[OE-core] [PATCH V3 1/2] perl: fix CVE-2017-12883

Hongxu Jia hongxu.jia at windriver.com
Tue Oct 17 07:01:51 UTC 2017


The cause of this is that the vFAIL macro uses RExC_parse, and that
variable has just been changed in preparation for code after the vFAIL.
The solution is to not change RExC_parse until after the vFAIL.

This is a case where the macro hides stuff that can bite you.

https://perl5.git.perl.org/perl.git/commit/2be4edede4ae226e2eebd4eff28cedd2041f300f

Signed-off-by: Hongxu Jia <hongxu.jia at windriver.com>
---
 .../perl/perl/perl-fix-CVE-2017-12883.patch        | 52 ++++++++++++++++++++++
 meta/recipes-devtools/perl/perl_5.24.1.bb          |  1 +
 2 files changed, 53 insertions(+)
 create mode 100644 meta/recipes-devtools/perl/perl/perl-fix-CVE-2017-12883.patch

diff --git a/meta/recipes-devtools/perl/perl/perl-fix-CVE-2017-12883.patch b/meta/recipes-devtools/perl/perl/perl-fix-CVE-2017-12883.patch
new file mode 100644
index 0000000..d21ba5a
--- /dev/null
+++ b/meta/recipes-devtools/perl/perl/perl-fix-CVE-2017-12883.patch
@@ -0,0 +1,52 @@
+From a2b6b82e5eea300a33f148ee5201373726f9f26c Mon Sep 17 00:00:00 2001
+From: Karl Williamson <khw at cpan.org>
+Date: Tue, 17 Oct 2017 13:36:05 +0800
+Subject: [PATCH] fix CVE-2017-12883
+
+PATCH: [perl #131598]
+
+The cause of this is that the vFAIL macro uses RExC_parse, and that
+variable has just been changed in preparation for code after the vFAIL.
+The solution is to not change RExC_parse until after the vFAIL.
+
+This is a case where the macro hides stuff that can bite you.
+
+Signed-off-by: Karl Williamson <khw at cpan.org>
+Signed-off-by: Steve Hay <steve.m.hay at googlemail.com>
+
+CVE: CVE-2017-12883
+Upstream-Status: Backport
+https://perl5.git.perl.org/perl.git/commit/2be4edede4ae226e2eebd4eff28cedd2041f300f
+
+Signed-off-by: Hongxu Jia <hongxu.jia at windriver.com>
+---
+ regcomp.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/regcomp.c b/regcomp.c
+index be6cb96..5498d14 100644
+--- a/regcomp.c
++++ b/regcomp.c
+@@ -11918,14 +11918,17 @@ S_grok_bslash_N(pTHX_ RExC_state_t *pRExC_state,
+ 	}
+         sv_catpv(substitute_parse, ")");
+ 
+-        RExC_parse = RExC_start = RExC_adjusted_start = SvPV(substitute_parse,
+-                                                             len);
++        len = SvCUR(substitute_parse);
+ 
+ 	/* Don't allow empty number */
+ 	if (len < (STRLEN) 8) {
+             RExC_parse = endbrace;
+ 	    vFAIL("Invalid hexadecimal number in \\N{U+...}");
+ 	}
++
++        RExC_parse = RExC_start = RExC_adjusted_start
++                                              = SvPV_nolen(substitute_parse);
++
+ 	RExC_end = RExC_parse + len;
+ 
+         /* The values are Unicode, and therefore not subject to recoding, but
+-- 
+1.8.3.1
+
diff --git a/meta/recipes-devtools/perl/perl_5.24.1.bb b/meta/recipes-devtools/perl/perl_5.24.1.bb
index b55d222..93420f1 100644
--- a/meta/recipes-devtools/perl/perl_5.24.1.bb
+++ b/meta/recipes-devtools/perl/perl_5.24.1.bb
@@ -65,6 +65,7 @@ SRC_URI += " \
         file://perl-errno-generation-gcc5.patch \
         file://perl-fix-conflict-between-skip_all-and-END.patch \
         file://perl-test-customized.patch \
+        file://perl-fix-CVE-2017-12883.patch \
 "
 
 # Fix test case issues
-- 
2.8.1




More information about the Openembedded-core mailing list