
Accepting request 845712 from home:pmonrealgonzalez:branches:devel:languages:perl

- Security fix: [bsc#1168934, CVE-2013-7488]
  * Fix infinite loop via unexpected input
- Add perl-Convert-ASN1-CVE-2013-7488.patch

OBS-URL: https://build.opensuse.org/request/show/845712
OBS-URL: https://build.opensuse.org/package/show/devel:languages:perl/perl-Convert-ASN1?expand=0&rev=28
Christian Wittmer
2020-11-03 22:13:56 +00:00
committed by Git OBS Bridge
parent e3311ad950
commit 961c77fde0
4 changed files with 46 additions and 1 deletions


@@ -1,3 +1,4 @@
---
patches:
Convert-ASN1-0.22-test.diff:
perl-Convert-ASN1-CVE-2013-7488.patch:


@@ -0,0 +1,32 @@
From ce148a2e0872b708450005cf0b3a944014aae990 Mon Sep 17 00:00:00 2001
From: Dana Jacobsen <dana@acm.org>
Date: Tue, 29 Oct 2013 08:37:48 -0700
Subject: [PATCH 1/2] Fix unsafe decoding in indef case
---
lib/Convert/ASN1/_decode.pm | 1 +
1 file changed, 1 insertion(+)
Index: lib/Convert/ASN1/_decode.pm
===================================================================
--- lib/Convert/ASN1/_decode.pm.orig
+++ lib/Convert/ASN1/_decode.pm
@@ -683,14 +683,16 @@ sub _scan_indef {
$pos += 2;
next;
}
+ return if $pos >= $end;
my $tag = substr($_[0], $pos++, 1);
if((unpack("C",$tag) & 0x1f) == 0x1f) {
my $b;
do {
- $tag .= substr($_[0],$pos++,1);
- $b = ord substr($tag,-1);
+ return if $pos >= $end;
+ $tag .= substr($_[0],$pos++,1);
+ $b = ord substr($tag,-1);
} while($b & 0x80);
}
return if $pos >= $end;
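Review bot: The header of the added patch no longer describes the hunk it carries: it is labelled `[PATCH 1/2]` with `1 file changed, 1 insertion(+)`, yet the `_scan_indef` hunk adds one `return if $pos >= $end;` before the first tag byte and another inside the `do { ... } while($b & 0x80)` loop. From this page it cannot be told whether part 2/2 of the upstream series is folded in, not needed, or still missing, and anyone auditing the CVE-2013-7488 fix later will need that answered. I would add a provenance line to the patch header, for example `# Refreshed for this package; includes upstream commit(s): <commit ids>`, and say there whether 2/2 is required. No regression test for a truncated indefinite-length encoding is visible among the four changed files, so carrying one in the patch would keep these bounds checks from being lost on a later refresh. `_scan_indef` starts and ends outside the hunk.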


@@ -1,3 +1,10 @@
-------------------------------------------------------------------
Tue Nov 3 10:12:38 UTC 2020 - Pedro Monreal <pmonreal@suse.com>
- Security fix: [bsc#1168934, CVE-2013-7488]
* Fix infinite loop via unexpected input
- Add perl-Convert-ASN1-CVE-2013-7488.patch
-------------------------------------------------------------------
Fri Jan 10 10:14:41 UTC 2020 - Pedro Monreal Gonzalez <pmonrealgonzalez@suse.com>


@@ -24,9 +24,13 @@ Summary: ASN.1 Encode/Decode library
License: Artistic-1.0 OR GPL-1.0-or-later
Group: Development/Libraries/Perl
URL: https://metacpan.org/release/%{cpan_name}
Source0: http://www.cpan.org/authors/id/G/GB/GBARR/%{cpan_name}-%{version}.tar.gz
Source0: https://cpan.metacpan.org/authors/id/G/GB/GBARR/%{cpan_name}-%{version}.tar.gz
Source1: cpanspec.yml
# MANUAL BEGIN
Patch0: Convert-ASN1-0.22-test.diff
# PATCH-FIX-UPSTREAM bsc#1168934 CVE-2013-7488 Infinite loop via unexpected input
Patch1: perl-Convert-ASN1-CVE-2013-7488.patch
# MANUAL END
BuildArch: noarch
BuildRoot: %{_tmppath}/%{name}-%{version}-build
BuildRequires: perl
@@ -42,6 +46,7 @@ rules.
%prep
%setup -q -n %{cpan_name}-%{version}
%patch0
%patch1
%build
perl Makefile.PL INSTALLDIRS=vendor