+ local $SIG{__DIE__};
+ local @INC = @INC;
+ pop @INC if $INC[-1] eq '.';
+ require Log::Agent;
+ 1;
+ }) {
Log::Agent->import;
}
#

103
Storable-2.56-Fix-stack-buffer-overflow-in-deserialization-of-hook.patch Normal file
View File

@ -0,0 +1,103 @@
From c34e1dd29983e5d36d367462b9b4b4b8fcd5a0f8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
Date: Mon, 6 Feb 2017 15:13:41 +0100
Subject: [PATCH] Fix stack buffer overflow in deserialization of hooks.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Ported from perl:
commit 3e998ddfb597cfae7bdb460b22e6c50440b1de92
Author: John Lightsey <jd@cpanel.net>
Date: Tue Jan 24 10:30:18 2017 -0600
Fix stack buffer overflow in deserialization of hooks.
The use of signed lengths resulted in a stack overflow in retrieve_hook()
when a negative length was provided in the storable data.
The retrieve_blessed() codepath had a similar problem with the placement
of the trailing null byte when negative lengths were provided.
Signed-off-by: Petr Písař <ppisar@redhat.com>
---
Storable.xs | 11 +++++++++--
t/store.t | 12 +++++++++++-
2 files changed, 20 insertions(+), 3 deletions(-)
diff --git a/Storable.xs b/Storable.xs
index bc15d1d..3cce3ed 100644
--- a/Storable.xs
+++ b/Storable.xs
@@ -4016,7 +4016,7 @@ static SV *retrieve_idx_blessed(pTHX_ stcxt_t *cxt, const char *cname)
*/
static SV *retrieve_blessed(pTHX_ stcxt_t *cxt, const char *cname)
{
- I32 len;
+ U32 len;
SV *sv;
char buf[LG_BLESS + 1]; /* Avoid malloc() if possible */
char *classname = buf;
@@ -4037,6 +4037,9 @@ static SV *retrieve_blessed(pTHX_ stcxt_t *cxt, const char *cname)
if (len & 0x80) {
RLEN(len);
TRACEME(("** allocating %d bytes for class name", len+1));
+ if (len > I32_MAX) {
+ CROAK(("Corrupted classname length"));
+ }
New(10003, classname, len+1, char);
malloced_classname = classname;
}
@@ -4087,7 +4090,7 @@ static SV *retrieve_blessed(pTHX_ stcxt_t *cxt, const char *cname)
*/
static SV *retrieve_hook(pTHX_ stcxt_t *cxt, const char *cname)
{
- I32 len;
+ U32 len;
char buf[LG_BLESS + 1]; /* Avoid malloc() if possible */
char *classname = buf;
unsigned int flags;
@@ -4221,6 +4224,10 @@ static SV *retrieve_hook(pTHX_ stcxt_t *cxt, const char *cname)
else
GETMARK(len);
+ if (len > I32_MAX) {
+ CROAK(("Corrupted classname length"));
+ }
+
if (len > LG_BLESS) {
TRACEME(("** allocating %d bytes for class name", len+1));
New(10003, classname, len+1, char);
diff --git a/t/store.t b/t/store.t
index be43299..1cbf021 100644
--- a/t/store.t
+++ b/t/store.t
@@ -19,7 +19,7 @@ sub BEGIN {
use Storable qw(store retrieve store_fd nstore_fd fd_retrieve);
-use Test::More tests => 21;
+use Test::More tests => 22;
$a = 'toto';
$b = \$a;
@@ -87,5 +87,15 @@ is(&dump($r), &dump(\%a));
eval { $r = fd_retrieve(::OUT); };
isnt($@, '');
+{
+
+ my $frozen =
+ "\x70\x73\x74\x30\x04\x0a\x08\x31\x32\x33\x34\x35\x36\x37\x38\x04\x08\x08\x08\x03\xff\x00\x00\x00\x19\x08\xff\x00\x00\x00\x08\x08\xf9\x16\x16\x13\x16\x10\x10\x10\xff\x15\x16\x16\x16\x1e\x16\x16\x16\x16\x16\x16\x16\x16\x16\x16\x13\xf0\x16\x16\x16\xfe\x16\x41\x41\x41\x41\xe8\x03\x41\x41\x41\x41\x41\x41\x41\x41\x51\x41\xa9\xac\xac\xac\xac\xac\xac\xac\xac\xac\xac\xac\xac\xac\xac\xac\xac\xac\xac\xac\xac\xb8\xac\xac\xac\xac\xac\xac\xac\xac\x9a\xac\xac\xac\xac\xac\xac\xac\xac\xac\x93\xac\xac\xac\xac\xac\xac\xac\xac\xac\xac\xac\xac\xac\xac\xac\xac\xac\xac\xac\xac\xac\xac\xac\xac\x00\x64\xac\xa8\xac\xac\xac\xac\xac\xac\xac\xac\xac\xac\xac\x2c\xac\x41\x41\x41\x41\x41\x41\x41\x41\x41\x00\x80\x41\x80\x41\x41\x41\x41\x41\x41\x51\x41\xac\xac\xac";
+ open my $fh, '<', \$frozen;
+ eval { Storable::fd_retrieve($fh); };
+ pass('RT 130635: no stack smashing error when retrieving hook');
+
+}
+
close OUT or die "Could not close: $!";
END { 1 while unlink 'store' }
--
2.7.4

81
Storable-2.56-prevent-leak-of-class-name-from-retrieve_hook-on-an-.patch Normal file
View File

@ -0,0 +1,81 @@
From 979ae704ddc9e6f19d8dbf7a83bea155065ef3cc Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
Date: Mon, 6 Feb 2017 15:26:09 +0100
Subject: [PATCH] prevent leak of class name from retrieve_hook() on an
exception
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Ported from perl:
commit da1ec2b1b9abdfd956d9c539abf39d908d046304
Author: Tony Cook <tony@develop-help.com>
Date: Mon Feb 6 11:38:10 2017 +1100
prevent leak of class name from retrieve_hook() on an exception
If supplied with a large class name, retrieve_hook() allocates
buffer for the class name and Safefree()s it on exit path.
Unfortunately this memory leaks if load_module() (or a couple of other
code paths) throw an exception.
So use SAVEFREEPV() to release the memory instead.
==20183== 193 bytes in 1 blocks are definitely lost in loss record 4 of 6
==20183== at 0x4C28C20: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==20183== by 0x55F85D: Perl_safesysmalloc (util.c:153)
==20183== by 0x6ACA046: retrieve_hook (Storable.xs:4265)
==20183== by 0x6AD6D19: retrieve (Storable.xs:6217)
==20183== by 0x6AD8144: do_retrieve (Storable.xs:6401)
==20183== by 0x6AD85B7: pretrieve (Storable.xs:6506)
==20183== by 0x6AD8E14: XS_Storable_pretrieve (Storable.xs:6718)
==20183== by 0x5C176D: Perl_pp_entersub (pp_hot.c:4227)
==20183== by 0x55E1C6: Perl_runops_debug (dump.c:2450)
==20183== by 0x461B79: S_run_body (perl.c:2528)
==20183== by 0x46115C: perl_run (perl.c:2451)
==20183== by 0x41F1CD: main (perlmain.c:123)
Signed-off-by: Petr Písař <ppisar@redhat.com>
---
Storable.xs | 9 +++++----
1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/Storable.xs b/Storable.xs
index 3cce3ed..75ce3df 100644
--- a/Storable.xs
+++ b/Storable.xs
@@ -4249,6 +4249,11 @@ static SV *retrieve_hook(pTHX_ stcxt_t *cxt, const char *cname)
TRACEME(("class name: %s", classname));
+ if (!(flags & SHF_IDX_CLASSNAME) && classname != buf) {
+ /* some execution paths can throw an exception */
+ SAVEFREEPV(classname);
+ }
+
/*
* Decode user-frozen string length and read it in an SV.
*
@@ -4367,8 +4372,6 @@ static SV *retrieve_hook(pTHX_ stcxt_t *cxt, const char *cname)
SEEN0(sv, 0);
SvRV_set(attached, NULL);
SvREFCNT_dec(attached);
- if (!(flags & SHF_IDX_CLASSNAME) && classname != buf)
- Safefree(classname);
return sv;
}
CROAK(("STORABLE_attach did not return a %s object", classname));
@@ -4449,8 +4452,6 @@ static SV *retrieve_hook(pTHX_ stcxt_t *cxt, const char *cname)
SvREFCNT_dec(frozen);
av_undef(av);
sv_free((SV *) av);
- if (!(flags & SHF_IDX_CLASSNAME) && classname != buf)
- Safefree(classname);
/*
* If we had an <extra> type, then the object was not as simple, and
--
2.7.4

61
perl-5.25.7-Fix-Storable-segfaults.patch Normal file
View File

@ -0,0 +1,61 @@
From fecd3be8dbdb747b9cbf4cbb9299ce40faabc8e6 Mon Sep 17 00:00:00 2001
From: John Lightsey <lightsey@debian.org>
Date: Mon, 14 Nov 2016 11:56:15 +0100
Subject: [PATCH] Fix Storable segfaults.
Fix a null pointed dereference segfault in storable when the
retrieve_code logic was unable to read the string that contained
the code.
Also fix several locations where retrieve_other was called with a
null context pointer. This also resulted in a null pointer
dereference.
---
dist/Storable/Storable.xs | 10 +++++++---
1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/dist/Storable/Storable.xs b/dist/Storable/Storable.xs
index 053951c..caa489c 100644
--- a/dist/Storable/Storable.xs
+++ b/dist/Storable/Storable.xs
@@ -5647,6 +5647,10 @@ static SV *retrieve_code(pTHX_ stcxt_t *cxt, const char *cname)
CROAK(("Unexpected type %d in retrieve_code\n", type));
}
+ if (!text) {
+ CROAK(("Unable to retrieve code\n"));
+ }
+
/*
* prepend "sub " to the source
*/
@@ -5767,7 +5771,7 @@ static SV *old_retrieve_array(pTHX_ stcxt_t *cxt, const char *cname)
continue; /* av_extend() already filled us with undef */
}
if (c != SX_ITEM)
- (void) retrieve_other(aTHX_ (stcxt_t *) 0, 0); /* Will croak out */
+ (void) retrieve_other(aTHX_ cxt, 0); /* Will croak out */
TRACEME(("(#%d) item", i));
sv = retrieve(aTHX_ cxt, 0); /* Retrieve item */
if (!sv)
@@ -5844,7 +5848,7 @@ static SV *old_retrieve_hash(pTHX_ stcxt_t *cxt, const char *cname)
if (!sv)
return (SV *) 0;
} else
- (void) retrieve_other(aTHX_ (stcxt_t *) 0, 0); /* Will croak out */
+ (void) retrieve_other(aTHX_ cxt, 0); /* Will croak out */
/*
* Get key.
@@ -5855,7 +5859,7 @@ static SV *old_retrieve_hash(pTHX_ stcxt_t *cxt, const char *cname)
GETMARK(c);
if (c != SX_KEY)
- (void) retrieve_other(aTHX_ (stcxt_t *) 0, 0); /* Will croak out */
+ (void) retrieve_other(aTHX_ cxt, 0); /* Will croak out */
RLEN(size); /* Get key size */
KBUFCHK((STRLEN)size); /* Grow hash key read pool if needed */
if (size)
--
2.10.2

37
perl-Storable.spec
View File

@ -3,7 +3,7 @@
Name: perl-Storable
Epoch: 1
Version: 2.56
Release: 365%{?dist}
Release: 368%{?dist}
Summary: Persistence for Perl data structures
License: GPL+ or Artistic
Group: Development/Libraries
@ -13,11 +13,26 @@ Source0: http://www.cpan.org/authors/id/A/AM/AMS/Storable-%{base_version}
Patch0: Storable-2.51-Upgrade-to-2.53.patch
# Unbundled from perl 5.24.0
Patch1: Storable-2.53-Upgrade-to-2.56.patch
# Avoid loading optional modules from default . (CVE-2016-1238)
Patch2: Storable-2.56-CVE-2016-1238-avoid-loading-optional-modules-from.patch
# Fix crash in Storable when deserializing malformed code reference, RT#68348,
# RT130098
Patch3: perl-5.25.7-Fix-Storable-segfaults.patch
# Fix a stack buffer overflow in deserialization of hooks, RT#130635,
# fixed in perl after 5.25.9
Patch4: Storable-2.56-Fix-stack-buffer-overflow-in-deserialization-of-hook.patch
# Fix a memory leak of a class name from retrieve_hook() on an exception,
# RT#130635, fixed in perl after 5.25.9
Patch5: Storable-2.56-prevent-leak-of-class-name-from-retrieve_hook-on-an-.patch
BuildRequires: coreutils
BuildRequires: gcc
BuildRequires: make
BuildRequires: perl
BuildRequires: perl-devel
BuildRequires: perl-generators
BuildRequires: perl(Config)
BuildRequires: perl(ExtUtils::MakeMaker)
BuildRequires: sed
# Run-time:
# Carp substitutes missing Log::Agent
BuildRequires: perl(Carp)
@ -66,6 +81,10 @@ can be conveniently stored to disk and retrieved at a later time.
%setup -q -n Storable-%{base_version}
%patch0 -p1
%patch1 -p1
%patch2 -p1
%patch3 -p3
%patch4 -p1
%patch5 -p1
# Remove bundled modules
rm -rf t/compat
sed -i -e '/^t\/compat\//d' MANIFEST
@ -78,8 +97,8 @@ make %{?_smp_mflags}
%install
make pure_install DESTDIR=$RPM_BUILD_ROOT
find $RPM_BUILD_ROOT -type f -name .packlist -exec rm -f {} \;
find $RPM_BUILD_ROOT -type f -name '*.bs' -size 0 -exec rm -f {} \;
find $RPM_BUILD_ROOT -type f -name .packlist -delete
find $RPM_BUILD_ROOT -type f -name '*.bs' -size 0 -delete
%{_fixperms} $RPM_BUILD_ROOT/*
%check
@ -92,6 +111,18 @@ make test
%{_mandir}/man3/*
%changelog
* Mon Feb 06 2017 Petr Pisar <ppisar@redhat.com> - 1:2.56-368
- Fix a stack buffer overflow in deserialization of hooks (RT#130635)
- Fix a memory leak of a class name from retrieve_hook() on an exception
(RT#130635)
* Tue Dec 20 2016 Petr Pisar <ppisar@redhat.com> - 1:2.56-367
- Fix crash in Storable when deserializing malformed code reference
(RT#68348, RT#130098)
* Wed Aug 03 2016 Jitka Plesnikova <jplesnik@redhat.com> - 1:2.56-366
- Avoid loading optional modules from default . (CVE-2016-1238)
* Sat May 14 2016 Jitka Plesnikova <jplesnik@redhat.com> - 1:2.56-365
- Increase release to favour standalone package