diff --git a/perl-regcomp-5.8.8.dif b/perl-regcomp-5.8.8.dif
new file mode 100644
index 0000000..34006c4
--- /dev/null
+++ b/perl-regcomp-5.8.8.dif
@@ -0,0 +1,57 @@
+--- regcomp.c.orig 2006-01-08 20:59:27.000000000 +0000
++++ regcomp.c 2007-10-19 22:49:41.000000000 +0100
+@@ -136,6 +136,7 @@
+ I32 seen_zerolen;
+ I32 seen_evals;
+ I32 utf8;
++ I32 orig_utf8;
+ #if ADD_TO_REGEXEC
+ char *starttry; /* -Dr: where regtry was called. */
+ #define RExC_starttry (pRExC_state->starttry)
+@@ -161,6 +162,7 @@
+ #define RExC_seen_zerolen (pRExC_state->seen_zerolen)
+ #define RExC_seen_evals (pRExC_state->seen_evals)
+ #define RExC_utf8 (pRExC_state->utf8)
++#define RExC_orig_utf8 (pRExC_state->orig_utf8)
+
+ #define ISMULT1(c) ((c) == '*' || (c) == '+' || (c) == '?')
+ #define ISMULT2(s) ((*s) == '*' || (*s) == '+' || (*s) == '?' || \
+@@ -1749,15 +1751,17 @@
+ if (exp == NULL)
+ FAIL("NULL regexp argument");
+
+- RExC_utf8 = pm->op_pmdynflags & PMdf_CMP_UTF8;
++ RExC_orig_utf8 = RExC_utf8 = pm->op_pmdynflags & PMdf_CMP_UTF8;
+
+- RExC_precomp = exp;
+ DEBUG_r({
+ if (!PL_colorset) reginitcolors();
+ PerlIO_printf(Perl_debug_log, "%sCompiling REx%s `%s%*s%s'\n",
+ PL_colors[4],PL_colors[5],PL_colors[0],
+- (int)(xend - exp), RExC_precomp, PL_colors[1]);
++ (int)(xend - exp), exp, PL_colors[1]);
+ });
++
++redo_first_pass:
++ RExC_precomp = exp;
+ RExC_flags = pm->op_pmflags;
+ RExC_sawback = 0;
+
+@@ -1783,6 +1787,17 @@
+ RExC_precomp = Nullch;
+ return(NULL);
+ }
++ if (RExC_utf8 && !RExC_orig_utf8) {
++ STRLEN len = xend-exp;
++ DEBUG_r(PerlIO_printf(Perl_debug_log,
++ "UTF8 mismatch! Converting to utf8 for resizing and compile\n"));
++ exp = (char*)Perl_bytes_to_utf8(aTHX_ (U8*)exp, &len);
++ xend = exp + len;
++ RExC_orig_utf8 = RExC_utf8;
++ SAVEFREEPV(exp);
++ goto redo_first_pass;
++ }
++
+ DEBUG_r(PerlIO_printf(Perl_debug_log, "size %"IVdf" ", (IV)RExC_size));
+
+ /* Small enough for pointer-storage convention?
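Review bot: The retry block added in the last regcomp.c hunk (`if (RExC_utf8 && !RExC_orig_utf8)`) has no comment saying why the first pass has to be repeated, although that reasoning is the entire fix. I would put above `STRLEN len` something like `/* pass 1 sized the program for a byte pattern but parsing switched to UTF-8; upgrade the pattern and size it again before pass 2 */`, and note on `RExC_orig_utf8 = RExC_utf8;` that this assignment is what keeps the `goto` from looping. The jump also assumes that everything the sizing pass accumulates is reset after `redo_first_pass:`; only `RExC_precomp`, `RExC_flags` and `RExC_sawback` are visible here, so that should be confirmed against the rest of the function, which starts and ends outside these hunks.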
diff --git a/perl.changes b/perl.changes
index 5a5bc19..bd7de7f 100644
--- a/perl.changes
+++ b/perl.changes
@@ -1,3 +1,8 @@
+-------------------------------------------------------------------
+Tue Nov 6 09:58:35 CET 2007 - mls@suse.de
+
+- fix buffer overflow in regex engine CVE-2007-5116 (#332199)
+
 -------------------------------------------------------------------
 Wed Oct 31 16:04:58 CET 2007 - dmueller@suse.de
 
diff --git a/perl.spec b/perl.spec
index e3632e9..6b3b716 100644
--- a/perl.spec
+++ b/perl.spec
@@ -15,7 +15,7 @@ Name: perl
 Url: http://www.perl.org/
 BuildRequires: db-devel gdbm-devel ncurses-devel zlib-devel
 Version: 5.8.8
-Release: 79
+Release: 82
 Summary: The Perl interpreter
 License: Artistic License; GPL v2 or later
 Group: Development/Languages/Perl
@@ -30,6 +30,7 @@ Source1: %name-rpmlintrc
 Patch: perl-%{version}.dif
 Patch1: perl-gracefull-net-ftp.diff
 Patch2: perl-makedepend.diff
+Patch3: perl-regcomp-5.8.8.dif
 BuildRoot: %{_tmppath}/%{name}-%{version}-build
 
 %description
@@ -79,6 +80,7 @@ Authors:
 %patch
 %patch1 -p1
 %patch2
+%patch3
 
 %build
 options="-Doptimize='$RPM_OPT_FLAGS -Wall -pipe'"
@@ -133,6 +135,8 @@ d="`gcc -print-file-name=include`"
 test -f "$d/stdarg.h" && (cd $d ; $RPM_BUILD_ROOT/usr/bin/perl -I$cp -I$cpa $RPM_BUILD_ROOT/usr/bin/h2ph -d $vpa stdarg.h stddef.h float.h)
 touch $RPM_BUILD_ROOT/usr/share/man/man3/perllocal.3pm
 touch $cpa/perllocal.pod
+# test CVE-2007-5116
+$RPM_BUILD_ROOT/usr/bin/perl -e '$r=chr(128)."\\x{100}";/$r/'
 %if 0
 # remove unrelated target/os manpages
 rm $RPM_BUILD_ROOT/usr/share/man/man1/perlaix.1*
@@ -266,6 +270,8 @@ cat perl-base-filelist | sed -e 's/^/%exclude /g' > perl-base-excludes
 %doc /usr/share/man/man3/*
 %ghost %doc /usr/share/man/man3/perllocal.3pm.gz
 %changelog
+* Tue Nov 06 2007 - mls@suse.de
+- fix buffer overflow in regex engine CVE-2007-5116 (#332199)
 * Wed Oct 31 2007 - dmueller@suse.de
 - update rpmlintrc
 * Fri May 25 2007 - ro@suse.de
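Review bot: The check added in the `@@ -133,6 +135,8 @@` hunk of perl.spec can fail the build only when the freshly built perl exits non-zero on that one-liner, so it catches a regression only if the overflow actually crashes or aborts the process; memory corruption that does not crash would pass unnoticed. The comment `# test CVE-2007-5116` should state that expectation, for example `# regression check for CVE-2007-5116: the pattern must compile and perl must exit 0 (a crash fails the build)`. Unlike the h2ph call three lines above it, the interpreter is run without `-I$cp -I$cpa`; that is presumably fine for a one-liner that loads no modules, but it is worth confirming that it does not pick up library files from outside the build root.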